From owner-freebsd-questions@FreeBSD.ORG Sun Apr 18 06:25:26 2010
From: Valentin Bud
Date: Sun, 18 Apr 2010 09:25:04 +0300
To: Alejandro Imass
Cc: freebsd-questions
Subject: Re: Requesting community opinion regarding security/pam_ldap groupdn and member_attribute
On Sat, Apr 17, 2010 at 4:13 PM, Alejandro Imass wrote:
> On Fri, Apr 16, 2010 at 8:44 AM, Valentin Bud wrote:
> > Hello community,
> >
> > I am working these days on implementing a centralized
> [...]
> > The problem is that pam_ldap wants the memberUid attribute to contain the
> > user's DN and there is no option to change this behavior.
>
> Hmmm...
>
> > My question is: what is the argument behind this and do you think it should
> > stay this way or could it be changed?
> > In my case I really need pam_ldap to check just for UID not DN of a user in
> > memberUid attribute.
>
> I think you are a bit confused here, because dn is not an attribute,
> and you must revise RFCs 4510 to 4519, 4530 (and others related).
>
> The DN is the Distinguished Name, which is basically the RDN + the DN
> of the parent node..... let's see where should I start....
>
> Ok, think of LDAP as 2 things: 1) a simple network protocol, 2) a
> database model that stores "entries" in a tree fashion (the Directory
> Information Tree or DIT). Each "entry" (the atomic unit in a DIT) has
> to derive from at least one structural Object Class (or more) and zero
> or more Auxiliary Classes. The structural class has one (or more -
> though it's not very common) MUST attributes, which _usually_ make up
> the entry's RDN (Relative Distinguished Name). So, the RDN is
> _usually_ composed of the principal MUST attribute of its primary
> structural class, and _usually_ it defines the "entry type"[1].
>
> I say usually because entries commonly derive from several classes,
> not just one, so in reality you can use _any_ attribute for your RDN,
> as long as you make sure it's unique among siblings (other entries
> that share the same parent). When you position the entry in the DIT
> you form what is known as the DN, which is the attribute(s) that
> make up the RDN + the DN of the parent node. It is also important to
> note, and not many people know this, that both the RDN and DN
> could change during the life of an entry, and there is an operational
> attribute called the entryUUID which is sort of a unique identifier in
> the DIT (RFC 4530), and although it's not really meant to be used as a
> day-to-day identifier, it may prove useful when integrating LDAP data with
> other data sources such as RDBMS. Oh, and entries can also have
> multiple DNs ("Alias Names", RFC 4512, sect 2.6).
>
> So, back to your question, the short answer is that to find an entry
> in the DIT you HAVE TO use the dn, although the attributes that
> make up that dn are really up to you. For example, if your entry
> derives from person and posixAccount you could use any of (or both) cn
> and/or uid in the RDN.
>
> Best,
> Alejandro Imass
>
> Notes:
> [1] The entry type, of course, is what you want it to be, though many
> of your GUI tools will choose the principal attribute of the first
> objectclass to show you the node (they seldom use the complete dn),
> so you kind-a think of that attribute as the "type" (organization,
> person, ou, etc.), but that may be misleading....
>
> > I have asked our friend google what he has to say about this and found
> > out that there is a patch on Debian which can be found here:
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=341541
> > that gives the user the possibility to choose if the memberUid attribute
> > holds the DN or UID.
> > I would really like that feature so I have patched pam_ldap to no success
> > and since my C programming skills are close to none I am stuck.
> >
> > Would you people think that the above patch would be useful? Please
> > argument on this. How can I/we make that patch work?
> >
> > Thank you very much and a great day,
> > v
> >
> > --
> > network warrior since 2005

Hello Alejandro,

Thank you for your explanation about LDAP. It has been helpful.

My problem though is WHY (with reasons) pam_ldap wants to see the DN of the entry which matched the search for the uid attribute in the memberUid attribute of the group I want to enforce users to be a part of so they can log in to the system using ssh. Since the memberUid attribute holds the value of the posix uid, I think it is not quite correct, relative to the standards, to find a DN there.

Thanks once again.

A great day,
v

--
network warrior since 2005
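The groupdn check the thread argues about, modelled as an added example that is not code from the thread, from pam_ldap or from the Debian patch: a DN-based match against a standard posixGroup (memberUid holding uid strings) fails, while a uid-based match succeeds. The sample entries, the `match` parameter and the simplified DN comparison are assumptions.

```python
from typing import Dict, List

LdapEntry = Dict[str, List[str]]

# Constructed sample entries (not from the thread), shaped like the results of
# an LDAP search: attribute name -> list of values, plus the entry's DN.
USER: LdapEntry = {
    "dn": ["uid=valentin,ou=People,dc=example,dc=org"],
    "uid": ["valentin"],
    "objectClass": ["person", "posixAccount"],
}
# RFC 2307 posixGroup: memberUid carries uid strings, not DNs.
POSIX_GROUP: LdapEntry = {
    "dn": ["cn=sshusers,ou=Group,dc=example,dc=org"],
    "objectClass": ["posixGroup"],
    "memberUid": ["valentin", "alice"],
}
# groupOfNames: member carries full DNs, which is what a DN-based check expects.
DN_GROUP: LdapEntry = {
    "dn": ["cn=sshusers,ou=Group,dc=example,dc=org"],
    "objectClass": ["groupOfNames"],
    "member": ["UID=valentin, OU=People, DC=example, DC=org"],
}


def dn_key(dn: str) -> str:
    """Comparison key for a DN: attribute types are case-insensitive and the
    space after a comma is not significant. Simplified on purpose: escaped
    commas and other RFC 4514 escaping are not handled."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def is_member(user: LdapEntry, group: LdapEntry,
              member_attribute: str, match: str = "dn") -> bool:
    """Model of the pam_ldap groupdn / member_attribute check (assumed shape).

    match="dn"  : the user's DN must be a value of member_attribute, which is
                  the behaviour the thread describes for stock pam_ldap.
    match="uid" : the user's uid value must be a value of member_attribute,
                  the alternative the Debian patch in the thread lets you pick.
    """
    values = group.get(member_attribute, [])
    if match == "dn":
        wanted = dn_key(user["dn"][0])
        return any(dn_key(v) == wanted for v in values)
    if match == "uid":
        return any(uid in values for uid in user.get("uid", []))
    raise ValueError("match must be 'dn' or 'uid'")
```

The DN mode is the one that locks the user out of the posixGroup even though the uid is listed; the uid mode is the one the original poster wants.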