From: Valentin Bud <valentin.bud@gmail.com>
Date: Fri, 16 Apr 2010 15:44:52 +0300
To: freebsd-questions@freebsd.org
Subject: Requesting community opinion regarding security/pam_ldap groupdn and member_attribute
Hello community,

I am working these days on implementing a centralized authentication/authorization service for all the FBSD servers I have. I am using OpenLDAP to store the users and GOsa (https://oss.gonicus.de/) as a web frontend to administer the directory.

To enable SSH/console authentication from LDAP I noticed that one can use security/pam_ldap from ports and net/nss_ldap so that the name service switch can get groups/passwd info from LDAP too.

I have successfully configured OpenLDAP and created a user as follows:

dn: cn=Valentin BUD,ou=people,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
sn: BUD
givenName: Valentin
uid: mtx
cn: Valentin BUD
homeDirectory: /home/mtx
loginShell: /bin/tcsh
uidNumber: 5001
gidNumber: 5001
gecos: Valentin BUD

and a posixGroup as follows:

dn: cn=ssh,ou=groups,ou=people,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: ssh
gidNumber: 7000
description: SSH allowed users
memberUid: mtx

I have configured pam_ldap to honor group membership using

pam_groupdn cn=ssh,ou=groups,ou=people,dc=example,dc=com
pam_member_attribute memberUid

The problem is that pam_ldap wants the memberUid attribute to contain the user's DN and there is no option to change this behavior.

My question is: what is the argument behind this, and do you think it should stay this way or could it be changed? In my case I really need pam_ldap to check just for the UID, not the DN, of a user in the memberUid attribute.

I have asked our friend Google what he has to say about this and found out that there is a patch on Debian, which can be found here:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=341541

that gives the user the possibility to choose whether the memberUid attribute holds the DN or the UID.

I would really like that feature, so I have patched pam_ldap with no success, and since my C programming skills are close to none I am stuck.

Would you people think that the above patch would be useful? Please give your arguments on this. How can I/we make that patch work?

Thank you very much and have a great day,
v

--
network warrior since 2005
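The mismatch the post describes, shown as an added example that is not part of the original message and is not pam_ldap's own code: the two group entries are the poster's posixGroup and an assumed groupOfNames variant of it (the standard schema whose member attribute holds DNs), and the two matching functions model "compare against the user's DN" versus "compare against the user's uid". The DN normalisation is a deliberate simplification of RFC 4517 DN matching, and the filter builder applies RFC 4515 escaping so a value taken from a login name cannot alter the search filter.

```python
# Added example (not from the original post): a small model of the two ways a
# pam_groupdn / pam_member_attribute check can compare a user against a group.
# The entries are the ones from the post, re-typed as dicts; the matching
# functions are illustrative and are NOT pam_ldap's own implementation.

USER = {
    "dn": "cn=Valentin BUD,ou=people,dc=example,dc=com",
    "uid": ["mtx"],
    "uidNumber": ["5001"],
}

# The posixGroup from the post: memberUid holds the login name, not a DN.
GROUP_POSIX = {
    "dn": "cn=ssh,ou=groups,ou=people,dc=example,dc=com",
    "objectClass": ["top", "posixGroup"],
    "cn": ["ssh"],
    "memberUid": ["mtx"],
}

# Constructed alternative (assumption, not in the post): the same group as a
# groupOfNames whose 'member' attribute holds the user's DN, which is the data
# shape a DN-matching check expects.
GROUP_DN = {
    "dn": "cn=ssh,ou=groups,ou=people,dc=example,dc=com",
    "objectClass": ["top", "groupOfNames"],
    "cn": ["ssh"],
    "member": ["cn=Valentin BUD,ou=people,dc=example,dc=com"],
}


def normalize_dn(dn):
    """Case-fold and trim each RDN so cosmetic differences do not defeat the
    comparison. Simplified RFC 4517 DN matching: it does not handle escaped
    commas or multi-valued RDNs."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def member_by_dn(group, member_attribute, user):
    """Behaviour the post describes: the member attribute must contain the
    user's full DN."""
    wanted = normalize_dn(user["dn"])
    return any(normalize_dn(v) == wanted for v in group.get(member_attribute, []))


def member_by_uid(group, member_attribute, user):
    """Behaviour the post asks for (the Debian patch): compare the uid value.
    uid uses caseIgnoreMatch, hence the case-folding."""
    uids = {u.lower() for u in user.get("uid", [])}
    return any(v.lower() in uids for v in group.get(member_attribute, []))


def check_login(group, member_attribute, user, match_dn):
    """Return 'allow' or 'deny' for one (group, attribute, user) triple using
    the selected comparison, mirroring an account-stage group gate."""
    matcher = member_by_dn if match_dn else member_by_uid
    return "allow" if matcher(group, member_attribute, user) else "deny"


def ldap_filter_escape(value):
    """RFC 4515 escaping for an assertion value inside a search filter."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def membership_filter(member_attribute, value):
    """Build the filter a server-side membership lookup would send, e.g.
    (memberUid=mtx), with the value escaped."""
    return "(%s=%s)" % (member_attribute, ldap_filter_escape(value))


if __name__ == "__main__":
    # The poster's configuration: memberUid holds 'mtx', module compares DNs.
    print("posixGroup, DN match :", check_login(GROUP_POSIX, "memberUid", USER, True))
    # What the Debian patch would allow: compare the uid instead.
    print("posixGroup, uid match:", check_login(GROUP_POSIX, "memberUid", USER, False))
    # The alternative data shape that satisfies a DN-matching module unpatched.
    print("groupOfNames, DN match:", check_login(GROUP_DN, "member", USER, True))
    print("filter:", membership_filter("memberUid", USER["uid"][0]))
```

Running it shows the posted setup denying the login under DN matching and allowing it under uid matching, while the groupOfNames shape is allowed by DN matching without any patch; whichever comparison is chosen, the filter builder is where untrusted input must be escaped.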