From owner-freebsd-questions@FreeBSD.ORG Sat Apr 17 13:13:21 2010 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 92DA4106566B for ; Sat, 17 Apr 2010 13:13:21 +0000 (UTC) (envelope-from aimass@yabarana.com) Received: from mail-qy0-f199.google.com (mail-qy0-f199.google.com [209.85.221.199]) by mx1.freebsd.org (Postfix) with ESMTP id 532488FC29 for ; Sat, 17 Apr 2010 13:13:20 +0000 (UTC) Received: by qyk37 with SMTP id 37so3021652qyk.8 for ; Sat, 17 Apr 2010 06:13:20 -0700 (PDT) MIME-Version: 1.0 Sender: aimass@yabarana.com Received: by 10.229.88.12 with HTTP; Sat, 17 Apr 2010 06:13:20 -0700 (PDT) In-Reply-To: References: Date: Sat, 17 Apr 2010 09:13:20 -0400 X-Google-Sender-Auth: 6f75ecdb3f1f2270 Received: by 10.229.222.12 with SMTP id ie12mr642581qcb.77.1271510000151; Sat, 17 Apr 2010 06:13:20 -0700 (PDT) Message-ID: From: Alejandro Imass To: Valentin Bud Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Cc: freebsd-questions Subject: Re: Requesting community opinion regarding security/pam_ldap groupdn and member_attribute X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 17 Apr 2010 13:13:21 -0000 On Fri, Apr 16, 2010 at 8:44 AM, Valentin Bud wrot= e: > Hello community, > > =A0I am working these days on implementing a centralized [...] > The problem is that pam_ldap wants the memberUid attribute to contain the > user's DN and there is > no option to change this behavior. > Hmmm... > My question is: what is the argument behind this and do you think it shou= ld > stay this way or > could it be changed? > In my case I really need pam_ldap to check just for UID not DN of a user = in > memberUid attribute. > I think you are a bit confused here, because dn is not an attribute, and you must revise RFCs 4510 to 4519,4530 (and others related). The DN is the Distinguished Name, which is basically the RDN + the DN of the parent node..... let's see where should I start.... Ok, think of LDAP as 2 things: 1) a simple network protocol, 2) a database model that stores "entries" in a tree fashion (the Directory Information Tree or DIT). Each "entry" (the atomic unit in a DIT) has to derive from at least one structural Object Class (or more) and zero or more Auxiliary Classes. The structural class has one (or more - though it's not very common) MUST attributes, which _usually_ make up the entry's RDN (Relative Distinguished Name). So, the RDN is _usually_ conformed of the principal MUST attribute of it's primary structural class, and _usually_ it defines the "entry type"[1]. I say usually because entries commonly derive from several classes, not just one, so in reallity you can use _any_ attribute for your RDN, as long as you make sure it's unique among siblings (other entries that share the same parent). When you position the entry in the DIT you conform what is known as the DN, which is the attribute(s) that conform the RDN + the DN of the parent node. It is also important to note that, and not many people know this, that both the RDN and DN could change during the life of an entry, and there is an operational attribute called the entryUUID which is sort-of a unique identifier in the DIT (RFC4530), and although it's not really meant to be used as a day-to-day identifier, may prove useful when integrating LDAP data to other data sources such as RDBMS. Oh, and entries can also have multiple DNs ("Alias Names" RFC4512, sect 2.6). So, back to your question, the short answer is that to find an entry in the DIT you HAVE TO use the dn, althoug the attribuites that conform that dn are really up to you. For example, if your entry derives from person and posixAccount you could use any of (or both) cn and/or uid in the RDN. Best, Alejandro Imass Notes: [1] The entry type, of course is what you want it to be, though many of your GUI tools will chose the principal atribute of the first objectclass to show you the node (they seldomly use the complete dn, so you kind-a think of that attribute as the "type" (organization, person, ou, etc.), but that may be missleading....) > I have asked our friend google what does he has to say about this and fou= nd > out that > there is a patch on Debian which can be found here: > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=3D341541 > that gives the user the possibility to choose if the memberUid attribute > holds the DN or UID. > I would really like that feature so I have patched pam_ldap to no success > and since my C programming > skills are close to none I am stuck. > > Would you people think that the above patch would be useful? Please argum= ent > on this. How > can I/we make that patch work? > > Thank you very much and a great day, > v > > > -- > network warrior since 2005 > _______________________________________________ > freebsd-questions@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.o= rg" >