Date: Fri, 16 Apr 2010 15:44:52 +0300
From: Valentin Bud <valentin.bud@gmail.com>
To: freebsd-questions <freebsd-questions@freebsd.org>
Subject: Requesting community opinion regarding security/pam_ldap groupdn and member_attribute
Message-ID: <n2z139b44431004160544ze930d367wbbe5dfa6dfaf68ae@mail.gmail.com>
Hello community,

I am working these days on implementing a centralized authentication/authorization service for all the FBSD servers I have. I am using OpenLDAP to store the users and GOsa (https://oss.gonicus.de/) as a web frontend to administer the directory.

To enable SSH/console authentication from LDAP I noticed that one can use security/pam_ldap from ports and net/nss_ldap so that the name service switch can get groups/passwd info from LDAP too.

I have successfully configured OpenLDAP and created a user as follows:

    dn: cn=Valentin BUD,ou=people,dc=example,dc=com
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: shadowAccount
    sn: BUD
    givenName: Valentin
    uid: mtx
    cn: Valentin BUD
    homeDirectory: /home/mtx
    loginShell: /bin/tcsh
    uidNumber: 5001
    gidNumber: 5001
    gecos: Valentin BUD

and a posixGroup as follows:

    dn: cn=ssh,ou=groups,ou=people,dc=example,dc=com
    objectClass: top
    objectClass: posixGroup
    cn: ssh
    gidNumber: 7000
    description: SSH allowed users
    memberUid: mtx

I have configured pam_ldap to honor group membership using

    pam_groupdn cn=ssh,ou=groups,ou=people,dc=example,dc=com
    pam_member_attribute memberUid

The problem is that pam_ldap wants the memberUid attribute to contain the user's DN and there is no option to change this behavior.

My question is: what is the argument behind this, and do you think it should stay this way or could it be changed? In my case I really need pam_ldap to check just for the UID, not the DN, of a user in the memberUid attribute.

I have asked our friend Google what he has to say about this and found out that there is a patch on Debian, which can be found here:

    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=341541

that gives the user the possibility to choose whether the memberUid attribute holds the DN or the UID. I would really like that feature, so I have patched pam_ldap, with no success, and since my C programming skills are close to nonexistent I am stuck.
Do you think that the above patch would be useful? Please give your arguments. How can I/we make that patch work?

Thank you very much and a great day,
v

-- 
network warrior since 2005
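The mismatch the poster describes, as an added example that is not part of the original message or of pam_ldap itself: a small model of the pam_groupdn / pam_member_attribute check run against the two LDIF entries quoted above, once in the stock mode (the member attribute must hold the user's DN) and once in the uid mode the referenced Debian patch is meant to add. The LDIF parser, the check_membership() function and the third "ssh-dn" groupOfNames entry are this example's own constructions; that extra entry only illustrates the kind of group an unpatched pam_ldap would accept, since its member attribute carries the DN.

```python
"""Model of pam_ldap's pam_groupdn membership test (editor's example, not
pam_ldap code).  Stock behaviour: the value of pam_member_attribute must
equal the authenticating user's DN.  Patched behaviour: it may equal the uid."""

# Constructed from the entries quoted in the post, plus one hypothetical
# groupOfNames entry (cn=ssh-dn) that is NOT in the post.
LDIF = """\
dn: cn=Valentin BUD,ou=people,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
sn: BUD
givenName: Valentin
uid: mtx
cn: Valentin BUD
homeDirectory: /home/mtx
loginShell: /bin/tcsh
uidNumber: 5001
gidNumber: 5001
gecos: Valentin BUD

dn: cn=ssh,ou=groups,ou=people,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: ssh
gidNumber: 7000
description: SSH allowed users
memberUid: mtx

# Hypothetical: group whose member attribute holds the DN (what stock pam_ldap compares)
dn: cn=ssh-dn,ou=groups,ou=people,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
cn: ssh-dn
member: cn=Valentin BUD,ou=people,dc=example,dc=com
"""

USER_UID = "mtx"
GROUPDN = "cn=ssh,ou=groups,ou=people,dc=example,dc=com"
ALT_GROUPDN = "cn=ssh-dn,ou=groups,ou=people,dc=example,dc=com"


def parse_ldif(text):
    """Tiny LDIF subset (no folding, no base64): list of dicts, attr -> [values]."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:                      # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):          # LDIF comment
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def normalize_dn(dn):
    """Approximation of distinguishedNameMatch: case-insensitive, RDN spacing ignored."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def check_membership(entries, user_uid, groupdn, member_attribute, member_holds="dn"):
    """Return True if user_uid passes the pam_groupdn test against groupdn.
    member_holds="dn": stock pam_ldap, member_attribute must contain the user's DN.
    member_holds="uid": patched behaviour, member_attribute must contain the uid."""
    user = next((e for e in entries if user_uid in e.get("uid", [])), None)
    group = next((e for e in entries if normalize_dn(e["dn"][0]) == normalize_dn(groupdn)), None)
    if user is None or group is None:
        return False
    values = group.get(member_attribute.lower(), [])
    if member_holds == "dn":
        want = normalize_dn(user["dn"][0])
        return any(normalize_dn(v) == want for v in values)
    if member_holds == "uid":
        return user_uid in values         # memberUid uses caseExactIA5Match
    raise ValueError("member_holds must be 'dn' or 'uid'")


ENTRIES = parse_ldif(LDIF)

if __name__ == "__main__":
    print("stock pam_ldap, posixGroup/memberUid:",
          check_membership(ENTRIES, USER_UID, GROUPDN, "memberUid"))
    print("patched (uid mode), posixGroup/memberUid:",
          check_membership(ENTRIES, USER_UID, GROUPDN, "memberUid", member_holds="uid"))
    print("stock pam_ldap, groupOfNames/member:",
          check_membership(ENTRIES, USER_UID, ALT_GROUPDN, "member"))
```

The first call is the poster's situation: the group holds "mtx" but stock pam_ldap looks for "cn=Valentin BUD,ou=people,dc=example,dc=com" in memberUid, so the login is refused. The second call shows what the uid option would change, and the third shows the configuration that already works without a patch.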