Greedy PAM

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

>________________________________________
>From: 389-users-bounces at lists.fedoraproject.org [389-users-bounces at lists.fedoraproject.org] on behalf of Daniel Maher [dma+389users at witbe.net]
>Sent: 15 October 2010 16:12
>To: 389-users at lists.fedoraproject.org
>Subject: Re: Greedy PAM
>
>On 10/15/2010 04:57 PM, Gerrard Geldenhuis wrote:
>
>> Is there a way to dynamically have search basis when queries for certain data is done.
>
>Yes.
>
>> How do you configure clients to be more selective when doing searches against a ldap directory.
>
>It depends entirely on the software doing the query.  Here's an example
>from one of my Apache HTTPd configs :
>
>AuthLDAPURL
>"ldap://<server>/ou=People,dc=franceix,dc=net?uid??(|(gidNumber=10000)(gidNumber=11000))"

Thanks, I have addded the following filters for PAM in /etc/ldap.conf

nss_base_passwd         ou=people,dc=mycompany?sub
nss_base_group          ou=Groups,dc=mycompany?sub
nss_base_group          ou=PrivateGroups,dc=mycompany?sub
nss_base_group          ou=SystemGroups,dc=mycompany?sub

It works kind of but what I don't understand is that when a client authenticates against the directory server I see a ldapsearch request in wireshark for every single user. I am not sure if this a misconfiguration on my side or if PAM_LDAP is being greedy/lazy/buggy or where else the problem lies. I see a succesfull result for every ldap search request in LDAP so I am not sure why every user would need to be queried if only one user needs to authenticate. 


We use a seperate user to speak to the Directory specified in /etc/ldap.conf. I am not sure if that would make a difference.

binddn          uid=SysAuth,ou=Service Accounts,dc=mycompany

Any thoughts would be appreciated and suggestions for a nice tool to analyze LDAP conversations would be much appreciated. I am playing with dsniff and netsniff-ng. 

Best Regards

________________________________________________________________________
In order to protect our email recipients, Betfair Group use SkyScan from 
MessageLabs to scan all Incoming and Outgoing mail for viruses.

________________________________________________________________________
[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux