On 01/16/2014 07:13 AM, Paolo Barbato wrote:
>
> On 16/gen/2014, at 15:52, Rich Megginson <rmeggins@xxxxxxxxxx> wrote:
>
>> On 01/16/2014 07:48 AM, Paolo Barbato wrote:
>>> Hi Rich,
>>>
>>> On 16/gen/2014, at 15:28, Rich Megginson <rmeggins@xxxxxxxxxx> wrote:
>>>
>>>> On 01/16/2014 12:56 AM, Paolo Barbato wrote:
>>>>> Thanks for the replies, I think I need to better describe what I'm testing.
>>>>>
>>>>> As I said, I have a central repository for credentials accessible via ldaps.
>>>>>
>>>>> 389dirsrv stores some information, but before getting it I need the user to authenticate on the central repository.
>>>>>
>>>>> So I've activated and configured the PAM Pass Through Authentication Plug-in, and following the instructions created a specific /etc/pam.d/ldapserver as well as /etc/pam_ldap.conf.
>>>>>
>>>>> This is working, I mean that if I type
>>>>>
>>>>> ldapsearch -v -LLL -Hldaps://my389 -b"dc=myDC" -D "uid=myUser" -W -x
>>>>>
>>>>> the PAM PTA strips myUser from the binddn and uses that as the login username for PAM.
>>>>>
>>>>> Let me just say that in production I'll use a different repository based on Active Directory, so probably I'll use SSSD, as you suggest.
>>>>>
>>>>> The problem.
>>>>>
>>>>> If I use a command like
>>>>>
>>>>> ldapsearch -v -LLL -Hldaps://my389 -b"dc=myDC" -D "myUser" -W -x
>>>>>
>>>>> it fails, since 389dirsrv makes a syntax check on the binddn before passing the stripped myUser value to PAM PTA.
>>>>>
>>>>> This is really true, since I do not see any attempt in the LDAP central repository access logs.
>>>>>
>>>>> Here is my question: is it mandatory to use as binddn (-D) a syntax like uid=myUser or cn=myUser, or is it possible to configure 389dirsrv to rewrite myUser into uid=myUser before processing it?
>>>> No. The argument to -D must be a DN.
>>>>
>>> I suspected that, so you confirm that such a syntax check is performed by 389dirsrv.
>> Yes. You can disable syntax and DN syntax checking, but that is strongly discouraged.
>>>
> ok !
>
>>>> There are SASL mechanisms that take a username instead of a DN.
>>>>
>>> Yes, I've tried that way using openldap and saslauthd, but also in that deployment I must always use uid=myUser as DN, since the syntax check prevails.
>>
>> There are SASL mechanisms that allow you to use a username and not a bind DN. This should work with 389 and openldap and other directory servers that support those SASL mechanisms. In that case, you do not use -D "bind=dn"
>>
>
> I have to further investigate this way....
>
>>>
>>> In my lab I use Stalker CGPro as mailer, which allows an LDAP bind, for example from the Thunderbird address book client, using only a username as bind dn.
>>
>> I wonder if that is an AD-ism? One of the many ways that AD violates LDAP is that it allows non-DNs to be used with -D.
>>
> Oh yes, it could really be that. So that LDAP server gets the username from the -D non-DN without any particular check, and looks up a match in the default subtree. Is that really so dangerous?

For thunderbird, I suspect the client side does an anonymous search for "uid=<username>" to find the full bind DN, which it then uses to perform the bind.

>
> Regards,
> Paolo.
>
>>>
>>> Regards,
>>> Paolo.
>>>
>>>>>
>>>>> Regards,
>>>>> Paolo.
>>>>>
>>>>>
>>>>> On 15/gen/2014, at 23:13, Dan Lavu <dan@xxxxxxxx> wrote:
>>>>>
>>>>>> Why are you using pam passthrough, what are you using as your authentication mechanism? SSSD has all commonly implemented authentication mechanisms.
>>>>>>
>>>>>>
>>>>>> On 01/15/2014 12:54 PM, Jonathan Vaughn wrote:
>>>>>>> If you want to be able to map the simple username "myUser" to say, "uid=myUser,cn=Users,dc=mycompany,dc=net", you probably are best off using SSSD to handle that.
>>>>>>> SSSD can be configured to know where to search and how to apply the supplied username to the search (i.e. to look for anything under cn=Users,dc=mycompany,dc=net where uid=[the supplied username]).
>>>>>>>
>>>>>>> SSSD in turn provides a PAM module to talk to the SSSD daemon itself, which is where you can hook up your PAM passthrough authentication.
>>>>>>>
>>>>>>> i.e., we use SSSD for SSO login to our Linux machines, and have the following lines (in addition to the usual stuff) in our pam.d/password-auth :
>>>>>>>
>>>>>>> auth sufficient pam_sss.so use_first_pass
>>>>>>> account [default=bad success=ok user_unknown=ignore] pam_sss.so
>>>>>>> password sufficient pam_sss.so use_authtok
>>>>>>> session optional pam_sss.so
>>>>>>>
>>>>>>>
>>>>>>> On Wed, Jan 15, 2014 at 3:46 AM, Paolo Barbato <paolo.barbato@xxxxxxxxxx> wrote:
>>>>>>> Hi 389-users,
>>>>>>>
>>>>>>> I'm testing the latest released 389 dirsrv on a rhel 6.5.
>>>>>>>
>>>>>>> I've deployed a PAM passthrough, since I have a central repository for credentials, and it works.
>>>>>>>
>>>>>>> I wonder whether it would be possible to use a simple username, or whether it's mandatory to use a syntax like uid=myuser (or cn=..) as bind dn.
>>>>>>>
>>>>>>> ldapsearch -v -LLL -Hldaps://my389 -b"dc=myDC" -D "uid=myUser" -W -x works
>>>>>>>
>>>>>>> ldapsearch -v -LLL -Hldaps://my389 -b"dc=myDC" -D "myUser" -W -x doesn't work
>>>>>>>
>>>>>>> ldap_bind: No such object (32)
>>>>>>> additional info: Bind DN [myUser] is invalid or not found
>>>>>>>
>>>>>>> So the question is whether it would be possible to rewrite in some way the bind dn before the syntax check.
>>>>>>>
>>>>>>> Regards,
>>>>>>> Paolo.
>>>>>>>
>>>>>>> ------------------------------------------------------------------------------------------------
>>>>>>> Paolo Barbato
>>>>>>>
>>>>>>> Consorzio RFX
>>>>>>> corso Stati Uniti,4
>>>>>>>
>>>>>>> Network Administrator
>>>>>>> phone: +39 049 8295097 fax: +39 049 8700718
>>>>>>> ------------------------------------------------------------------------------------------------
>>>>>>>
>>>>>>> --
>>>>>>> 389 users mailing list
>>>>>>> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
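The "search for uid=<username>, then bind with the DN you found" flow Rich describes for Thunderbird, together with the "look under cn=Users where uid=[the supplied username]" mapping Jonathan describes for SSSD, as an added example in Python that is not part of the thread: a client-side resolver that accepts either a real DN or a bare username, escapes the username before it is placed in the search filter, and refuses to proceed unless exactly one entry matches. The in-memory directory, the names myUser, cn=Users and dc=myDC, and the hypothetical duplicate user `shared` are constructed for the demonstration; a real client would send the filter to 389 as an anonymous search.

```python
# Added example (not from the thread): the client-side "search, then bind" pattern
# Rich describes for Thunderbird, and the username-to-DN mapping Jonathan describes
# for SSSD, done as a DN-resolution step that runs BEFORE the bind is attempted.
# The directory is replaced by an in-memory search callable; all entries and names
# (myUser, cn=Users, dc=myDC, the duplicate "shared") are constructed for the demo.
import re

# RFC 4515 filter escaping: the supplied name must never change the filter's shape.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

# Minimal RFC 4514 shape check: one or more attr=value RDNs separated by unescaped
# commas. Anything else is treated as a bare username, as in -D "myUser".
_RDN = r'[A-Za-z][A-Za-z0-9-]*=(?:[^,\\]|\\.)+'
_DN_RE = re.compile(rf'^{_RDN}(?:,{_RDN})*$')

def looks_like_dn(identity: str) -> bool:
    return bool(_DN_RE.match(identity.strip()))

def resolve_bind_dn(identity, base_dn, search, naming_attr="uid"):
    """Return the DN to bind with.

    A syntactically valid DN is used unchanged (what 389 requires for -D).
    A bare username is looked up anonymously under base_dn; exactly one entry
    must match, otherwise the bind is refused rather than guessed.
    `search(base_dn, filter_str)` returns the list of matching entry DNs.
    """
    if looks_like_dn(identity):
        return identity
    filt = f"({naming_attr}={escape_filter_value(identity)})"
    matches = search(base_dn, filt)
    if len(matches) != 1:
        raise LookupError(f"{filt} under {base_dn}: {len(matches)} matches, need 1")
    return matches[0]

# Constructed stand-in for the anonymous search a real client would send to 389.
# Keys are the exact filter strings the directory would receive.
FIXTURE = {
    "(uid=myUser)": ["uid=myUser,cn=Users,dc=myDC"],
    "(uid=shared)": ["uid=shared,cn=Users,dc=myDC", "uid=shared,cn=Svc,dc=myDC"],
}

def fixture_search(base_dn, filter_str):
    return list(FIXTURE.get(filter_str, [])) if base_dn == "dc=myDC" else []

if __name__ == "__main__":
    print(resolve_bind_dn("myUser", "dc=myDC", fixture_search))
```

A username of `*` becomes the filter `(uid=\2a)` and matches nothing, and `shared` is rejected because two entries match, so neither ambiguity nor filter metacharacters can steer the bind to an unintended entry.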