mandriva

Ticket #136 (new enhancement)

Opened 3 years ago

Last modified 12 months ago

user's cn needed as memberUid instead only uid

Reported by: Mate Labadi <labadimate@…> Owned by: cdelfosse@…
Priority: normal Milestone:
Component: mmc-agent Version: 2.1.0
Severity: normal Keywords: Fedora directory server
Cc:

Description

There is a feature in pam_ldap that enables the OS to authenticate the user only in the case when the user is a member of a certain group. This feature is called pam_groupdn.

But this only works if the memberUid's value (in the LDAP group) is the user's full cn, instead of the form used in MDS (the uid only).

If I manually change the value of memberUid in the group to be, for example, "uid=labadim,ou=Users,dc=example,dc=com", then the pam_groupdn feature works as expected.

Here is the relevant part of my /etc/ldap.conf (this file is /etc/libnss-ldap.conf on Debian systems):

    pam_login_attribute uid
    pam_groupdn cn=blade1528,ou=Groups,dc=example,dc=com
    pam_member_attribute memberUid

And I also checked the relevant code in pam_ldap.c from http://www.padl.com/download/pam_ldap.tgz. It really checks for the userdn instead of the uid:

    /* group auth, per Chris's pam_ldap_auth module */
    if (session->conf->groupdn != NULL)
      {
        rc = ldap_compare_s (session->ld,
                             session->conf->groupdn, session->conf->groupattr,
                             session->info->userdn);
        if (rc != LDAP_COMPARE_TRUE)
          {
            snprintf (buf, sizeof buf, "You must be a %s of %s to login.",
                      session->conf->groupattr, session->conf->groupdn);
            _conv_sendmsg (appconv, buf, PAM_ERROR_MSG, no_warn);
            return PAM_PERM_DENIED;
          }
        else
          rc = success;
      }

Is there any special requirement why the user's uid is in memberUid instead of its cn? If so, do you guys know of any workaround (besides changing memberUid's uid to the cn manually)?

Thanks in advance,

Mate Labadi labadimate@…

Change History

Changed 3 years ago by andreas@…

The syntax you refer to (using full DNs as group memberships) is defined in RFC2307bis (not published). With that syntax, a group looks like this:

    dn: cn=group,ou=group,dc=example,dc=com
    cn: group
    objectClass: groupOfNames
    objectClass: posixGroup
    member: uid=john,ou=people,dc=example,dc=com
    gidNumber: 12345

There are a few problems with using it today:
  • smbldap-tools doesn't support it
  • posixGroup is defined in RFC2307 as a structural class, which conflicts with groupOfNames. So you really need to use the RFC2307bis schema, and not the RFC2307 one (also called nis.schema)
  • nss_ldap, when used in this mode, does nested group lookups, which can quickly explode if you have many members in a group (see http://bugzilla.padl.com/show_bug.cgi?id=319): each member will trigger another LDAP lookup.

Note that you shouldn't just change the contents of memberUid to be a DN: the memberUid attribute was not designed to hold DNs.

For us, I believe the biggest obstacle now is smbldap-tools.

Changed 12 months ago by sasha@…

  • keywords Fedora directory server added
  • type changed from defect to enhancement

Using Fedora Directory Server (FDC) with MMC is the same situation. I am going to create a ticket for this issue. FDC uses

objectClass: groupOfUniqueNames

and

uniqueMember: uid=user,ou=Users,dc=example,dc=com

notation instead of

memberUid: user

in MMC.
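The three posts above each describe one group layout and one outcome of the pam_groupdn check: memberUid holding a bare uid (denied), the reporter's manual rewrite of memberUid to a DN (allowed), an RFC2307bis groupOfNames with a member DN, and the Fedora Directory Server groupOfUniqueNames with a uniqueMember DN. The following is an added example, not code from MMC/MDS, pam_ldap or this ticket: an offline simulation of the ldap_compare_s() call in the quoted pam_ldap.c fragment against those layouts. The in-memory directory, the group names (blade1528, group, fds) and the user DNs are constructed for the example; the DN normalisation is a deliberate simplification of RFC 4514 and the result codes are the standard LDAP ones.

```python
# Added example (not MMC/MDS or pam_ldap code): simulate the pam_groupdn check
# quoted in the ticket against the three group styles discussed in the thread.
# The directory below is constructed, not dumped from a real server, and
# normalize_dn() is a simplification of RFC 4514 DN matching.

import copy

# LDAP result codes as pam_ldap sees them from ldap_compare_s().
LDAP_COMPARE_FALSE = 5
LDAP_COMPARE_TRUE = 6
LDAP_NO_SUCH_ATTRIBUTE = 16
LDAP_NO_SUCH_OBJECT = 32

# Attributes whose syntax is a DN; a server compares them with distinguishedNameMatch.
DN_SYNTAX_ATTRS = {"member", "uniquemember"}


def normalize_dn(dn):
    """Simplified DN normalisation: trim spaces around RDNs and fold case.
    Enough for the constructed entries here; a real server also handles
    escaping and multi-valued RDNs (RFC 4514)."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def make_directory():
    """Constructed directory: normalised DN -> {attribute type (lower) -> [values]}."""
    entries = {
        # MDS / RFC 2307 style: posixGroup, memberUid holds the uid only.
        "cn=blade1528,ou=Groups,dc=example,dc=com": {
            "objectClass": ["posixGroup"], "cn": ["blade1528"],
            "gidNumber": ["1528"], "memberUid": ["labadim"],
        },
        # RFC2307bis style (andreas): groupOfNames + posixGroup, member holds a DN.
        "cn=group,ou=group,dc=example,dc=com": {
            "objectClass": ["groupOfNames", "posixGroup"], "cn": ["group"],
            "gidNumber": ["12345"], "member": ["uid=john,ou=people,dc=example,dc=com"],
        },
        # Fedora Directory Server style (sasha): groupOfUniqueNames + uniqueMember DN.
        "cn=fds,ou=Groups,dc=example,dc=com": {
            "objectClass": ["groupOfUniqueNames"], "cn": ["fds"],
            "uniqueMember": ["uid=user,ou=Users,dc=example,dc=com"],
        },
    }
    return {normalize_dn(dn): {a.lower(): v for a, v in attrs.items()}
            for dn, attrs in entries.items()}


def ldap_compare(directory, dn, attr, value):
    """Server side of the LDAP Compare operation for one entry/attribute/value."""
    entry = directory.get(normalize_dn(dn))
    if entry is None:
        return LDAP_NO_SUCH_OBJECT
    stored = entry.get(attr.lower())
    if stored is None:
        return LDAP_NO_SUCH_ATTRIBUTE
    if attr.lower() in DN_SYNTAX_ATTRS:
        hit = any(normalize_dn(s) == normalize_dn(value) for s in stored)
    else:
        # memberUid is an IA5 string (caseExactIA5Match in RFC 2307): exact match only.
        hit = value in stored
    return LDAP_COMPARE_TRUE if hit else LDAP_COMPARE_FALSE


def pam_groupdn_check(directory, groupdn, groupattr, userdn):
    """Mirror of the pam_ldap.c fragment quoted in the ticket: the asserted value
    is the user's DN, and anything but LDAP_COMPARE_TRUE denies the login."""
    rc = ldap_compare(directory, groupdn, groupattr, userdn)
    if rc != LDAP_COMPARE_TRUE:
        return False, "You must be a %s of %s to login." % (groupattr, groupdn)
    return True, "ok"


def run_cases():
    d = make_directory()
    mds_group = "cn=blade1528,ou=Groups,dc=example,dc=com"
    labadim = "uid=labadim,ou=Users,dc=example,dc=com"
    results = {}
    # 1. Reporter's config as-is: memberUid holds "labadim", the compare asserts a DN -> denied.
    results["mds_memberuid_denied"] = pam_groupdn_check(d, mds_group, "memberUid", labadim)[0]
    # 2. Reporter's manual workaround: memberUid rewritten to the DN -> allowed. It satisfies
    #    pam_groupdn, but memberUid was not designed to hold DNs (andreas's comment).
    hacked = copy.deepcopy(d)
    hacked[normalize_dn(mds_group)]["memberuid"] = [labadim]
    results["mds_memberuid_rewritten_allowed"] = pam_groupdn_check(hacked, mds_group, "memberUid", labadim)[0]
    # 3. RFC2307bis group: member holds a DN, so even a differently cased/spaced DN matches.
    results["rfc2307bis_member_allowed"] = pam_groupdn_check(
        d, "cn=group,ou=group,dc=example,dc=com", "member", "UID=John, OU=People, DC=example, DC=com")[0]
    # 4. FDS-style group with pam_member_attribute uniqueMember -> allowed.
    results["fds_uniquemember_allowed"] = pam_groupdn_check(
        d, "cn=fds,ou=Groups,dc=example,dc=com", "uniqueMember", "uid=user,ou=Users,dc=example,dc=com")[0]
    # 5. A user who is not listed in the group at all -> denied.
    results["non_member_denied"] = pam_groupdn_check(d, "cn=group,ou=group,dc=example,dc=com", "member", labadim)[0]
    return results


if __name__ == "__main__":
    for name, allowed in run_cases().items():
        print("%-34s %s" % (name, "allowed" if allowed else "denied"))
```

The point the simulation makes is the one the thread circles around: pam_groupdn never looks at the uid, it asks the server whether the group entry's pam_member_attribute contains the bound user's DN, so the attribute named there must hold DNs (member or uniqueMember under groupOfNames/groupOfUniqueNames), and stuffing a DN into memberUid only works because the compare is a literal string match.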
