Ticket Navigation

Ticket #136 (new defect)

Opened 1 year ago

Last modified 1 year ago

user's cn needed as memberUid instead only uid

Reported by:	Mate Labadi <labadimate@freemail.hu>	Assigned to:	cdelfosse@mandriva.com
Priority:	normal	Milestone:
Component:	mmc-agent	Version:	2.1.0
Severity:	normal	Keywords:
Cc:

Description

There is a feature in pam_ldap that enables the OS to authenticate the user only in the case, when the user is a member of a certain group. This feature is called pam_groupdn.

But this only works, if the memberUid's value (in the ldap group) is the users full cn, instead of the form used in MDS (the uid only).

If I change manually the value of the memberUid in the group to be, for example, "uid=labadim,ou=Users,dc=example,dc=com", then the pam_groupdn feature is working as expected.

Here is the relevant part of my /etc/ldap.conf (this file is /etc/libnss-ldap.conf in Debian systems) pam_login_attribute uid pam_groupdn cn=blade1528,ou=Groups,dc=example,dc=com pam_member_attribute memberUid

And I also checked the relevant code from pam_ldap.c from http: //www.padl.com/download/pam_ldap.tgz. And it really checks for userdn instead of the uid: "

/* group auth, per Chris's pam_ldap_auth module */ if (session->conf->groupdn != NULL)

{

rc = ldap_compare_s (session->ld,

session->conf->groupdn, session->conf->groupattr,

session->info->userdn);

if (rc != LDAP_COMPARE_TRUE)

{

snprintf (buf, sizeof buf, "You must be a %s of %s to login.",

session->conf->groupattr, session->conf->groupdn);

_conv_sendmsg (appconv, buf, PAM_ERROR_MSG, no_warn); return PAM_PERM_DENIED;

}

else

rc = success;

}

Is there any special requirements, why the users uid is in the memberUid instead it's cn? If yes, do you guys know any workaround (beside changing memberUid's uid to cn manually).

Thanks in advance,

Mate Labadi labadimate@freemail.hu

Attachments

Change History

11/28/07 20:37:44 changed by andreas@mandriva.com.br

The syntax you refer to (use full DNs as group memberships) is defined in RFC2307bis (not published). With that syntax, a group looks like this: dn: cn=group,ou=group,dc=example,dc=com cn: group objectClass: groupOfNames objectClass: posixGroup member: uid=john,ou=people,dc=example,dc=com gidNumber: 12345

There are a few problems in using this today: - smbldap-tools doesn't support it - posixGroup is defined in RFC2307 as a structural class, which conflicts with groupOfNames. So you really need to use the RFC2307bis schema, and not the RFC2307 one (also called nis.schema) - nss_ldap, when used in this mode, does nested group lookups, which can quickly explode if you have many members in a group (see http: //bugzilla.padl.com/show_bug.cgi?id=319): each member will trigger another ldap lookup.

Note that you shouldn't just change the contents of memberUid to be a DN: the memberUid attribute was not designed to hold DNs.

For us, I believe the biggest obstacle now is smbldap-tools.

Add/Change #136 (user's cn needed as memberUid instead only uid)

Your email or username:

Comment (you may use WikiFormatting here):

Change Properties

Summary:
Type:
Priority:		Milestone:
Component:		Version:
Severity:		Keywords:
Cc:

Action leave as new
accept ticket
resolve as:
reassign to:

Download in other formats: