If you want to be able to map the simple username "myUser" to say, "uid=myUser,cn=Users,dc=mycompany,dc=net", you probably are best off using SSSD to handle that. 
SSSD can be configured to know where to search and how to apply the supplied username to the search (i.e. to look for anything under cn=Users,dc=mycompany,dc=net where uid=[the supplied username]).

SSSD in turn provides a PAM module to talk to the SSSD daemon itself, which is where you can hook up your PAM passthrough authentication.

For example, we use SSSD for SSO login to our Linux machines, and have the following lines (in addition to the usual stuff) in our pam.d/password-auth:

auth        sufficient    pam_sss.so use_first_pass
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
password    sufficient    pam_sss.so use_authtok
session     optional      pam_sss.so
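Added here as an illustration, not part of either message: the SSSD domain configuration that makes the "where to search and how to apply the username" part concrete for the DN layout used in the question. The hostname, base DNs and CA certificate path are assumptions.

```ini
# Added example /etc/sssd/sssd.conf (not from the thread); names are assumed.
[sssd]
services = nss, pam
domains = mycompany

[domain/mycompany]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://my389.mycompany.net
ldap_search_base = dc=mycompany,dc=net

# Where to look for users and which attribute the supplied login name matches.
# With these lines a login of "myUser" makes SSSD search for
# (&(uid=myUser)(objectClass=posixAccount)) under cn=Users,dc=mycompany,dc=net
# and then bind as the DN it finds, e.g. uid=myUser,cn=Users,dc=mycompany,dc=net,
# so the user never has to type a DN and the directory still sees a full bind DN.
ldap_user_search_base = cn=Users,dc=mycompany,dc=net
ldap_user_name = uid
ldap_user_object_class = posixAccount

# Verify the server certificate (assumed CA path); refuse unverified TLS.
ldap_tls_cacert = /etc/pki/tls/certs/mycompany-ca.pem
ldap_tls_reqcert = demand

# Do not keep hashed credentials on the client unless offline login is required.
cache_credentials = false
```

The pam_sss.so lines quoted above then route the PAM conversation to this domain, and the passthrough configured in 389 DS only ever sees the resolved DN.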
On Wed, Jan 15, 2014 at 3:46 AM, Paolo Barbato <paolo.barbato@igi.cnr.it> wrote:
Hi 389-users,

I'm testing the latest released 389 dirsrv on RHEL 6.5.

I've deployed a PAM passthrough, since I have a central repository for credentials, and it works.

I wonder whether it would be possible to use a simple username, or whether it is mandatory to use syntax like uid=myuser (or cn=...) as the bind DN.

ldapsearch -v -LLL -Hldaps://my389 -b"dc=myDC" -D "uid=myUser" -W -x   works

ldapsearch -v -LLL -Hldaps://my389 -b"dc=myDC" -D "myUser" -W -x   doesn't work

ldap_bind: No such object (32)
        additional info: Bind DN [myUser] is invalid or not found

So the question is whether it would be possible to rewrite the bind DN in some way before the syntax check.

Regards,
Paolo.

------------------------------------------------------------------------------------------------
Paolo Barbato

Consorzio RFX
corso Stati Uniti,4

Network Administrator
phone: +39 049 8295097 fax: +39 049 8700718
------------------------------------------------------------------------------------------------

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users