On 16/Jan/2014, at 15:52, Rich Megginson <rmeggins(a)redhat.com> wrote:
On 01/16/2014 07:48 AM, Paolo Barbato wrote:
> Hi Rich,
>
> On 16/Jan/2014, at 15:28, Rich Megginson <rmeggins(a)redhat.com> wrote:
>
>> On 01/16/2014 12:56 AM, Paolo Barbato wrote:
>>> Thanks for replies, I think I need to better describe what I'm testing.
>>>
>>> As I said I've a central repository for credentials accessible via ldaps.
>>>
>>> 389dirsvr stores some information, but before getting them I need a user to authenticate on the central repository.
>>>
>>> So I've activated and configured the PAM Pass Through Authentication Plug-in, and following the instructions created a specific /etc/pam.d/ldapserver as well as /etc/pam_ldap.conf
>>>
>>> This is working, I mean that if I type
>>>
>>> ldapsearch -v -LLL -Hldaps://my389 -b"dc=myDC" -D "uid=myUser" -W -x
>>>
>>> the PAM PTA strips myUser from the binddn and uses that as the login username for PAM.
>>>
>>> Let me just say that in production I'll use a different repository based on Active Directory, so probably I'll use SSSD, as you suggest.
>>>
>>> The problem.
>>>
>>> If I use a command like
>>>
>>> ldapsearch -v -LLL -Hldaps://my389 -b"dc=myDC" -D "myUser" -W -x
>>>
>>> it fails, since 389dirsrv makes a syntax check on the binddn before passing the stripped myUser value to PAM PTA
>>>
>>> This is really true, since I do not see any attempt in the ldap central repository access logs.
>>>
>>> Here is my question: is it mandatory to use as binddn (-D) a syntax like uid=myUser or cn=myUser, or is it possible to configure 389dirsrv to rewrite myUser into uid=myUser before processing it?
>> No. The argument to -D must be a DN.
>>
> I suspected that, so you confirm that such a syntax control is performed by 389dirsrv.
Yes. You can disable syntax and DN syntax checking, but that is strongly discouraged.
>
ok!
>> There are SASL mechanisms that take a username instead of a DN.
>>
> Yes, I've tried that way using openldap and saslauthd, but also in that deployment I must always use uid=myUser as DN, since the syntax control prevails.
There are SASL mechanisms that allow you to use a username and not a bind DN. This should work with 389 and openldap and other directory servers that support those SASL mechanisms. In that case, you do not use -D "bind=dn"
I have to further investigate this way...
>
> In my lab I use Stalker CGPro as mailer, which allows ldap bind, for example from the thunderbird address book client, using only a username as bind dn.
I wonder if that is an AD-ism? One of the many ways that AD violates LDAP is that it allows non-DNs to be used with -D.
Oh yes, it could really be that. So that ldap server gets the username from the -D non-DN without any particular check, and looks up a match in the default subtree. Is that really so dangerous?
Regards,
Paolo.
>
> Regards,
> Paolo.
>
>
>>>
>>> Regards,
>>> Paolo.
>>>
>>>
>>>
>>> On 15/Jan/2014, at 23:13, Dan Lavu <dan(a)lavu.net> wrote:
>>>
>>>> Why are you using pam passthrough, what are you using as your authentication mechanism? SSSD has all commonly implemented authentication mechanisms.
>>>>
>>>>
>>>>
>>>> On 01/15/2014 12:54 PM, Jonathan Vaughn wrote:
>>>>> If you want to be able to map the simple username "myUser" to say, "uid=myUser,cn=Users,dc=mycompany,dc=net", you probably are best off using SSSD to handle that.
>>>>> SSSD can be configured to know where to search and how to apply the supplied username to the search (i.e. to look for anything under cn=Users,dc=mycompany,dc=net where uid=[the supplied username]).
>>>>>
>>>>> SSSD in turn provides a PAM module to talk to the SSSD daemon itself, which is where you can hook up your PAM passthrough authentication.
>>>>>
>>>>> i.e., we use SSSD for SSO login to our Linux machines, and have the following lines (in addition to the usual stuff) in our pam.d/password-auth :
>>>>>
>>>>> auth sufficient pam_sss.so use_first_pass
>>>>> account [default=bad success=ok user_unknown=ignore] pam_sss.so
>>>>> password sufficient pam_sss.so use_authtok
>>>>> session optional pam_sss.so
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Wed, Jan 15, 2014 at 3:46 AM, Paolo Barbato <paolo.barbato(a)igi.cnr.it> wrote:
>>>>> Hi 389-users,
>>>>>
>>>>> I'm testing the last released 389 dirsrv on a rhel 6.5.
>>>>>
>>>>> I've deployed a PAM passthrough, since I have a central repository for credentials, and it works.
>>>>>
>>>>> I'm wondering whether it would be possible to use a simple username, or if it's mandatory to use a syntax like uid=myuser (or cn=..) as bind dn.
>>>>>
>>>>> ldapsearch -v -LLL -Hldaps://my389 -b"dc=myDC" -D "uid=myUser" -W -x works
>>>>>
>>>>> ldapsearch -v -LLL -Hldaps://my389 -b"dc=myDC" -D "myUser" -W -x doesn't work
>>>>>
>>>>> ldap_bind: No such object (32)
>>>>> additional info: Bind DN [myUser] is invalid or not found
>>>>>
>>>>> So the question is whether it would be possible to rewrite in some way the bind dn before the syntax check.
>>>>>
>>>>> Regards,
>>>>> Paolo.
>>>>>
>>>>>
------------------------------------------------------------------------------------------------
>>>>> Paolo Barbato
>>>>>
>>>>> Consorzio RFX
>>>>> corso Stati Uniti,4
>>>>>
>>>>> Network Administrator
>>>>> phone: +39 049 8295097 fax: +39 049 8700718
>>>>>
------------------------------------------------------------------------------------------------
>>>>>
>>>>> --
>>>>> 389 users mailing list
>>>>> 389-users(a)lists.fedoraproject.org
>>>>>
https://admin.fedoraproject.org/mailman/listinfo/389-users
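An added example, not from the thread and not 389 DS or SSSD code, showing the two pieces the discussion turns on: a simplified stand-in for the server's bind DN syntax check that rejects a bare "myUser", and the username-to-DN mapping Jonathan describes (uid=[user] under a fixed base), done with RFC 4514 escaping so a crafted username cannot add RDNs of its own. Function names, the base DN and the RDN-style stripping of the login name are assumptions for illustration.

```python
import re

# RFC 4514 characters that must be escaped inside an attribute value.
_DN_SPECIAL = set(',+"\\<>;=')
# One RDN: attribute type, '=', then a value with no unescaped ',' '+' '=' or '\'.
_RDN_RE = re.compile(r'^[A-Za-z][A-Za-z0-9-]*=(?:[^,+=\\]|\\.)+$')


def looks_like_dn(s: str) -> bool:
    """Simplified stand-in (assumption) for the server's DN syntax check:
    every unescaped-comma-separated piece must be attr=value.
    'myUser' fails here, which is the error the thread reports."""
    parts = re.split(r'(?<!\\),', s) if s else []
    return bool(parts) and all(_RDN_RE.match(p.strip()) for p in parts)


def escape_dn_value(value: str) -> str:
    """Escape a value per RFC 4514 so it cannot smuggle in extra RDNs."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (ch == '#' and i == 0) or (ch == ' ' and i in (0, last)):
            out.append('\\' + ch)
        elif ord(ch) < 0x20:
            out.append('\\%02x' % ord(ch))  # control characters as hex pairs
        else:
            out.append(ch)
    return ''.join(out)


def map_username_to_dn(username: str, base: str, attr: str = 'uid') -> str:
    """Build attr=<user>,<base>, the kind of mapping SSSD is described as doing
    (a constructed stand-in, not SSSD's own logic)."""
    username = username.strip()
    if not username:
        raise ValueError('empty username')
    return '%s=%s,%s' % (attr, escape_dn_value(username), base)


def pam_login_from_bind_dn(bind_dn: str) -> str:
    """Reject non-DN bind identities, then take the first RDN's value as the
    PAM login name (the RDN-style stripping the thread describes; assumption)."""
    if not looks_like_dn(bind_dn):
        raise ValueError('Bind DN [%s] is invalid' % bind_dn)
    first_rdn = re.split(r'(?<!\\),', bind_dn, maxsplit=1)[0]
    raw_value = first_rdn.split('=', 1)[1]
    # Undo single-character escapes ('\,' -> ','); hex escapes are not handled here.
    return re.sub(r'\\(.)', r'\1', raw_value)
```

Mapping first and escaping the value means a username such as "evil,ou=admins" becomes a single RDN value rather than two RDNs, and the bare "myUser" form is still rejected before anything reaches PAM.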