[389-users] Greedy PAM
Gerrard.Geldenhuis at betfair.com
Tue Oct 19 09:07:52 UTC 2010
>From: 389-users-bounces at lists.fedoraproject.org [389-users-bounces at lists.fedoraproject.org] on behalf of Daniel Maher [dma+389users at witbe.net]
>Sent: 15 October 2010 16:12
>To: 389-users at lists.fedoraproject.org
>Subject: Re: [389-users] Greedy PAM
>On 10/15/2010 04:57 PM, Gerrard Geldenhuis wrote:
>> Is there a way to dynamically have search basis when queries for certain data is done.
>> How do you configure clients to be more selective when doing searches against a ldap directory.
>It depends entirely on the software doing the query. Here's an example
>from one of my Apache HTTPd configs :
Thanks, I have addded the following filters for PAM in /etc/ldap.conf
It works kind of but what I don't understand is that when a client authenticates against the directory server I see a ldapsearch request in wireshark for every single user. I am not sure if this a misconfiguration on my side or if PAM_LDAP is being greedy/lazy/buggy or where else the problem lies. I see a succesfull result for every ldap search request in LDAP so I am not sure why every user would need to be queried if only one user needs to authenticate.
We use a seperate user to speak to the Directory specified in /etc/ldap.conf. I am not sure if that would make a difference.
binddn uid=SysAuth,ou=Service Accounts,dc=mycompany
Any thoughts would be appreciated and suggestions for a nice tool to analyze LDAP conversations would be much appreciated. I am playing with dsniff and netsniff-ng.
In order to protect our email recipients, Betfair Group use SkyScan from
MessageLabs to scan all Incoming and Outgoing mail for viruses.
More information about the 389-users