[389-users] Do I need separate directory instances for Linux authentication and (for example) IMAP authentication?

Grzegorz Dwornicki gd1100 at gmail.com
Fri Aug 17 06:59:16 UTC 2012


Look in the Red Hat docs. There you can find a lot of advice on schema
writing. But writing a schema is one thing; an app that uses it is another
issue.

Greg.

Sent from htc desire z
17-08-2012 08:27, "Ray" <ray at renegade.zapto.org> wrote:

> On 16.08.2012 20:16, Stephen Ingram wrote:
>
>> On Thu, Aug 16, 2012 at 10:27 AM, Ray <ray at renegade.zapto.org> wrote:
>>
>>> On 16.08.2012 19:03, Stephen Ingram wrote:
>>>
>>>> On Thu, Aug 16, 2012 at 9:33 AM, Ray <ray at renegade.zapto.org> wrote:
>>>>
>>>>>
>>>>> Hi,
>>>>>
>>>>> I posted this before without getting a response. I think the question
>>>>> is super simple to answer for LDAP experts. I'll try to rephrase the
>>>>> question (in case it was unclear before...)
>>>>>
>>>>> I've been googling quite a while on this topic trying all sorts of
>>>>> keyword combinations and found exactly nothing.
>>>>>
>>>>> LDAP appears to be commonplace, almost every server software I can
>>>>> think of comes with an LDAP authentication module. The services that
>>>>> use the directory may need to have different user bases (i.e. not
>>>>> every Linux user needs to be an IMAP user also and not every IMAP user
>>>>> should automatically be able to SSH into servers).
>>>>>
>>>>> What is the right way to achieve the above?
>>>>>
>>>>> 1) Have separate LDAP instances running, one for IMAP, the other one
>>>>> for Linux authentication. As there are some users that need both IMAP
>>>>> and Linux access, some users would need to be set up twice.
>>>>>
>>>>> 2) Have all users in one LDAP instance, and have different sets of
>>>>> attributes for IMAP and Linux authentication. Those users with IMAP
>>>>> access have their IMAP attributes filled in and those with Linux
>>>>> logins have their posix account settings filled with values. Some
>>>>> would have both. I do not see how to assign different passwords for
>>>>> the two services for this option. Is there a way?
>>>>>
>>>>> Are there any other options?
>>>>>
>>>>
>>>>
>>>> Generally the whole purpose of using a directory server (LDAP) is to
>>>> benefit from centralized and consistent configuration and
>>>> authentication. As such, most setups use the same user base for
>>>> everything (in your case IMAP access and shell logins). You just need
>>>> to point each service (login and IMAP) to your directory and filter
>>>> based on the existence of certain attributes. For example, only users
>>>> with the objectclass=mailRecipient would be allowed to login to your
>>>> IMAP mail store. This can easily be accomplished through the
>>>> authentication system of your IMAP software (one that supports LDAP
>>>> authentication).
>>>>
>>>> Steve
>>>>
>>>
>>>
>>> Many thanks for these insights, Steve!
>>>
>>> There are two more questions I have:
>>>
>>> * Is mailRecipient defined somewhere (schema?) or are these objectClasses
>>> free for me to choose?
>>>
>>
>> mailRecipient is already defined as part of the old Netscape mail
>> server schemas. I'm not sure if it's included in the default 389ds or
>> not. Ultimately, you can roll your own schemas; however, it is not
>> always an easy task, and thus it is many times easier to use an already
>> available schema.
>>
>
> Ok, I see. Rich: also thanks for your reply on this.
>
>>> * Is there a way to have separate passwords for IMAP? Specifically I would
>>> like to run Cyrus-imap.
>>>
>>
>> No, there can only be one userpassword attribute. Out of curiosity,
>> why would you want your users to have to use different passwords for
>> each service? That sort of disposes of the whole idea of using LDAP
>> auth to begin with. And, yes, Cyrus-IMAP works perfectly with LDAP
>> authentication.
>>
>
> Steve & Rich:
>
> I prefer different passwords because of security concerns: If a user (with
> both IMAP and SSH access) hacks his/her mail password into a compromised
> box (keylogger, for instance, internet café...), then the expected damage
> would be limited to the mail account only. If the same password works for
> SSH also, then it's possible to screw up all files of that user; worse
> even, if there is some rights-elevation bug around at the time, then the
> entire box might be at risk.
>
> Getting a second set of userpassword attributes then either would require
> me to run a second instance, or I would have to resort to the likes of
> sasldb for the mail side of things...
>
> Would there be a way to patch some schema file with an extra password
> attribute ("mailuserpassword")? I have absolutely no clue about schema
> writing though... is there something you can recommend me to read (book,
> website, ...) on this topic?
>
> Cheers,
> Ray
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
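Steve's suggestion above (one directory, each service filtering on its own objectClass) worked through as an added example; this is not code from the thread or from 389-ds, the entries are constructed, and the filter evaluator is a small RFC 4515 subset written for the illustration.

```python
# Added example (not from the 389-users thread or 389-ds): one directory, per-
# service access filters (each service sees only its own user base) over
# constructed entries; the evaluator covers the RFC 4515 subset such filters use.
ENTRIES = """\
uid: alice
objectClass: posixAccount
objectClass: mailRecipient

uid: bob
objectClass: posixAccount

uid: carol
objectClass: mailRecipient
"""
SERVICE_FILTERS = {
    "ssh":  "(&(uid=%u)(objectClass=posixAccount))",
    "imap": "(&(uid=%u)(objectClass=mailRecipient))",
}

def parse_ldif(text):
    """Parse simple LDIF into a list of {attr: [values]} with lowercased attrs."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, value = line.split(": ", 1)
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries

def match(entry, flt):  # &, |, !, presence and equality; case-insensitive
    body = flt.strip()[1:-1]
    if body[0] in "&|!":
        subs, depth, start = [], 0, 1
        for i, ch in enumerate(body[1:], 1):  # split top-level sub-filters
            depth += (ch == "(") - (ch == ")")
            if depth == 0 and ch == ")":
                subs.append(body[start:i + 1])
                start = i + 1
        res = [match(entry, s) for s in subs]
        return all(res) if body[0] == "&" else any(res) if body[0] == "|" else not res[0]
    attr, value = body.split("=", 1)
    values = entry.get(attr.lower(), [])
    return bool(values) if value == "*" else any(v.lower() == value.lower() for v in values)

def authorize(service, uid):
    """True if uid passes the service's access filter over the shared directory."""
    flt = SERVICE_FILTERS[service].replace("%u", uid)
    return any(match(e, flt) for e in parse_ldif(ENTRIES))
```

The same user base serves both services, yet bob never passes the IMAP filter and carol never passes the SSH one; the password question Ray raises is separate, since all three still authenticate with their single userPassword.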

