[389-users] Only username as bind dn

Jonathan Vaughn jonathan at creatuity.com
Wed Jan 15 17:54:09 UTC 2014


If you want to be able to map the simple username "myUser" to say,
"uid=myUser,cn=Users,dc=mycompany,dc=net", you probably are best off using
SSSD to handle that.
SSSD can be configured to know where to search and how to apply the
supplied username to the search (i.e. to look for anything under
cn=Users,dc=mycompany,dc=net where uid=[the supplied username]).

SSSD in turn provides a PAM module to talk to the SSSD daemon itself, which
is where you can hook up your PAM passthrough authentication.

i.e., we use SSSD for SSO login to our Linux machines, and have the
following lines (in addition to the usual stuff) in our pam.d/password-auth:

auth        sufficient    pam_sss.so use_first_pass
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
password    sufficient    pam_sss.so use_authtok
session     optional      pam_sss.so
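
As an added example (not part of the original post), this is what the SSSD side of that mapping looks like in /etc/sssd/sssd.conf: the directory host and subtree come from the thread (my389, cn=Users,dc=mycompany,dc=net); the domain name and the CA certificate path are placeholders.

```ini
# Minimal sssd.conf for mapping a plain login name to a DN by search.
# The file must be owned by root with mode 0600 or sssd refuses to start.
[sssd]
config_file_version = 2
services = nss, pam
domains = mycompany

[domain/mycompany]
id_provider = ldap
auth_provider = ldap

# Use ldaps:// (or StartTLS) and verify the server certificate, since SSSD
# binds with the user's own password when authenticating them.
ldap_uri = ldaps://my389
ldap_tls_reqcert = demand
# placeholder path: point this at the CA that signed the 389 server cert
ldap_tls_cacert = /etc/openldap/cacerts/ca.pem

# Where to search and which attribute the typed login name is matched on.
# A login of "myUser" becomes a search for (uid=myUser) under the user
# search base; the DN of the entry found is what SSSD then binds as.
ldap_search_base = dc=mycompany,dc=net
ldap_user_search_base = cn=Users,dc=mycompany,dc=net
# change this if your user entries are not posixAccount objects
ldap_user_object_class = posixAccount
ldap_user_name = uid

# Do not pull the whole directory into the local cache; cache credentials
# so logins keep working if the directory is unreachable.
enumerate = false
cache_credentials = true
```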




On Wed, Jan 15, 2014 at 3:46 AM, Paolo Barbato <paolo.barbato at igi.cnr.it> wrote:

> Hi 389-users,
>
> I'm testing last released 389 dirsrv on a rhel 6.5.
>
> I've deployed a PAM passthrough, since I have a central repository for
> credentials, and it works.
>
> I'm wondering whether it's possible to use a simple username, or whether it's
> mandatory to use syntax like uid=myuser (or cn=..) as the bind DN.
>
> ldapsearch -v -LLL -Hldaps://my389 -b"dc=myDC" -D "uid=myUser" -W -x
> works
>
> ldapsearch -v -LLL -Hldaps://my389 -b"dc=myDC" -D "myUser" -W -x
> doesn't work
>
> ldap_bind: No such object (32)
>         additional info: Bind DN [myUser] is invalid or not found
>
> So the question is whether it would be possible to rewrite the bind DN in
> some way before the syntax check.
>
> Regards,
> Paolo.
>
>
> ------------------------------------------------------------------------------------------------
> Paolo Barbato
>
> Consorzio RFX
> corso Stati Uniti,4
>
> Network Administrator
> phone: +39 049 8295097 fax: +39 049 8700718
>
> ------------------------------------------------------------------------------------------------
>