[389-users] Only username as bind dn

Paolo Barbato paolo.barbato at igi.cnr.it
Mon Jan 20 07:34:11 UTC 2014 

Hi Nathan,

On 17/gen/2014, at 20:51, Nathan Kinder <nkinder at redhat.com> wrote:

> On 01/16/2014 07:13 AM, Paolo Barbato wrote:
>> 
>> On 16/gen/2014, at 15:52, Rich Megginson <rmeggins at redhat.com> wrote:
>> 
>>> On 01/16/2014 07:48 AM, Paolo Barbato wrote:
>>>> Hi Rich,
>>>> 
>>>> On 16/gen/2014, at 15:28, Rich Megginson <rmeggins at redhat.com> wrote:
>>>> 
>>>>> On 01/16/2014 12:56 AM, Paolo Barbato wrote:
>>>>>> Thanks for replies, I think I need to better describe what I'm testing.
>>>>>> 
>>>>>> As I said I've a central repository for credentials accessible via ldaps.
>>>>>> 
>>>>>> 389dirsvr stores some information, but before get them I need that a user authenticate on the central repository.
>>>>>> 
>>>>>> So I've activated and configured PAM Pass Through Authentication Plug-in, and following instructions creating a specific /etc/pam.d/ldapserver as well as /etc/pam_ldap.conf
>>>>>> 
>>>>>> This is working, I mean that if I type
>>>>>> 
>>>>>> ldapsearch -v -LLL -Hldaps://my389 -b"dc=myDC" -D "uid=myUser" -W -x
>>>>>> 
>>>>>> the PAM PTA strips myUser from binddn and use that as login username for PAM.
>>>>>> 
>>>>>> Let me just say that in production I'll use a different repository based on Active DIrectory, so probably I'll use SSSD, as you suggest.
>>>>>> 
>>>>>> The problem.
>>>>>> 
>>>>>> If I use a command like
>>>>>> 
>>>>>> ldapsearch -v -LLL -Hldaps://my389 -b"dc=myDC" -D "myUser" -W -x
>>>>>> 
>>>>>> it fails, since 389dirsrv makes a syntax check on binddn before pass stripped myUser value to PAM PTA
>>>>>> 
>>>>>> This is really trye since I do not any attempt on ldap central repository access logs.
>>>>>> 
>>>>>> Here my question : is it mandatory using as binddn (-D) a syntax like uid=myUser or cn=myUser, or is it possible to configure 389dirsrv to rewrite myUser in uid=myUser before process it ?
>>>>> No.  The argument to -D must be a DN.
>>>>> 
>>>> I suspect that, so you confirm that such a syntax control is performed by 389dirsrv .
>>> Yes.  You can disable syntax and DN syntax checking, but that is strongly discouraged.
>>>> 
>> ok !
>>>>> There are SASL mechanisms that take a username instead of a DN.
>>>>> 
>>>> Yes, I've tried that way using openldap and saslauthd, but also in that deployment I must always use uid=myUser as DN, since control syntax prevails.
>>> 
>>> There are SASL mechanisms that allow you to use a username and not a bind DN.  This should work with 389 and openldap and other directory servers that support those SASL mechanisms.  In that case, you do not use -D "bind=dn"
>>> 
>> 
>> I've to further investigate this way....
>> 
>>>> 
>>>> In my lab I use Stalker CGPro as mailer, that allow ldap bind, for example from thunderbird address book client, using only a username as bind dn.
>>> 
>>> I wonder if that is an AD-ism?  One of the many ways that AD violates LDAP is that it allows non-DNs to be used with -D.
>>> 
>> Oh yes could be really that. So that ldap server get the username from -D non-DN  without any particular check, and lookup for a match in the default subtree. Is that really so dangerous ? 
> 
> For thunderbird, I suspect the client side does an anonymous search for
> "uid=<username>" to find the full bind DN, which it then uses to perform
> the bind.
> 

from access and error log files it seems that bind is tried first, no anonymous lookup, and fails. I've used barbato as Bind DN in thunderbird ...same behavior if I try osx (10.9.1) Contacts app.

error.log 
[20/Jan/2014:08:27:44 +0100] pam_passthru-plugin - Bind DN [barbato] is invalid or not found
[20/Jan/2014:08:27:44 +0100] pam_passthru-plugin - <= handled (error 32 - No such object)

access.log[20/Jan/2014:08:27:44 +0100] conn=1 fd=64 slot=64 SSL connection from 150.178.3.7 to 192.168.60.23
[20/Jan/2014:08:27:44 +0100] conn=1 op=0 BIND dn="barbato" method=128 version=3
[20/Jan/2014:08:27:44 +0100] conn=1 op=0 RESULT err=32 tag=97 nentries=0 etime=0

So I thing Rich was right ...check syntax is tried first, and it's not possible rewrite bind dn before syntax check.

Regards,
Paolo.

>> 
>> Regards,
>> Paolo.
>> 
>>>> 
>>>> Regards,
>>>> Paolo.
>>>> 
>>>> 
>>>>>> 
>>>>>> Regards,
>>>>>> Paolo.
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> On 15/gen/2014, at 23:13, Dan Lavu <dan at lavu.net> wrote:
>>>>>> 
>>>>>>> Why are you using pam passthrough, what are you using as your authentication mechanism? SSSD has all commonly implemented authentication mechanisms.
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> On 01/15/2014 12:54 PM, Jonathan Vaughn wrote:
>>>>>>>> If you want to be able to map the simple username "myUser" to say, "uid=myUser,cn=Users,dc=mycompany,dc=net", you probably are best off using SSSD to handle that.
>>>>>>>> SSSD can be configured to know where to search and how to apply the supplied username to the search (i.e. to look for anything under cn=Users,dc=mycompany,dc=net where uid=[the supplied username]).
>>>>>>>> 
>>>>>>>> SSSD in turn provides a PAM module to talk to the SSSD daemon itself, which is where you can hook up your PAM passthrough authentication.
>>>>>>>> 
>>>>>>>> i.e., we use SSSD for SSO login to our Linux machines, and have the following lines (in addition to the usual stuff) in our pam.d/password-auth :
>>>>>>>> 
>>>>>>>> auth        sufficient    pam_sss.so use_first_pass
>>>>>>>> account     [default=bad success=ok user_unknown=ignore] pam_sss.so
>>>>>>>> password    sufficient    pam_sss.so use_authtok
>>>>>>>> session     optional      pam_sss.so
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> On Wed, Jan 15, 2014 at 3:46 AM, Paolo Barbato <paolo.barbato at igi.cnr.it> wrote:
>>>>>>>> Hi 389-users,
>>>>>>>> 
>>>>>>>> I'm testing last released 389 dirsrv on a rhel 6.5.
>>>>>>>> 
>>>>>>>> I've deployed a PAM passthrough, since I have a central repository for credentials, and it works.
>>>>>>>> 
>>>>>>>> I guess if it would be possible to use a simple username or it's mandatory use syntax like uid=myuser (or cn=..) as bind dn.
>>>>>>>> 
>>>>>>>> ldapsearch -v -LLL -Hldaps://my389 -b"dc=myDC" -D "uid=myUser" -W -x   works
>>>>>>>> 
>>>>>>>> ldapsearch -v -LLL -Hldaps://my389 -b"dc=myDC" -D "myUser" -W -x   doesn't work
>>>>>>>> 
>>>>>>>> ldap_bind: No such object (32)
>>>>>>>>        additional info: Bind DN [myUser] is invalid or not found
>>>>>>>> 
>>>>>>>> So the question is if would be possible rewrite in some way the bind dn before syntax check.
>>>>>>>> 
>>>>>>>> Regards,
>>>>>>>> Paolo.
>>>>>>>> 
>>>>>>>> ------------------------------------------------------------------------------------------------
>>>>>>>> Paolo Barbato
>>>>>>>> 
>>>>>>>> Consorzio RFX
>>>>>>>> corso Stati Uniti,4
>>>>>>>> 
>>>>>>>> Network Administrator
>>>>>>>> phone: +39 049 8295097 fax: +39 049 8700718
>>>>>>>> ------------------------------------------------------------------------------------------------
>>>>>>>> 
>>>>>>>> --
>>>>>>>> 389 users mailing list
>>>>>>>> 389-users at lists.fedoraproject.org
>>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> --
>>>>>>>> 389 users mailing list
>>>>>>>> 
>>>>>>>> 389-users at lists.fedoraproject.org
>>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>>>>>> --
>>>>>>> 389 users mailing list
>>>>>>> 389-users at lists.fedoraproject.org
>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>>>>> ------------------------------------------------------------------------------------------------
>>>>>> Paolo Barbato
>>>>>> 
>>>>>> Consorzio RFX
>>>>>> corso Stati Uniti,4
>>>>>> 35127 Padova - Italy                     	
>>>>>> Network Administrator
>>>>>> phone: +39 049 8295097 fax: +39 049 8700718
>>>>>> ------------------------------------------------------------------------------------------------
>>>>>> 
>>>>>> --
>>>>>> 389 users mailing list
>>>>>> 389-users at lists.fedoraproject.org
>>>>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>>>> --
>>>>> 389 users mailing list
>>>>> 389-users at lists.fedoraproject.org
>>>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>>> ------------------------------------------------------------------------------------------------
>>>> Paolo Barbato
>>>> 
>>>> Consorzio RFX
>>>> corso Stati Uniti,4
>>>> 35127 Padova - Italy                     	
>>>> Network Administrator
>>>> phone: +39 049 8295097 fax: +39 049 8700718
>>>> ------------------------------------------------------------------------------------------------
>>>> 
>>>> --
>>>> 389 users mailing list
>>>> 389-users at lists.fedoraproject.org
>>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>> 
>>> --
>>> 389 users mailing list
>>> 389-users at lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>> 
>> ------------------------------------------------------------------------------------------------
>> Paolo Barbato
>> 
>> Consorzio RFX
>> corso Stati Uniti,4                                  
>> 35127 Padova - Italy                     	                  
>> Network Administrator 
>> phone: +39 049 8295097 fax: +39 049 8700718
>> ------------------------------------------------------------------------------------------------
>> 
>> --
>> 389 users mailing list
>> 389-users at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>> 
> 
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users

------------------------------------------------------------------------------------------------
Paolo Barbato

Consorzio RFX
corso Stati Uniti,4                                  
35127 Padova - Italy                     	                  
Network Administrator 
phone: +39 049 8295097 fax: +39 049 8700718
------------------------------------------------------------------------------------------------

More information about the 389-users mailing list