Re: LDAP Auth: Require user to be in specified LDAP-group

2012-12-11 Thread Eric V. Smith
On 12/11/2012 11:11 AM, Guido Winkelmann wrote:
 Hi,
 
 I'm trying to integrate Jabberd2 into my single-account scheme using LDAP,
 and I'm running into problems with that.
 
 One of my requirements for this is that I need to be able to specify for
 every user exactly which services he or she is allowed to access, so that, for
 example, a user who only needs access to SMTP and IMAP services is not also
 automatically able to log in via SSH or FTP. For the services I have running
 so far, I was able to implement this by creating a new LDAP group (with
 objectClass: groupOfNames) for each service and having every service check
 whether a freshly authenticated user is a member of the respective group for
 this service before granting access.
 
 Unfortunately, jabberd2 does not appear to support this (or PAM, which would 
 have provided a nice workaround).
 
 Does anyone know of any other way to achieve this?

I use pam with jabberd2:
http://www.jabberdoc.org/section04_6.html

And in pam I require a specific group, and I'm using LDAP as the account
backend. Works like a charm.

Eric.

Re: LDAP Auth: Require user to be in specified LDAP-group

2012-12-11 Thread Tomasz Sterna
On 2012-12-11, Tue at 17:11 +0100, Guido Winkelmann wrote:
 For the services I have running so far, I was able to implement this
 by creating a new LDAP group (with objectClass: groupOfNames) for each
 service and having every service check whether a freshly authenticated
 user is a member of the respective group for this service before
 granting access. 

Quoting 
https://github.com/jabberd2/jabberd2/blob/master/etc/c2s.xml.dist.in#L634

  <!-- Alternatively to <uidattr/> and <append-realm/> you may
       specify full LDAP search <query/> that will be used to
       get user objects from directory.

       The following replacements take place:
       %u  is replaced by user login name
       %r  is replaced by user login realm

       When <query/> is specified, <uidattr/> and <append-realm/>
       are unused and take no effect. -->
  <!--
  <query>(&amp;(mail=%u@%r)(objectClass=inetOrgPerson))</query>
  -->

Isn't this what you are looking for?

Re: LDAP Auth: Require user to be in specified LDAP-group

2012-12-11 Thread Guido Winkelmann
On Tuesday, 11 December 2012, 11:43:49, Eric V. Smith wrote:
 On 12/11/2012 11:11 AM, Guido Winkelmann wrote:
  Hi,
  
  I'm trying to integrate Jabberd2 into my single-account scheme using LDAP,
  and I'm running into problems with that.
  
  One of my requirements for this is that I need to be able to specify for
  every user exactly which services he or she is allowed to access, so
  that, for example, a user who only needs access to SMTP and IMAP services
  is not also automatically able to log in via SSH or FTP. For the services
  I have running so far, I was able to implement this by creating a new
  LDAP group (with objectClass: groupOfNames) for each service and having
  every service check whether a freshly authenticated user is a member of
  the respective group for this service before granting access.
  
  Unfortunately, jabberd2 does not appear to support this (or PAM, which
  would have provided a nice workaround).
  
  Does anyone know of any other way to achieve this?
 
 I use pam with jabberd2:
 http://www.jabberdoc.org/section04_6.html
 
 And in pam I require a specific group, and I'm using LDAP as the account
 backend. Works like a charm.

Ah, so it does work! I was going by the example config file for c2s, which did 
not mention pam, so I thought it just wasn't supported...

Anyway, I've been reading authreg_ldapfull.c for a bit, and while I'm not very 
familiar with the code base yet, it looks like simply implementing the group 
check feature right there would not be that hard. I think I will try my luck 
with that, and if it doesn't work out go back to PAM.

Re: LDAP Auth: Require user to be in specified LDAP-group

2012-12-11 Thread Guido Winkelmann
On Tuesday, 11 December 2012, 18:12:42, Guido Winkelmann wrote:
 On Tuesday, 11 December 2012, 17:50:03, Tomasz Sterna wrote:
  On 2012-12-11, Tue at 17:11 +0100, Guido Winkelmann wrote:
   For the services I have running so far, I was able to implement this
   by creating a new LDAP group (with objectClass: groupOfNames) for each
   service and having every service check whether a freshly authenticated
   user is a member of the respective group for this service before
   granting access.
  
  Quoting
  https://github.com/jabberd2/jabberd2/blob/master/etc/c2s.xml.dist.in#L634
  
    <!-- Alternatively to <uidattr/> and <append-realm/> you may
         specify full LDAP search <query/> that will be used to
         get user objects from directory.

         The following replacements take place:
         %u  is replaced by user login name
         %r  is replaced by user login realm

         When <query/> is specified, <uidattr/> and <append-realm/>
         are unused and take no effect. -->
    <!--
    <query>(&amp;(mail=%u@%r)(objectClass=inetOrgPerson))</query>
    -->
  
  Isn't this what you are looking for?
 
 Hm, yes, but this is in that ldap-module (as opposed to ldapfull), which has
 its own problem: It does not allow me to specify the URI of the LDAP server
 as free form, so I cannot use the ldapi protocol. (The ldap server is
 running locally, listening on a unix socket, and I do not want to configure
 it to listen on any IP sockets.)

Also, I think using filters to check whether a given user is part of a given 
group only works with AD but not with OpenLDAP, because the latter puts group 
members as attributes into the group object in the form of member attributes, 
while the former puts group memberships into the user objects in the form of 
memberOf attributes.

Guido
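An added illustration (not code from the thread or from jabberd2) of the two points discussed above: the %u/%r substitution from the quoted c2s.xml comment, and the difference between checking group membership on the group object (OpenLDAP groupOfNames with member) versus on the user object (Active Directory memberOf). It runs against a constructed in-memory directory rather than a real LDAP server; the group DN, user entries and the per-service authorize() step are assumptions. Values substituted into a filter are escaped per RFC 4515, which the c2s.xml comment does not mention.

```python
import re

# RFC 4515 filter metacharacters; a login name or DN substituted into a filter
# must have these escaped or the filter's structure can be altered.
_FILTER_SPECIALS = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}

def escape_filter_value(value: str) -> str:
    """Escape a value for safe use inside an LDAP search filter."""
    return ''.join(_FILTER_SPECIALS.get(c, c) for c in value)

def build_user_query(template: str, user: str, realm: str) -> str:
    """Expand the %u / %r placeholders of a c2s.xml-style <query/>, escaping the substituted values."""
    subs = {'u': escape_filter_value(user), 'r': escape_filter_value(realm)}
    return re.sub(r'%([ur])', lambda m: subs[m.group(1)], template)

def group_member_filter(user_dn: str) -> str:
    """OpenLDAP groupOfNames: membership is recorded on the group, so search groups by 'member'."""
    return f'(&(objectClass=groupOfNames)(member={escape_filter_value(user_dn)}))'

def user_memberof_filter(user: str, realm: str, group_dn: str) -> str:
    """Active Directory style: membership is recorded on the user, so 'memberOf' can be filtered directly."""
    return (f'(&(mail={escape_filter_value(user)}@{escape_filter_value(realm)})'
            f'(memberOf={escape_filter_value(group_dn)}))')

# Constructed sample directory (DN -> attributes) in OpenLDAP style: only the
# group object knows who its members are; the user entries carry no memberOf.
JABBER_GROUP = 'cn=jabber,ou=groups,dc=example,dc=org'
DIRECTORY = {
    'uid=alice,ou=people,dc=example,dc=org': {'mail': ['alice@example.org']},
    'uid=bob,ou=people,dc=example,dc=org': {'mail': ['bob@example.org']},
    JABBER_GROUP: {'objectClass': ['groupOfNames'],
                   'member': ['uid=alice,ou=people,dc=example,dc=org']},
}

def find_user_dn(directory: dict, mail: str):
    """Resolve a login (mail address) to its DN; None if there is no such user."""
    return next((dn for dn, a in directory.items() if mail in a.get('mail', [])), None)

def is_member(directory: dict, user_dn: str, group_dn: str) -> bool:
    """Accept membership recorded on either side: group 'member' (OpenLDAP) or user 'memberOf' (AD)."""
    if user_dn in directory.get(group_dn, {}).get('member', []):
        return True
    return group_dn in directory.get(user_dn, {}).get('memberOf', [])

def authorize(directory: dict, mail: str, group_dn: str) -> bool:
    """Per-service check after authentication: grant access only if the user is in the service's group."""
    user_dn = find_user_dn(directory, mail)
    return user_dn is not None and is_member(directory, user_dn, group_dn)
```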