Re: [389-users] Only username as bind dn

Rich Megginson Thu, 16 Jan 2014 07:26:52 -0800

On 01/16/2014 08:13 AM, Paolo Barbato wrote:

On 16/gen/2014, at 15:52, Rich Megginson <[email protected]> wrote:

On 01/16/2014 07:48 AM, Paolo Barbato wrote:

Hi Rich,

On 16/gen/2014, at 15:28, Rich Megginson <[email protected]> wrote:

On 01/16/2014 12:56 AM, Paolo Barbato wrote:

Thanks for replies, I think I need to better describe what I'm testing.

As I said I've a central repository for credentials accessible via ldaps.

389dirsvr stores some information, but before get them I need that a user 
authenticate on the central repository.

So I've activated and configured PAM Pass Through Authentication Plug-in, and 
following instructions creating a specific /etc/pam.d/ldapserver as well as 
/etc/pam_ldap.conf

This is working, I mean that if I type

ldapsearch -v -LLL -Hldaps://my389 -b"dc=myDC" -D "uid=myUser" -W -x

the PAM PTA strips myUser from binddn and use that as login username for PAM.

Let me just say that in production I'll use a different repository based on 
Active DIrectory, so probably I'll use SSSD, as you suggest.

The problem.

If I use a command like

ldapsearch -v -LLL -Hldaps://my389 -b"dc=myDC" -D "myUser" -W -x

it fails, since 389dirsrv makes a syntax check on binddn before pass stripped 
myUser value to PAM PTA

This is really trye since I do not any attempt on ldap central repository 
access logs.

Here my question : is it mandatory using as binddn (-D) a syntax like 
uid=myUser or cn=myUser, or is it possible to configure 389dirsrv to rewrite 
myUser in uid=myUser before process it ?

No.  The argument to -D must be a DN.

I suspect that, so you confirm that such a syntax control is performed by 
389dirsrv .

Yes.  You can disable syntax and DN syntax checking, but that is strongly 
discouraged.

ok !

There are SASL mechanisms that take a username instead of a DN.

Yes, I've tried that way using openldap and saslauthd, but also in that 
deployment I must always use uid=myUser as DN, since control syntax prevails.

There are SASL mechanisms that allow you to use a username and not a bind DN.  This 
should work with 389 and openldap and other directory servers that support those SASL 
mechanisms.  In that case, you do not use -D "bind=dn"

I've to further investigate this way....

In my lab I use Stalker CGPro as mailer, that allow ldap bind, for example from 
thunderbird address book client, using only a username as bind dn.

I wonder if that is an AD-ism?  One of the many ways that AD violates LDAP is 
that it allows non-DNs to be used with -D.

Oh yes could be really that. So that ldap server get the username from -D 
non-DN  without any particular check, and lookup for a match in the default 
subtree. Is that really so dangerous ?

It is dangerous to violate standards, yes, if interoperability andconsistency is important.


Regards,
Paolo.

Regards,
Paolo.

Regards,
Paolo.



On 15/gen/2014, at 23:13, Dan Lavu <[email protected]> wrote:

Why are you using pam passthrough, what are you using as your authentication 
mechanism? SSSD has all commonly implemented authentication mechanisms.



On 01/15/2014 12:54 PM, Jonathan Vaughn wrote:

If you want to be able to map the simple username "myUser" to say, 
"uid=myUser,cn=Users,dc=mycompany,dc=net", you probably are best off using SSSD to handle 
that.
SSSD can be configured to know where to search and how to apply the supplied 
username to the search (i.e. to look for anything under 
cn=Users,dc=mycompany,dc=net where uid=[the supplied username]).

SSSD in turn provides a PAM module to talk to the SSSD daemon itself, which is 
where you can hook up your PAM passthrough authentication.

i.e., we use SSSD for SSO login to our Linux machines, and have the following 
lines (in addition to the usual stuff) in our pam.d/password-auth :

auth        sufficient    pam_sss.so use_first_pass
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
password    sufficient    pam_sss.so use_authtok
session     optional      pam_sss.so




On Wed, Jan 15, 2014 at 3:46 AM, Paolo Barbato <[email protected]> wrote:
Hi 389-users,

I'm testing last released 389 dirsrv on a rhel 6.5.

I've deployed a PAM passthrough, since I have a central repository for 
credentials, and it works.

I guess if it would be possible to use a simple username or it's mandatory use 
syntax like uid=myuser (or cn=..) as bind dn.

ldapsearch -v -LLL -Hldaps://my389 -b"dc=myDC" -D "uid=myUser" -W -x   works

ldapsearch -v -LLL -Hldaps://my389 -b"dc=myDC" -D "myUser" -W -x   doesn't work

ldap_bind: No such object (32)
         additional info: Bind DN [myUser] is invalid or not found

So the question is if would be possible rewrite in some way the bind dn before 
syntax check.

Regards,
Paolo.

------------------------------------------------------------------------------------------------
Paolo Barbato

Consorzio RFX
corso Stati Uniti,4

Network Administrator
phone: +39 049 8295097 fax: +39 049 8700718
------------------------------------------------------------------------------------------------

--
389 users mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/389-users



--
389 users mailing list

[email protected]
https://admin.fedoraproject.org/mailman/listinfo/389-users

--
389 users mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/389-users

------------------------------------------------------------------------------------------------
Paolo Barbato

Consorzio RFX
corso Stati Uniti,4
35127 Padova - Italy                            
Network Administrator
phone: +39 049 8295097 fax: +39 049 8700718
------------------------------------------------------------------------------------------------

--
389 users mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/389-users

--
389 users mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/389-users

------------------------------------------------------------------------------------------------
Paolo Barbato

Consorzio RFX
corso Stati Uniti,4
35127 Padova - Italy                            
Network Administrator
phone: +39 049 8295097 fax: +39 049 8700718
------------------------------------------------------------------------------------------------

--
389 users mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/389-users

--
389 users mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/389-users

------------------------------------------------------------------------------------------------
Paolo Barbato

Consorzio RFX
corso Stati Uniti,4
35127 Padova - Italy                            
Network Administrator
phone: +39 049 8295097 fax: +39 049 8700718
------------------------------------------------------------------------------------------------

--
389 users mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/389-users


--
389 users mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/389-users

Re: [389-users] Only username as bind dn

Reply via email to