Re: Second password for SVN users
This is sometimes done with email accounts as well, since clear-text
POP3 and IMAPv4 are often used without SSL encryption. So you don't want
people using their domain or SSH logins over POP3 at a coffee shop.
Generally, you would solve this with a second, service-specific account.
Let's say you have an account container like so:
ou=Users,ou=Accounts,<suffix>
Under ou=Users, you have your typical inetOrgPerson/posixAccount entries
which are used for UNIX authentication and whatever else.
If you feel that these accounts may be exposed to some danger by
services such as SVN, then you would create another container:
ou=SVN-Users,ou=Accounts,<suffix>
And define those user entries differently:
dn: uid=dustin,ou=SVN-Users,ou=Accounts,<suffix>
objectClass: ...
objectClass: posixAccount
objectClass: secondaryPosixAccount
uid: dustin
userPassword: blah
And to find them your SVN would use a filter such as:
(&(objectClass=secondaryPosixAccount)(uid=dustin))
You have some risk here because services, like pam_ldap, may reject
logins if you don't configure them properly since they may do a simple
filter like so:
(&(objectClass=posixAccount)(uid=dustin))
This will return two entries, so you won't authn. In that case you can
tweak your AUX secondaryPosixAccount objectClass so that this stops
being an issue:
dn: svnUid=dustin,ou=SVN-Users,ou=Accounts,<suffix>
objectClass: ...
objectClass: posixAccount
objectClass: secondaryPosixAccount
svnUid: dustin
userPassword: blah
That way the only filter that will return this entry would be:
(&(objectClass=secondaryPosixAccount)(svnUid=dustin))
pam_ldap and others won't die because:
(&(objectClass=posixAccount)(uid=dustin))
Would never return this entry.
Hmm, thinking on this further, if you were to extend posixAccount like
this you would still have the problem that uid is required, so you have
to either a) use another objectClass to extend like
simpleSecurityObject, or b) build your uid for secondaryPosixAccount in
a way that breaks the match, like so:
dn: svnUid=dustin,ou=SVN-Users,ou=Accounts,<suffix>
objectClass: ...
objectClass: posixAccount
objectClass: secondaryPosixAccount
uid: dustin-secondaryPosixAccount
svnUid: dustin
userPassword: blah
Option (a) is cleaner, but you could do (b). Regardless, this route
probably provides the most viable solution for you.
Keep in mind that you now need to provision TWO accounts, one as the
primary and one for SVN only. Assuming you have an IAM solution in place
(even if it's homebrewed), this should be a no-brainer. (Yes, we do IAM.)
I hope this helps. :)
--
Dustin Puryear
President and Sr. Consultant
Puryear Information Technology, LLC
225-706-8414 x112
http://www.puryear-it.com
Author, "Best Practices for Managing Linux and UNIX Servers"
http://www.puryear-it.com/pubs/linux-unix-best-practices/
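An added example, not taken from Dustin's mail or any project: an OpenLDAP cn=config schema for his option (a), followed by the matching SVN-only entry. It assumes the OID arc 1.3.6.1.4.1.99999 as a placeholder for your own enterprise arc and reuses the <suffix> placeholder from the mail; unlike the AUX class sketched above, secondaryPosixAccount is defined STRUCTURAL here so the entry needs no other class that would force a mandatory uid back in.

```ldif
# Added example (not from the thread). Schema for a service-only account class,
# loaded into OpenLDAP's cn=config. Assumptions: the OID arc 1.3.6.1.4.1.99999
# is a PLACEHOLDER you must replace with your own enterprise arc; <suffix> is
# your directory suffix, as in the mail above.
dn: cn=svn-accounts,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: svn-accounts
olcAttributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'svnUid'
  DESC 'Login name used only by SVN; deliberately not uid'
  EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcObjectClasses: ( 1.3.6.1.4.1.99999.2.1 NAME 'secondaryPosixAccount'
  DESC 'Service-only account: carries its own password and no uid'
  SUP top STRUCTURAL
  MUST ( svnUid $ userPassword )
  MAY ( description ) )

# The SVN-only entry. It carries no uid attribute at all, so the pam_ldap
# filter (&(objectClass=posixAccount)(uid=dustin)) can never match it, while
# (&(objectClass=secondaryPosixAccount)(svnUid=dustin)) matches exactly one
# entry. The primary UNIX account keeps its own, unrelated password.
dn: svnUid=dustin,ou=SVN-Users,ou=Accounts,<suffix>
objectClass: secondaryPosixAccount
svnUid: dustin
# Store a hashed value (output of: slappasswd -h {SSHA}), never the clear text.
userPassword: {SSHA}REPLACE-WITH-OUTPUT-OF-slappasswd
description: SVN-only credential for uid=dustin,ou=Users,ou=Accounts,<suffix>
```

On the Apache side, mod_authnz_ldap's AuthLDAPURL "ldap://ldaphost/ou=SVN-Users,ou=Accounts,<suffix>?svnUid?one?(objectClass=secondaryPosixAccount)" makes SVN look up users by svnUid under that container only, so a leaked SVN password unlocks nothing under ou=Users.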
Sébastien Barthélemy wrote:
Hello everybody,
I'm wondering if it is possible for a user to have multiple passwords
stored in ldap.
For instance, I store accounts for my users in ldap and want
them to access
- unix servers using ssh
- svn repositories (using apache/webdav)
For unix servers and ssh, no problem, one could bind ldap with pam and
this use case is well documented.
Apache (and thus svn) also can be bound to pam. However, many svn clients
store the user password in clear in some text file, which is a serious security
risk for my unix server. Thus I would prefer to have a separate password
for svn.
Is it possible in a standard way? (How) can I store an additional password in my
ldap schema?
Is such use case documented somewhere ?
Thanks a lot for any help,
Sebastien Barthelemy.
PS: I'm a beginner here, all I know about ldap is the book LDAP system
administration, so please excuse me if my question is naive, and don't
hesitate to redirect me to the good documentation.
--
Sébastien Barthélemy
--- You are currently subscribed to [EMAIL PROTECTED] as:
[EMAIL PROTECTED] To unsubscribe send email to
[EMAIL PROTECTED] with the word UNSUBSCRIBE as the SUBJECT of the
message.