Re: Second password for SVN users

This is sometimes done with email accounts as well, since clear-text POP3 and IMAPv4 are often used without SSL encryption. So you don't want people using their domain or SSH logins over POP3 at a coffee shop.

Generally, you would solve this with a second, service-specific account. Let's say you have an account container like so:

ou=Users,ou=Accounts,<suffix>

Under ou=Users, you have your typical inetOrgPerson/posixAccount entries which are used for UNIX authentication and whatever else.

If you feel that these accounts may be exposed to some danger by services such as SVN, then you would create another container:

ou=SVN-Users,ou=Accounts,<suffix>

And define those user entries differently:

dn: uid=dustin,ou=SVN-Users,ou=Accounts,<suffix>
objectClass: ...
objectClass: posixAccount
objectClass: secondaryPosixAccount
uid: dustin
userPassword: blah

And to find them your SVN would use a filter such as:

(&(objectClass=secondaryPosixAccount)(uid=dustin))

You have some risk here because services, like pam_ldap, may reject logins if you don't configure them properly since they may do a simple filter like so:

(&(objectClass=posixAccount)(uid=dustin))

This will return two entries, so you won't authn. In that case you can tweak your AUX secondaryPosixAccount objectClass so that this stops being an issue:

dn: svnUid=dustin,ou=SVN-Users,ou=Accounts,<suffix>
objectClass: ...
objectClass: posixAccount
objectClass: secondaryPosixAccount
svnUid: dustin
userPassword: blah

That way the only filter that will return this entry would be:

(&(objectClass=secondaryPosixAccount)(svnUid=dustin))

pam_ldap and others won't die because:

(&(objectClass=posixAccount)(uid=dustin))

would never return this entry.

Hmm, thinking on this further, if you were to extend posixAccount like this you would still have the problem that uid is required, so you have to either a) use another objectClass to extend like simpleSecurityObject, or b) build your uid for secondaryPosixAccount in a way that breaks the match, like so:

dn: svnUid=dustin,ou=SVN-Users,ou=Accounts,<suffix>
objectClass: ...
objectClass: posixAccount
objectClass: secondaryPosixAccount
uid: dustin-secondaryPosixAccount
svnUid: dustin
userPassword: blah

Option (a) is cleaner, but you could do (b). Regardless, this route probably provides the most viable solution for you.

Keep in mind that you now need to provision TWO accounts, one as the primary and one for SVN only. Assuming you have an IAM solution in place (even if it's homebrewed), this should be a no-brainer. (Yes, we do IAM.)

I hope this helps. :)

--
Dustin Puryear
President and Sr. Consultant
Puryear Information Technology, LLC
225-706-8414 x112
http://www.puryear-it.com

Author, "Best Practices for Managing Linux and UNIX Servers"
  http://www.puryear-it.com/pubs/linux-unix-best-practices/
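As an added example (not part of Dustin's message), here is one way to express option (a) as an OpenLDAP cn=config schema fragment plus a matching entry: secondaryPosixAccount extends simpleSecurityObject rather than posixAccount, so no uid is required and the plain pam_ldap filter cannot match the entry. The OID arc 1.3.6.1.4.1.99999, the suffix dc=example,dc=com and the hashed password value are placeholders.

```ldif
# Schema fragment for OpenLDAP cn=config (placeholder OID arc 1.3.6.1.4.1.99999).
# Load it with: ldapadd -Y EXTERNAL -H ldapi:/// -f this-file.ldif
# secondaryPosixAccount inherits simpleSecurityObject (MUST userPassword),
# not posixAccount, so an entry carrying it needs svnUid but never uid.
dn: cn=svnaccount,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: svnaccount
olcAttributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'svnUid'
  DESC 'Login name used only for the SVN service'
  EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcObjectClasses: ( 1.3.6.1.4.1.99999.1.2 NAME 'secondaryPosixAccount'
  DESC 'Service-specific credential that does not inherit posixAccount'
  SUP simpleSecurityObject AUXILIARY
  MUST svnUid )

# Sample entry for the SVN-only container (assumed suffix dc=example,dc=com).
# inetOrgPerson supplies the structural class; uid is only MAY there, so it
# is simply left out, and (&(objectClass=posixAccount)(uid=dustin)) never
# matches this entry while (&(objectClass=secondaryPosixAccount)(svnUid=dustin)) does.
dn: svnUid=dustin,ou=SVN-Users,ou=Accounts,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: secondaryPosixAccount
cn: Dustin Puryear
sn: Puryear
svnUid: dustin
userPassword: {SSHA}REPLACE-WITH-SLAPPASSWD-OUTPUT
```

Apache's mod_authnz_ldap can then be pointed at that container with the filter above, e.g. `AuthLDAPURL "ldap://ldap.example.com/ou=SVN-Users,ou=Accounts,dc=example,dc=com?svnUid?one?(objectClass=secondaryPosixAccount)"` (host assumed); the module ANDs the svnUid=username match onto that filter itself.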


Sébastien Barthélemy wrote:

Hello everybody,

I'm wondering if it is possible for a user to have multiple passwords stored in LDAP.

For instance, I store accounts for my users in LDAP and want them to access
 - unix servers using ssh
 - svn repositories (using apache/webdav)

For unix servers and ssh, no problem, one could bind ldap with pam and this use case is well documented.

Apache (and thus svn) can also be bound to pam. However, many svn clients store the user's password in clear text in some text file, which is a serious security risk for my unix servers. Thus I would prefer to have a separate password for svn.


Is it possible in a standard way? (How) can I store an additional one in my LDAP schema?

Is such a use case documented somewhere?


Thanks a lot for any help,

Sebastien Barthelemy.

PS: I'm a beginner here, all I know about ldap is the book LDAP system
administration, so please excuse me if my question is naive, and don't
hesitate to redirect me to the good documentation.

--
Sébastien Barthélemy

--- You are currently subscribed to [EMAIL PROTECTED] as: [EMAIL PROTECTED] To unsubscribe send email to [EMAIL PROTECTED] with the word UNSUBSCRIBE as the SUBJECT of the message.
