From: Chris Berger<ch_ri...@bigfoot.com>
Date: Thu, 6 Aug 2009 14:57:46 +0200

> Hi,
>
> I have a question regarding LDAP structure and multiple cn values in entries.
> My context: the directory is used by pam_ldap and freeradius for
> authentication on computers and network components.
>
> The LDAP directory contains entries like the example below. The
> important thing is the multiple cn:
>
> dn: cn=testHost,ou=hosts,dc=company,dc=net
> cn: testHost
> cn: 10.0.0.252
> uniqueMember: uid=MyUser,uid=test01,ou=users,dc=company,dc=net
> objectClass: top
> objectClass: groupOfUniqueNames
> objectClass: extensibleObject
> associatedDomain: exploitation
>
> but pam_ldap is configured to search for a member in a directory entry
> with the following request on the host 10.0.0.252:
>
> pam_member_attribute    uniqueMember
> pam_groupdn             cn=10.0.0.252,ou=hosts,dc=company,dc=net
>
> And it doesn't work. Apparently it looks for the cn in the dn and does
> not find the entry by the secondary cn.
> Is this the normal way of working?

Only one value of a particular attribute may be the "distinguished value" which is used to name an entry.

> I thought a cn inside an entry would work with either of these requests:
>
> cn=testHost,ou=hosts,dc=company,dc=net
> or
> cn=10.0.0.252,ou=hosts,dc=company,dc=net

No, that's not how entry naming works.

> Is there a solution to make it work like that?
>
> Maybe by adding an alias from one dn to the other, but that is extra
> processing/constraints on the directory.
> In this case, I think I need alias dereferencing?

Yes, an alias would work here. In a decent directory one extra dereference shouldn't cost too much.

pam_ldap is fairly primitive in its support for authorization, and it also puts the authorization control in the wrong part of the administrative model. In OpenLDAP's nssov overlay (which implements both PAM and NSS) you can use the authorizedService attribute in a host entry to list what services can be used, and use the slapd ACL engine to control access (based on users, groups, sets, and everything else the ACL engine supports). See this example

http://www.openldap.org/lists/openldap-technical/200905/msg00108.html

These features are available in OpenLDAP 2.4.17 and newer. I will also be covering them in more depth in my Unified Authentication presentation at LDAPCon. (plug, plug)

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
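
To make the distinction concrete, here is a small Python model of the behaviour discussed above: an entry is reachable by name only through its distinguished value, a secondary cn value is found only by a filter search, and an alias entry under the second name resolves to the original entry only when the client asks for dereferencing. This is an added example written for this page, not pam_ldap or OpenLDAP code; the `Entry`/`Directory` classes, `build_directory` and `pam_groupdn_allows` are constructed for illustration, the directory data is the entry from the question plus a hypothetical alias entry, and the user DN is the one from the question.

```python
# Toy model of LDAP naming, attribute matching and alias dereferencing.
# Added, constructed example: not pam_ldap, nss_ldap or slapd code.
from dataclasses import dataclass
from typing import Dict, List, Optional

# The user DN from the question (constructed sample data).
USER = "uid=MyUser,uid=test01,ou=users,dc=company,dc=net"


def norm_dn(dn: str) -> str:
    """Normalise a DN for comparison: lower-case, tolerate stray whitespace."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, val = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={val.strip().lower()}")
    return ",".join(rdns)


@dataclass
class Entry:
    dn: str
    attrs: Dict[str, List[str]]

    def __post_init__(self) -> None:
        self.attrs = {k.lower(): v for k, v in self.attrs.items()}

    def has(self, attr: str, value: str) -> bool:
        """Case-insensitive equality match, sufficient for cn/uniqueMember here."""
        return value.lower() in [v.lower() for v in self.attrs.get(attr.lower(), [])]

    @property
    def is_alias(self) -> bool:
        return self.has("objectClass", "alias")


class Directory:
    """In-memory DIT keyed by normalised DN (hypothetical helper class)."""

    def __init__(self, entries: List[Entry]):
        self.by_dn = {norm_dn(e.dn): e for e in entries}

    def lookup(self, dn: str, deref: bool = False, hops: int = 0) -> Optional[Entry]:
        """Return the entry *named* by dn. Only the distinguished value of the
        RDN takes part; a second cn value inside the entry is never consulted."""
        e = self.by_dn.get(norm_dn(dn))
        if e is None or not (deref and e.is_alias):
            return e
        if hops > 4:  # servers bound alias chains; treat a long chain as a loop
            return None
        return self.lookup(e.attrs["aliasedobjectname"][0], deref, hops + 1)

    def search(self, base: str, scope: str, attr: Optional[str] = None,
               value: Optional[str] = None, deref: str = "never") -> List[Entry]:
        """scope: 'base' or 'sub'. deref: 'never', or 'finding' to dereference
        an alias used as the base object (as derefAliases=finding/always would)."""
        base_entry = self.lookup(base, deref == "finding")
        if base_entry is None:
            return []  # a real server answers noSuchObject here
        if scope == "base":
            candidates = [base_entry]
        else:
            nb = norm_dn(base_entry.dn)
            candidates = [e for e in self.by_dn.values()
                          if norm_dn(e.dn) == nb or norm_dn(e.dn).endswith("," + nb)]
        if attr is None or value is None:
            return candidates
        return [e for e in candidates if e.has(attr, value)]


def build_directory(with_alias: bool) -> Directory:
    """The host entry from the question, optionally plus a hypothetical alias
    entry that gives the secondary cn its own name in the tree."""
    entries = [
        Entry("dc=company,dc=net", {"objectClass": ["domain"]}),
        Entry("ou=hosts,dc=company,dc=net", {"objectClass": ["organizationalUnit"]}),
        Entry("cn=testHost,ou=hosts,dc=company,dc=net", {
            "cn": ["testHost", "10.0.0.252"],
            "uniqueMember": [USER],
            "objectClass": ["top", "groupOfUniqueNames", "extensibleObject"],
            "associatedDomain": ["exploitation"],
        }),
    ]
    if with_alias:
        entries.append(Entry("cn=10.0.0.252,ou=hosts,dc=company,dc=net", {
            "cn": ["10.0.0.252"],
            "objectClass": ["alias", "extensibleObject"],
            "aliasedObjectName": ["cn=testHost,ou=hosts,dc=company,dc=net"],
        }))
    return Directory(entries)


def pam_groupdn_allows(d: Directory, groupdn: str, member_attr: str,
                       user_dn: str, deref: str = "never") -> bool:
    """Model of the pam_groupdn check: the member attribute is tested on the one
    entry named by pam_groupdn (base scope), so that entry must exist under
    exactly that name, whatever other cn values it carries."""
    return bool(d.search(groupdn, "base", member_attr, user_dn, deref))


if __name__ == "__main__":
    groupdn = "cn=10.0.0.252,ou=hosts,dc=company,dc=net"
    plain = build_directory(with_alias=False)
    print("primary name  :", pam_groupdn_allows(plain, "cn=testHost,ou=hosts,dc=company,dc=net", "uniqueMember", USER))
    print("secondary cn  :", pam_groupdn_allows(plain, groupdn, "uniqueMember", USER))
    print("filter search :", [e.dn for e in plain.search("ou=hosts,dc=company,dc=net", "sub", "cn", "10.0.0.252")])
    aliased = build_directory(with_alias=True)
    print("alias, noderef:", pam_groupdn_allows(aliased, groupdn, "uniqueMember", USER))
    print("alias, deref  :", pam_groupdn_allows(aliased, groupdn, "uniqueMember", USER, deref="finding"))
```

The last two lines are the practical caveat: adding the alias entry alone changes nothing, because the alias itself carries no uniqueMember. The client has to request dereferencing of the base object (derefAliases finding or always in the LDAP operation), and whether pam_ldap can be configured to do so on a given platform is something to verify rather than assume.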
