Realize that pam_groupdn basically means:

basedn: cn=testHost,ou=hosts,dc=company,dc=net
scope: base
filter: (uniqueMember=uid=MyUser,*)
I think you're making this more difficult than it really is. :) If memory serves, pam_ldap also lets you search based on an attribute assigned to a user (correct me if I'm wrong--I haven't used pam_ldap in a long time since we are a VAR for Centrify, which makes this a lot easier). Anyway, if this is the case, then it's something like:

pam_search_attribute serverAccess

(I made that keyword up, but you get the idea.)

dn: uid=user,...
serverAccess: testHost

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Chris Berger
Sent: Thursday, August 06, 2009 9:26 AM
To: Dustin Puryear
Cc: [email protected]
Subject: Re: [ldap] Re: multiple cn

Hi Dustin,

Thanks for your answer. In fact, it may be the solution I'll choose, but I'd like to understand and find a solution which allows searching in the cn attributes of an entry. In fact, I would like both to work together :)
Is there no solution to search in attributes? I may go higher in the base dn "ou=hosts,dc=company,dc=net" and search for an entry with cn=<hostname or IP> and uniqueMember=<uid of person>? Using this with pam_ldap will be more complex, but I'll see that later...

I did test this with ldapsearch:
base dn "ou=hosts,dc=cirra,dc=net"
filter "(&(objectClass=groupofUniqueNames)(cn=testHost)(uniqueMember=uid=MyUser))"
but it doesn't work, I have to use the complete path of the user to get a result (uid=MyUser,uid=test01,ou=users,dc=company,dc=net) and that will not work with pam_ldap I think, paths/groups may be different from one user to another.

I wonder if ldap supports searching in attributes?

Thanks
Chris

On Thu, Aug 6, 2009 at 3:48 PM, Dustin Puryear<[email protected]> wrote:
> Hi Chris!
>
> You are confusing the DN with attributes. The DN is the unique name of
> the entry, and in this case is:
>
> cn=testHost,ou=hosts,dc=company,dc=net.
>
> No matter what attributes you have in the entry, the DN will not change.
> Just like your name is "Chris Berger", even if you change your socks and
> wear a different shirt for the day. Your name is still "Chris Berger".
> The same with the DN of an entry.
>
> To put it another way: You said "The important thing is the multiple cn."
> In fact, that sentence should be "The irrelevant thing is the multiple
> cn."
>
> So, change:
>
> pam_groupdn cn=10.0.0.252,ou=hosts,dc=company,dc=net
>
> To:
>
> pam_groupdn cn=testHost,ou=hosts,dc=company,dc=net
>
> That should resolve the issue for you.
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Chris
> Berger
> Sent: Thursday, August 06, 2009 7:58 AM
> To: [email protected]
> Subject: [ldap] Re: multiple cn
>
> Hi,
>
> I have a question regarding LDAP structure and multiple cn of entries.
> My context: the directory is used by pam_ldap and freeradius for
> authentication on computers and network components.
>
> The LDAP directory contains entries like the example below. The
> important thing is the multiple cn:
>
> dn: cn=testHost,ou=hosts,dc=company,dc=net
> cn: testHost
> cn: 10.0.0.252
> uniqueMember: uid=MyUser,uid=test01,ou=users,dc=company,dc=net
> objectClass: top
> objectClass: groupOfUniqueNames
> objectClass: extensibleObject
> associatedDomain: exploitation
>
> but pam_ldap is configured to search a member in a directory entry
> with the following request on the host 10.0.0.252:
>
> pam_member_attribute uniqueMember
> pam_groupdn cn=10.0.0.252,ou=hosts,dc=company,dc=net
>
> And it doesn't work. Apparently it searches the cn in the dn and does
> not find on the criteria of the secondary cn.
> Is it a normal way of working?
> I thought a cn inside an entry would work either with requests like:
>
> cn=testHost,ou=hosts,dc=company,dc=net
> or
> cn=10.0.0.252,ou=hosts,dc=company,dc=net
>
> Is there a solution to make it work like that?
> Maybe by adding an alias from one to the other dn, but it's extra
> processing/constraints on the directory.
> In this case, I think I need alias dereferencing?
>
> Thanks for your help
>
>
> Chris
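The two points the thread turns on, that a base-scope read of `pam_groupdn` goes by the entry's DN and never by its other `cn` values, and that a `uniqueMember` equality match needs the user's full DN (as Chris saw with `ldapsearch`), are modelled below in an added Python example. This is not code from the thread, from pam_ldap or from any LDAP library: the LDIF is the entry Chris posted, while the tiny LDIF reader, the simplified DN normalization, and the function names `pam_groupdn_allows` and `hosts_granting_access` are this example's own constructions. The way `pam_groupdn`/`pam_member_attribute` is modelled (read one entry, check the member attribute for the user's DN) is an assumption about pam_ldap's behaviour consistent with the thread, not taken from its source.

```python
"""Added example: why `pam_groupdn cn=10.0.0.252,...` fails while
`pam_groupdn cn=testHost,...` works, and why a bare `uid=MyUser` never
matches a uniqueMember value.  Pure-Python model of the lookups; the LDIF
below is the entry posted in the thread, everything else is constructed."""

# Constructed sample data: the entry from the thread, verbatim.
SAMPLE_LDIF = """\
dn: cn=testHost,ou=hosts,dc=company,dc=net
cn: testHost
cn: 10.0.0.252
uniqueMember: uid=MyUser,uid=test01,ou=users,dc=company,dc=net
objectClass: top
objectClass: groupOfUniqueNames
objectClass: extensibleObject
associatedDomain: exploitation
"""

USER_DN = "uid=MyUser,uid=test01,ou=users,dc=company,dc=net"
HOSTS_BASE = "ou=hosts,dc=company,dc=net"


def parse_ldif(text):
    """Minimal LDIF reader (no line folding, no base64, no changetypes).
    Returns a list of entries; each entry maps lower-cased attribute names
    to the list of their values, with the DN under the key 'dn'."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:                      # a blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def normalize_dn(dn):
    """Approximation of distinguishedNameMatch: case-insensitive, whitespace
    around RDN separators ignored.  Enough for the DNs in this thread; a real
    server also normalizes attribute types and escaped characters."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def has_value(entry, attr, value, dn_syntax=False):
    """Equality match on one attribute.  With dn_syntax=True the comparison is
    whole-DN, so a partial DN such as 'uid=MyUser' never equals a stored
    member DN; that is the behaviour Chris observed with ldapsearch."""
    values = entry.get(attr.lower(), [])
    if dn_syntax:
        return any(normalize_dn(v) == normalize_dn(value) for v in values)
    return any(v.lower() == value.lower() for v in values)


def search(entries, base, scope, predicate):
    """LDAP-style search: scope 'base' returns only the entry whose DN equals
    base; scope 'sub' returns base and everything under it.  Scoping compares
    whole DNs, so a secondary cn value is never consulted here."""
    base_n = normalize_dn(base)
    hits = []
    for entry in entries:
        dn_n = normalize_dn(entry["dn"][0])
        if scope == "base":
            in_scope = dn_n == base_n
        else:
            in_scope = dn_n == base_n or dn_n.endswith("," + base_n)
        if in_scope and predicate(entry):
            hits.append(entry["dn"][0])
    return hits


def pam_groupdn_allows(entries, groupdn, member_attr, user_dn):
    """Assumed model of pam_groupdn + pam_member_attribute: read the single
    entry named by groupdn (base scope) and check member_attr for the user's
    full DN.  Returns True when the user is a member of that entry."""
    return bool(search(entries, groupdn, "base",
                       lambda e: has_value(e, member_attr, user_dn, dn_syntax=True)))


def hosts_granting_access(entries, base, host_cn, user_dn):
    """The alternative Chris asked about: a subtree search under ou=hosts for a
    groupOfUniqueNames whose cn (any of its values) is the host and whose
    uniqueMember holds the user's full DN.  Returns the matching DNs."""
    def matches(e):
        classes = [c.lower() for c in e.get("objectclass", [])]
        return ("groupofuniquenames" in classes
                and has_value(e, "cn", host_cn)
                and has_value(e, "uniqueMember", user_dn, dn_syntax=True))
    return search(entries, base, "sub", matches)


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for groupdn in ("cn=10.0.0.252," + HOSTS_BASE, "cn=testHost," + HOSTS_BASE):
        print(groupdn, "->", pam_groupdn_allows(entries, groupdn, "uniqueMember", USER_DN))
    print(hosts_granting_access(entries, HOSTS_BASE, "10.0.0.252", USER_DN))
    print(hosts_granting_access(entries, HOSTS_BASE, "10.0.0.252", "uid=MyUser"))
```

Run stand-alone, the base-scope check fails for `cn=10.0.0.252,...` and succeeds for `cn=testHost,...`, while the subtree search finds the entry by either `cn` value but only when the full member DN is supplied. In a live directory the filter for the subtree variant would be `(&(objectClass=groupOfUniqueNames)(cn=10.0.0.252)(uniqueMember=<full user DN>))`, so a caller still has to know the user's complete DN first.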
