Re: LDAP Auth: Require user to be in specified LDAP-group

2012-12-11 Thread Guido Winkelmann
On Tuesday, 11 December 2012, 18:12:42, Guido Winkelmann wrote:
> On Tuesday, 11 December 2012, 17:50:03, Tomasz Sterna wrote:
> > On 2012-12-11, Tue at 17:11 +0100, Guido Winkelmann wrote:
> > > For the services I have running so far, I was able to implement this
> > > by creating a new LDAP group (with objectClass: groupOfNames) for each
> > > service and having every service check whether a freshly authenticated
> > > user is a member of the respective group for this service before
> > > granting access.
> > 
> > Quoting
> > https://github.com/jabberd2/jabberd2/blob/master/etc/c2s.xml.dist.in#L634
> > 
> >   
> >   
> >   
> > 
> > Isn't this what you are looking for?
> 
> Hm, yes, but this is in that ldap-module (as opposed to ldapfull), which has
> its own problem: It does not allow me to specify the URI of the LDAP server
> as free form, so I cannot use the ldapi protocol. (The ldap server is
> running locally, listening on a unix socket, and I do not want to configure
> it to listen on any IP sockets.)

Also, I think using filters to check whether a given user is part of a given 
group only works with AD but not with OpenLDAP, because the latter puts group 
members as attributes into the group object in the form of member attributes, 
while the former puts group memberships into the user objects in the form of 
memberOf attributes.

Guido
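The membership check discussed in this message, as an added example that is not part of the thread or of jabberd2: it builds the LDAP search filter for both directory layouts (a groupOfNames entry whose "member" values are user DNs, and an AD-style user entry whose "memberOf" values are group DNs) with RFC 4515 escaping, so that a login name or DN taken from the client cannot rewrite the filter, and then evaluates membership with a default-deny rule. The two "directories" are constructed in-memory stand-ins for what a real search would return, so the code runs offline; in a deployment the dictionary lookups are replaced by a search using these filter strings.

```python
"""Added example, not jabberd2 code: decide whether a freshly authenticated
user belongs to the per-service LDAP group, for both layouts mentioned in
the thread.

  OpenLDAP-style groupOfNames: the group entry lists users in "member".
  Active Directory:            the user entry lists groups in "memberOf".

Either layout can be tested with one search filter. The sample data below
is constructed for this example and stands in for real search results.
"""

# Constructed sample data (OpenLDAP layout): DN -> {attribute: [values]}
OPENLDAP_DIR = {
    "cn=jabber,ou=services,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=alice,ou=people,dc=example,dc=com",
                   "uid=bob,ou=people,dc=example,dc=com"],
    },
    "cn=ssh,ou=services,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=bob,ou=people,dc=example,dc=com"],
    },
    "uid=alice,ou=people,dc=example,dc=com": {"uid": ["alice"]},
    "uid=bob,ou=people,dc=example,dc=com": {"uid": ["bob"]},
}

# Constructed sample data (AD layout): membership lives on the user entry.
AD_DIR = {
    "CN=Carol,OU=People,DC=example,DC=com": {
        "sAMAccountName": ["carol"],
        "memberOf": ["CN=Jabber,OU=Services,DC=example,DC=com"],
    },
    "CN=Jabber,OU=Services,DC=example,DC=com": {"objectClass": ["group"]},
}


def escape_filter_value(value):
    """Escape an assertion value per RFC 4515 section 3, so that '*', '(',
    ')', backslash and NUL supplied by a client cannot change the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def member_filter(user_dn):
    """Filter for the OpenLDAP layout: run it with the service group's DN as
    search base and scope 'base'; one result means user_dn is a member."""
    return "(&(objectClass=groupOfNames)(member=%s))" % escape_filter_value(user_dn)


def memberof_filter(login, group_dn):
    """Filter for the AD layout: run it over the user subtree; one result
    means the user named by login is in group_dn."""
    return "(&(sAMAccountName=%s)(memberOf=%s))" % (
        escape_filter_value(login), escape_filter_value(group_dn))


def normalize_dn(dn):
    """Case-insensitive RDN comparison, enough for this example. Real DN
    matching follows RFC 4517 and must also handle escaped commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def _entry(directory, dn):
    want = normalize_dn(dn)
    for key, attrs in directory.items():
        if normalize_dn(key) == want:
            return attrs
    return None


def user_in_group(directory, user_dn, group_dn):
    """Default-deny membership check covering both layouts: an unknown user,
    an unknown group or an empty member list all yield False."""
    want_user, want_group = normalize_dn(user_dn), normalize_dn(group_dn)
    group = _entry(directory, group_dn)
    if group is not None and any(normalize_dn(m) == want_user
                                 for m in group.get("member", [])):
        return True
    user = _entry(directory, user_dn)
    if user is not None and any(normalize_dn(g) == want_group
                                for g in user.get("memberOf", [])):
        return True
    return False


if __name__ == "__main__":
    alice = "uid=alice,ou=people,dc=example,dc=com"
    print(member_filter(alice))
    print(memberof_filter("carol", "CN=Jabber,OU=Services,DC=example,DC=com"))
    print(user_in_group(OPENLDAP_DIR, alice, "cn=jabber,ou=services,dc=example,dc=com"))
    print(user_in_group(OPENLDAP_DIR, alice, "cn=ssh,ou=services,dc=example,dc=com"))
```

The escaping is the part worth keeping even if the rest is replaced by a real client library: a login of `*)(objectClass=*` left unescaped turns a membership test into a match-anything filter, and the test below shows it being neutralised. Note that the groupOfNames case is handled by filtering on the group entry's "member" attribute, so a filter-based check is not limited to directories that expose "memberOf".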




Re: LDAP Auth: Require user to be in specified LDAP-group

2012-12-11 Thread Guido Winkelmann
On Tuesday, 11 December 2012, 11:43:49, Eric V. Smith wrote:
> On 12/11/2012 11:11 AM, Guido Winkelmann wrote:
> > Hi,
> > 
> > I'm trying to integrate Jabberd2 into my single-account scheme using LDAP,
> > and I'm running into problems with that.
> > 
> > One of my requirements for this is that I need to be able to specify for
> > every user exactly which services he or she is allowed to access, so
> > that, for example, a user who only needs access to SMTP and IMAP services
> > is not also automatically able to login via SSH or FTP. For the services
> > I have running so far, I was able to implement this by creating a new
> > LDAP group (with objectClass: groupOfNames) for each service and having
> > every service check whether a freshly authenticated user is a member of
> > the respective group for this service before granting access.
> > 
> > Unfortunately, jabberd2 does not appear to support this (or PAM, which
> > would have provided a nice workaround).
> > 
> > Does anyone know of any other way to achieve this?
> 
> I use pam with jabberd2:
> http://www.jabberdoc.org/section04_6.html
> 
> And in pam I require a specific group, and I'm using LDAP as the account
> backend. Works like a charm.

Ah, so it does work! I was going by the example config file for c2s, which did 
not mention pam, so I thought it just wasn't supported...

Anyway, I've been reading authreg_ldapfull.c for a bit, and while I'm not very 
familiar with the code base yet, it looks like simply implementing the group 
check feature right there would not be that hard. I think I will try my luck 
with that, and if it doesn't work out go back to PAM.




Re: LDAP Auth: Require user to be in specified LDAP-group

2012-12-11 Thread Guido Winkelmann
On Tuesday, 11 December 2012, 17:50:03, Tomasz Sterna wrote:
> On 2012-12-11, Tue at 17:11 +0100, Guido Winkelmann wrote:
> > For the services I have running so far, I was able to implement this
> > by creating a new LDAP group (with objectClass: groupOfNames) for each
> > service and having every service check whether a freshly authenticated
> > user is a member of the respective group for this service before
> > granting access.
> 
> Quoting
> https://github.com/jabberd2/jabberd2/blob/master/etc/c2s.xml.dist.in#L634
> 
>   
>   
> 
> Isn't this what you are looking for?

Hm, yes, but this is in that ldap-module (as opposed to ldapfull), which has 
its own problem: It does not allow me to specify the URI of the LDAP server as 
free form, so I cannot use the ldapi protocol. (The ldap server is running 
locally, listening on a unix socket, and I do not want to configure it to 
listen on any IP sockets.)

Guido




Re: LDAP Auth: Require user to be in specified LDAP-group

2012-12-11 Thread Tomasz Sterna
On 2012-12-11, Tue at 17:11 +0100, Guido Winkelmann wrote:
> For the services I have running so far, I was able to implement this
> by creating a new LDAP group (with objectClass: groupOfNames) for each
> service and having every service check whether a freshly authenticated
> user is a member of the respective group for this service before
> granting access. 

Quoting 
https://github.com/jabberd2/jabberd2/blob/master/etc/c2s.xml.dist.in#L634

  
  

Isn't this what you are looking for?





Re: LDAP Auth: Require user to be in specified LDAP-group

2012-12-11 Thread Eric V. Smith
On 12/11/2012 11:11 AM, Guido Winkelmann wrote:
> Hi,
> 
> I'm trying to integrate Jabberd2 into my single-account scheme using LDAP, 
> and I'm running into problems with that.
> 
> One of my requirements for this is that I need to be able to specify for 
> every user exactly which services he or she is allowed to access, so that, 
> for example, a user who only needs access to SMTP and IMAP services is not 
> also automatically able to login via SSH or FTP. For the services I have 
> running so far, I was able to implement this by creating a new LDAP group 
> (with objectClass: groupOfNames) for each service and having every service 
> check whether a freshly authenticated user is a member of the respective 
> group for this service before granting access.
> 
> Unfortunately, jabberd2 does not appear to support this (or PAM, which would 
> have provided a nice workaround).
> 
> Does anyone know of any other way to achieve this?

I use pam with jabberd2:
http://www.jabberdoc.org/section04_6.html

And in pam I require a specific group, and I'm using LDAP as the account
backend. Works like a charm.

Eric.
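A PAM stack that does what Eric describes, added here as an example (it is not from this thread and not jabberd2's own configuration). It assumes jabberd2's c2s is set to the pam authreg module under the PAM service name jabberd (an assumed name; check c2s.xml for the real one), that pam_ldap is the module authenticating against the directory (pam_sss would fill the same slot), and that the service group is published to the system through NSS (nss-pam-ldapd or sssd), because pam_succeed_if resolves group membership through the system group database rather than with its own LDAP query; a bare groupOfNames entry therefore needs an rfc2307bis/posixGroup mapping on the NSS side to be visible.

```text
# /etc/pam.d/jabberd   (assumed PAM service name for jabberd2's c2s)
# Password check and service-group check in one stack: a user who is not in
# the "jabber" group fails authentication even with a valid password.
auth     required   pam_succeed_if.so user ingroup jabber quiet_success
auth     required   pam_ldap.so
account  required   pam_succeed_if.so user ingroup jabber quiet_success
account  required   pam_ldap.so
```

With both lines marked required, pam_ldap still runs after a failed group check, so a valid password in the wrong group and a wrong password produce the same result to the client. Each other service (SSH, FTP) gets its own /etc/pam.d file with its own ingroup line, which is the one-group-per-service scheme from the original post.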






LDAP Auth: Require user to be in specified LDAP-group

2012-12-11 Thread Guido Winkelmann
Hi,

I'm trying to integrate Jabberd2 into my single-account scheme using LDAP, and 
I'm running into problems with that.

One of my requirements for this is that I need to be able to specify for every 
user exactly which services he or she is allowed to access, so that, for 
example, a user who only needs access to SMTP and IMAP services is not also 
automatically able to login via SSH or FTP. For the services I have running so 
far, I was able to implement this by creating a new LDAP group (with 
objectClass: groupOfNames) for each service and having every service check 
whether a freshly authenticated user is a member of the respective group for 
this service before granting access.

Unfortunately, jabberd2 does not appear to support this (or PAM, which would 
have provided a nice workaround).

Does anyone know of any other way to achieve this?

Regards,

Guido