Requesting community opinion regarding security/pam_ldap groupdn and member_attribute
Valentin Bud
valentin.bud at gmail.com
Fri Apr 16 12:45:14 UTC 2010
Hello community,

I am working these days on implementing a centralized authentication/authorization service for all the FBSD servers I have. I am using OpenLDAP to store the users and GOsa (https://oss.gonicus.de/) as a web frontend to administer the directory.

To enable SSH/console authentication from LDAP I noticed that one can use security/pam_ldap from ports and net/nss_ldap, so that the name service switch can get groups/passwd info from LDAP too.

I have successfully configured OpenLDAP and created a user as follows:

dn: cn=Valentin BUD,ou=people,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
sn: BUD
givenName: Valentin
uid: mtx
cn: Valentin BUD
homeDirectory: /home/mtx
loginShell: /bin/tcsh
uidNumber: 5001
gidNumber: 5001
gecos: Valentin BUD

and a posixGroup as follows:

dn: cn=ssh,ou=groups,ou=people,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: ssh
gidNumber: 7000
description: SSH allowed users
memberUid: mtx

I have configured pam_ldap to honor group membership using

pam_groupdn cn=ssh,ou=groups,ou=people,dc=example,dc=com
pam_member_attribute memberUid

The problem is that pam_ldap wants the memberUid attribute to contain the user's DN, and there is no option to change this behavior.

My question is: what is the argument behind this, and do you think it should stay this way or could it be changed? In my case I really need pam_ldap to check just for the UID, not the DN, of a user in the memberUid attribute.

I have asked our friend Google what he has to say about this and found out that there is a patch on Debian which can be found here:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=341541

that gives the user the possibility to choose whether the memberUid attribute holds the DN or the UID.

I would really like that feature, so I have patched pam_ldap without success, and since my C programming skills are close to none I am stuck.

Do you people think that the above patch would be useful? Please argue on this. How can I/we make that patch work?

Thank you very much and a great day,
v
--
network warrior since 2005
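The mismatch described in the post, as an added illustration that is not pam_ldap's code and not part of the original message: a minimal LDIF reader and a group-membership check that can compare the member attribute either against the user's DN (the behaviour the post says pam_ldap has) or against the uid (the behaviour the Debian patch is said to add). The entries are constructed from the ones quoted above; `parse_ldif`, `is_member` and `demo` are names chosen here, and DN comparison is a simplified case-folded string compare, not full DN normalisation.

```python
# Constructed sample entries, trimmed from the ones quoted in the post.
USER_LDIF = """\
dn: cn=Valentin BUD,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: mtx
uidNumber: 5001
gidNumber: 5001
"""

GROUP_LDIF = """\
dn: cn=ssh,ou=groups,ou=people,dc=example,dc=com
objectClass: posixGroup
cn: ssh
gidNumber: 7000
memberUid: mtx
"""

def parse_ldif(text):
    """Parse one LDIF entry into {attribute (lower-cased): [values]}."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def is_member(group, user, member_attr="memberUid", compare="dn"):
    """True if the user is listed in group[member_attr].
    compare="dn": value must equal the user's DN (behaviour the post describes).
    compare="uid": value must equal the user's uid (behaviour the post asks for).
    Simplification: case-folded string compare, no real DN normalisation."""
    if compare == "dn":
        wanted = user["dn"][0].lower()
    elif compare == "uid":
        wanted = user["uid"][0].lower()
    else:
        raise ValueError("compare must be 'dn' or 'uid'")
    members = [v.lower() for v in group.get(member_attr.lower(), [])]
    return wanted in members

def demo():
    user, group = parse_ldif(USER_LDIF), parse_ldif(GROUP_LDIF)
    # What the DN-comparing check would need: memberUid holding the full DN.
    group_with_dn = dict(group, memberuid=[user["dn"][0]])
    return {
        "dn_compare_uid_value": is_member(group, user, compare="dn"),
        "uid_compare_uid_value": is_member(group, user, compare="uid"),
        "dn_compare_dn_value": is_member(group_with_dn, user, compare="dn"),
    }
```

Running `demo()` shows the membership check failing for the posted group under DN comparison and succeeding either when the uid is compared or when memberUid carries the DN instead.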