Hi Nathan,

On 17/Jan/2014, at 20:51, Nathan Kinder <nkin...@redhat.com> wrote:

> On 01/16/2014 07:13 AM, Paolo Barbato wrote:
>> 
>> On 16/Jan/2014, at 15:52, Rich Megginson <rmegg...@redhat.com> wrote:
>> 
>>> On 01/16/2014 07:48 AM, Paolo Barbato wrote:
>>>> Hi Rich,
>>>> 
>>>> On 16/Jan/2014, at 15:28, Rich Megginson <rmegg...@redhat.com> wrote:
>>>> 
>>>>> On 01/16/2014 12:56 AM, Paolo Barbato wrote:
>>>>>> Thanks for replies, I think I need to better describe what I'm testing.
>>>>>> 
>>>>>> As I said I've a central repository for credentials accessible via ldaps.
>>>>>> 
>>>>>> 389dirsrv stores some information, but before getting it I need the 
>>>>>> user to authenticate against the central repository.
>>>>>> 
>>>>>> So I've activated and configured the PAM Pass Through Authentication 
>>>>>> Plug-in and, following the instructions, created a specific 
>>>>>> /etc/pam.d/ldapserver as well as /etc/pam_ldap.conf.
>>>>>> 
>>>>>> This is working, I mean that if I type
>>>>>> 
>>>>>> ldapsearch -v -LLL -Hldaps://my389 -b"dc=myDC" -D "uid=myUser" -W -x
>>>>>> 
>>>>>> the PAM PTA strips myUser from the binddn and uses that as the login 
>>>>>> username for PAM.
>>>>>> 
>>>>>> Let me just say that in production I'll use a different repository based 
>>>>>> on Active Directory, so probably I'll use SSSD, as you suggest.
>>>>>> 
>>>>>> The problem.
>>>>>> 
>>>>>> If I use a command like
>>>>>> 
>>>>>> ldapsearch -v -LLL -Hldaps://my389 -b"dc=myDC" -D "myUser" -W -x
>>>>>> 
>>>>>> it fails, since 389dirsrv performs a syntax check on the binddn before 
>>>>>> passing the stripped myUser value to PAM PTA.
>>>>>> 
>>>>>> This is really true, since I do not see any attempt in the central LDAP 
>>>>>> repository's access logs.
>>>>>> 
>>>>>> Here is my question: is it mandatory to use as binddn (-D) a syntax like 
>>>>>> uid=myUser or cn=myUser, or is it possible to configure 389dirsrv to 
>>>>>> rewrite myUser into uid=myUser before processing it?
>>>>> No.  The argument to -D must be a DN.
>>>>> 
>>>> I suspected that, so you confirm that such a syntax check is performed by 
>>>> 389dirsrv.
>>> Yes.  You can disable syntax and DN syntax checking, but that is strongly 
>>> discouraged.
>>>> 
>> ok !
>>>>> There are SASL mechanisms that take a username instead of a DN.
>>>>> 
>>>> Yes, I've tried that way using openldap and saslauthd, but also in that 
>>>> deployment I must always use uid=myUser as DN, since the syntax check 
>>>> prevails.
>>> 
>>> There are SASL mechanisms that allow you to use a username and not a bind 
>>> DN.  This should work with 389 and openldap and other directory servers 
>>> that support those SASL mechanisms.  In that case, you do not use -D 
>>> "bind=dn"
>>> 
>> 
>> I have to investigate this way further...
>> 
>>>> 
>>>> In my lab I use Stalker CGPro as mailer, which allows LDAP bind, for example 
>>>> from the Thunderbird address book client, using only a username as bind DN.
>>> 
>>> I wonder if that is an AD-ism?  One of the many ways that AD violates LDAP 
>>> is that it allows non-DNs to be used with -D.
>>> 
>> Oh yes, it could really be that. So that LDAP server gets the username from 
>> the non-DN -D value without any particular check, and looks up a match in the 
>> default subtree. Is that really so dangerous?
> 
> For thunderbird, I suspect the client side does an anonymous search for
> "uid=<username>" to find the full bind DN, which it then uses to perform
> the bind.
> 

From the access and error log files it seems that the bind is tried first, with 
no anonymous lookup, and fails. I've used barbato as Bind DN in Thunderbird... 
same behavior if I try the OS X (10.9.1) Contacts app.

error.log
[20/Jan/2014:08:27:44 +0100] pam_passthru-plugin - Bind DN [barbato] is invalid or not found
[20/Jan/2014:08:27:44 +0100] pam_passthru-plugin - <= handled (error 32 - No such object)

access.log
[20/Jan/2014:08:27:44 +0100] conn=1 fd=64 slot=64 SSL connection from 150.178.3.7 to 192.168.60.23
[20/Jan/2014:08:27:44 +0100] conn=1 op=0 BIND dn="barbato" method=128 version=3
[20/Jan/2014:08:27:44 +0100] conn=1 op=0 RESULT err=32 tag=97 nentries=0 etime=0

So I think Rich was right... the syntax check is tried first, and it's not 
possible to rewrite the bind DN before the syntax check.

Regards,
Paolo.

>> 
>> Regards,
>> Paolo.
>> 
>>>> 
>>>> Regards,
>>>> Paolo.
>>>> 
>>>> 
>>>>>> 
>>>>>> Regards,
>>>>>> Paolo.
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> On 15/Jan/2014, at 23:13, Dan Lavu <d...@lavu.net> wrote:
>>>>>> 
>>>>>>> Why are you using pam passthrough, what are you using as your 
>>>>>>> authentication mechanism? SSSD has all commonly implemented 
>>>>>>> authentication mechanisms.
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> On 01/15/2014 12:54 PM, Jonathan Vaughn wrote:
>>>>>>>> If you want to be able to map the simple username "myUser" to say, 
>>>>>>>> "uid=myUser,cn=Users,dc=mycompany,dc=net", you probably are best off 
>>>>>>>> using SSSD to handle that.
>>>>>>>> SSSD can be configured to know where to search and how to apply the 
>>>>>>>> supplied username to the search (i.e. to look for anything under 
>>>>>>>> cn=Users,dc=mycompany,dc=net where uid=[the supplied username]).
>>>>>>>> 
>>>>>>>> SSSD in turn provides a PAM module to talk to the SSSD daemon itself, 
>>>>>>>> which is where you can hook up your PAM passthrough authentication.
>>>>>>>> 
>>>>>>>> i.e., we use SSSD for SSO login to our Linux machines, and have the 
>>>>>>>> following lines (in addition to the usual stuff) in our 
>>>>>>>> pam.d/password-auth :
>>>>>>>> 
>>>>>>>> auth        sufficient    pam_sss.so use_first_pass
>>>>>>>> account     [default=bad success=ok user_unknown=ignore] pam_sss.so
>>>>>>>> password    sufficient    pam_sss.so use_authtok
>>>>>>>> session     optional      pam_sss.so
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> On Wed, Jan 15, 2014 at 3:46 AM, Paolo Barbato 
>>>>>>>> <paolo.barb...@igi.cnr.it> wrote:
>>>>>>>> Hi 389-users,
>>>>>>>> 
>>>>>>>> I'm testing the latest released 389 dirsrv on RHEL 6.5.
>>>>>>>> 
>>>>>>>> I've deployed a PAM passthrough, since I have a central repository for 
>>>>>>>> credentials, and it works.
>>>>>>>> 
>>>>>>>> I wonder if it would be possible to use a simple username or if it's 
>>>>>>>> mandatory to use a syntax like uid=myuser (or cn=..) as bind DN.
>>>>>>>> 
>>>>>>>> ldapsearch -v -LLL -Hldaps://my389 -b"dc=myDC" -D "uid=myUser" -W -x   
>>>>>>>> works
>>>>>>>> 
>>>>>>>> ldapsearch -v -LLL -Hldaps://my389 -b"dc=myDC" -D "myUser" -W -x   
>>>>>>>> doesn't work
>>>>>>>> 
>>>>>>>> ldap_bind: No such object (32)
>>>>>>>>        additional info: Bind DN [myUser] is invalid or not found
>>>>>>>> 
>>>>>>>> So the question is if it would be possible to rewrite the bind DN in 
>>>>>>>> some way before the syntax check.
>>>>>>>> 
>>>>>>>> Regards,
>>>>>>>> Paolo.

------------------------------------------------------------------------------------------------
Paolo Barbato

Consorzio RFX
corso Stati Uniti,4                                  
35127 Padova - Italy                                              
Network Administrator 
phone: +39 049 8295097 fax: +39 049 8700718
------------------------------------------------------------------------------------------------

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
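The two things this thread turns on, the DN syntax check that rejects -D "myUser" before the PAM pass-through plug-in ever sees it, and the RDN-value-to-PAM-login mapping that makes -D "uid=myUser" work, as an added example that is not part of the original messages and not 389 DS's own code. It is a minimal RFC 4514 DN parser in Python, a `pam_identity` function that models the "strip myUser from the binddn" behaviour Paolo describes (leftmost RDN value), and a pass over 389 access log lines that reports simple binds which sent a bare login name instead of a DN; the sample log contains the two lines from Paolo's mail plus constructed lines marked as such. The parser, the function names and the assumption that the plug-in maps on the leftmost RDN value are mine, not taken from the plug-in's source.

```python
"""Added example (not from the thread or 389 DS): why a bare login name is
rejected as a bind DN, and how to spot clients doing that in the access log."""
import re
from typing import Dict, List, Optional, Tuple

# RFC 4514 attribute type: a descriptor (alpha, then alnum/hyphen) or a dotted OID.
_ATTR_TYPE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)$")
_HEX = set("0123456789abcdefABCDEF")


def _split_unescaped(s: str, seps: str) -> List[str]:
    """Split s on any character in seps, skipping backslash-escaped characters."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])  # keep the escape pair intact for _unescape
            i += 2
            continue
        if s[i] in seps:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append("".join(cur))
    return parts


def _unescape(value: str) -> str:
    """Undo RFC 4514 escaping: '\\XX' hex pairs become bytes, '\\c' becomes c."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and set(pair) <= _HEX:
                out.append(int(pair, 16))
                i += 3
            else:
                out.extend(value[i + 1].encode("utf-8"))
                i += 2
        else:
            out.extend(value[i].encode("utf-8"))
            i += 1
    return out.decode("utf-8")


def parse_dn(dn: str) -> List[List[Tuple[str, str]]]:
    """Parse an RFC 4514 string DN into [[(type, value), ...], ...], leftmost RDN first.
    "" is the valid empty DN (anonymous bind). Anything that is not 'type=value'
    pairs raises ValueError: that is what -D "myUser" runs into."""
    if dn == "":
        return []
    rdns = []
    for rdn in _split_unescaped(dn, ",;"):       # ';' is the legacy RDN separator
        avas = []
        for ava in _split_unescaped(rdn, "+"):   # '+' joins multi-valued RDNs
            if "=" not in ava:
                raise ValueError(f"RDN component without '=': {ava!r}")
            atype, raw = ava.split("=", 1)
            if not _ATTR_TYPE.match(atype.strip()):
                raise ValueError(f"bad attribute type: {atype!r}")
            avas.append((atype.strip().lower(), _unescape(raw.strip())))
        rdns.append(avas)
    return rdns


def pam_identity(bind_dn: str) -> Optional[str]:
    """Assumed model of the pass-through plug-in's RDN mapping (uid=myUser -> myUser):
    the value of the leftmost RDN is the PAM login name. Returns None when the
    bind DN is empty or not a syntactically valid DN, i.e. it never reaches PAM."""
    try:
        rdns = parse_dn(bind_dn)
    except ValueError:
        return None
    return rdns[0][0][1] if rdns else None


# 389 DS access log format: BIND and RESULT lines are correlated by (conn, op).
_BIND = re.compile(r'conn=(\d+) op=(\d+) BIND dn="((?:[^"\\]|\\.)*)" method=(\S+)')
_RESULT = re.compile(r"conn=(\d+) op=(\d+) RESULT err=(\d+)")


def non_dn_binds(access_log: str) -> List[Dict[str, object]]:
    """Report simple binds (method=128) whose bind DN is not a valid, non-empty DN:
    clients sending a bare login name where 389 DS requires a DN."""
    binds, results = {}, {}
    for line in access_log.splitlines():
        if (m := _BIND.search(line)):
            binds[(m[1], m[2])] = (m[3], m[4])
        elif (m := _RESULT.search(line)):
            results[(m[1], m[2])] = int(m[3])
    return [{"conn": conn, "dn": dn, "err": results.get((conn, op))}
            for (conn, op), (dn, method) in binds.items()
            if method == "128" and dn != "" and pam_identity(dn) is None]


# conn=1 lines are from Paolo's mail; conn=2 and conn=3 are constructed for the example.
SAMPLE_ACCESS_LOG = """\
[20/Jan/2014:08:27:44 +0100] conn=1 fd=64 slot=64 SSL connection from 150.178.3.7 to 192.168.60.23
[20/Jan/2014:08:27:44 +0100] conn=1 op=0 BIND dn="barbato" method=128 version=3
[20/Jan/2014:08:27:44 +0100] conn=1 op=0 RESULT err=32 tag=97 nentries=0 etime=0
[20/Jan/2014:08:27:51 +0100] conn=2 op=0 BIND dn="" method=128 version=3
[20/Jan/2014:08:27:51 +0100] conn=2 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[20/Jan/2014:08:27:51 +0100] conn=2 op=1 BIND dn="uid=barbato,ou=people,dc=myDC" method=128 version=3
[20/Jan/2014:08:27:51 +0100] conn=2 op=1 RESULT err=0 tag=97 nentries=0 etime=0
[20/Jan/2014:08:28:02 +0100] conn=3 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Jan/2014:08:28:02 +0100] conn=3 op=0 RESULT err=0 tag=97 nentries=0 etime=0
"""

if __name__ == "__main__":
    for probe in ("uid=myUser", "myUser", "cn=Barbato\\, Paolo,dc=myDC", ""):
        print(f"{probe!r:32} -> PAM login: {pam_identity(probe)!r}")
    for finding in non_dn_binds(SAMPLE_ACCESS_LOG):
        print("non-DN simple bind:", finding)
```

The anonymous bind (dn="") and the SASL bind are deliberately not reported: an empty DN is valid, and a SASL bind carries a mechanism rather than a DN, which is the alternative Rich points to for clients that only have a username.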
