Re: LDAP Auth: Require user to be in specified LDAP-group

2012-12-11 Thread Eric V. Smith
On 12/11/2012 11:11 AM, Guido Winkelmann wrote:
> Hi,
> 
> I'm trying to integrate Jabberd2 into my single-account scheme using LDAP,
> and I'm running into problems with that.
> 
> One of my requirements for this is that I need to be able to specify for
> every user exactly which services he or she is allowed to access, so that,
> for example, a user who only needs access to SMTP and IMAP services is not
> also automatically able to login via SSH or FTP. For the services I have
> running so far, I was able to implement this by creating a new LDAP group
> (with objectClass: groupOfNames) for each service and having every service
> check whether a freshly authenticated user is a member of the respective
> group for this service before granting access.
> 
> Unfortunately, jabberd2 does not appear to support this (or PAM, which would
> have provided a nice workaround).
> 
> Does anyone know of any other way to achieve this?

I use pam with jabberd2:
http://www.jabberdoc.org/section04_6.html

And in pam I require a specific group, and I'm using LDAP as the account
backend. Works like a charm.

Eric.

Re: LDAP Auth: Require user to be in specified LDAP-group

2012-12-11 Thread Tomasz Sterna
On 2012-12-11, Tue at 17:11 +0100, Guido Winkelmann writes:
> For the services I have running so far, I was able to implement this
> by creating a new LDAP group (with objectClass: groupOfNames) for each
> service and having every service check whether a freshly authenticated
> user is a member of the respective group for this service before
> granting access. 

Quoting 
https://github.com/jabberd2/jabberd2/blob/master/etc/c2s.xml.dist.in#L634

  
  

Isn't this what you are looking for?

Re: LDAP Auth: Require user to be in specified LDAP-group

2012-12-11 Thread Guido Winkelmann
On Tuesday, 11 December 2012, 17:50:03, Tomasz Sterna wrote:
> On 2012-12-11, Tue at 17:11 +0100, Guido Winkelmann writes:
> > For the services I have running so far, I was able to implement this
> > by creating a new LDAP group (with objectClass: groupOfNames) for each
> > service and having every service check whether a freshly authenticated
> > user is a member of the respective group for this service before
> > granting access.
> 
> Quoting
> https://github.com/jabberd2/jabberd2/blob/master/etc/c2s.xml.dist.in#L634
> 
>   
>   
> 
> Isn't this what you are looking for?

Hm, yes, but this is in that ldap-module (as opposed to ldapfull), which has 
its own problem: It does not allow me to specify the URI of the LDAP server as 
free form, so I cannot use the ldapi protocol. (The ldap server is running 
locally, listening on a unix socket, and I do not want to configure it to 
listen on any IP sockets.)

Guido

Re: LDAP Auth: Require user to be in specified LDAP-group

2012-12-11 Thread Guido Winkelmann
On Tuesday, 11 December 2012, 11:43:49, Eric V. Smith wrote:
> On 12/11/2012 11:11 AM, Guido Winkelmann wrote:
> > Hi,
> > 
> > I'm trying to integrate Jabberd2 into my single-account scheme using LDAP,
> > and I'm running into problems with that.
> > 
> > One of my requirements for this is that I need to be able to specify for
> > every user exactly which services he or she is allowed to access, so
> > that, for example, a user who only needs access to SMTP and IMAP services
> > is not also automatically able to login via SSH or FTP. For the services
> > I have running so far, I was able to implement this by creating a new
> > LDAP group (with objectClass: groupOfNames) for each service and having
> > every service check whether a freshly authenticated user is a member of
> > the respective group for this service before granting access.
> > 
> > Unfortunately, jabberd2 does not appear to support this (or PAM, which
> > would have provided a nice workaround).
> > 
> > Does anyone know of any other way to achieve this?
> 
> I use pam with jabberd2:
> http://www.jabberdoc.org/section04_6.html
> 
> And in pam I require a specific group, and I'm using LDAP as the account
> backend. Works like a charm.

Ah, so it does work! I was going by the example config file for c2s, which did 
not mention pam, so I thought it just wasn't supported...

Anyway, I've been reading authreg_ldapfull.c for a bit, and while I'm not very 
familiar with the code base yet, it looks like simply implementing the group 
check feature right there would not be that hard. I think I will try my luck 
with that, and if it doesn't work out go back to PAM.

Re: LDAP Auth: Require user to be in specified LDAP-group

2012-12-11 Thread Guido Winkelmann
On Tuesday, 11 December 2012, 18:12:42, Guido Winkelmann wrote:
> On Tuesday, 11 December 2012, 17:50:03, Tomasz Sterna wrote:
> > On 2012-12-11, Tue at 17:11 +0100, Guido Winkelmann writes:
> > > For the services I have running so far, I was able to implement this
> > > by creating a new LDAP group (with objectClass: groupOfNames) for each
> > > service and having every service check whether a freshly authenticated
> > > user is a member of the respective group for this service before
> > > granting access.
> > 
> > Quoting
> > https://github.com/jabberd2/jabberd2/blob/master/etc/c2s.xml.dist.in#L634
> > 
> >   
> >   
> >   
> > 
> > Isn't this what you are looking for?
> 
> Hm, yes, but this is in that ldap-module (as opposed to ldapfull), which has
> its own problem: It does not allow me to specify the URI of the LDAP server
> as free form, so I cannot use the ldapi protocol. (The ldap server is
> running locally, listening on a unix socket, and I do not want to configure
> it to listen on any IP sockets.)

Also, I think using filters to check whether a given user is part of a given 
group only works with AD but not with OpenLDAP, because the latter puts group 
members as attributes into the group object in the form of member attributes, 
while the former puts group memberships into the user objects in the form of 
memberOf attributes.

Guido
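An added illustration of the distinction drawn above, not code from this thread or from jabberd2: the membership decision written over constructed in-memory entries that stand in for LDAP search results, checking the group entry's member attribute (the OpenLDAP groupOfNames layout) first and falling back to the user entry's memberOf attribute (the AD layout). The sample entries, DNs and function names are assumptions.

```python
import re

# Split a DN on commas that are not backslash-escaped.
DN_SPLIT = re.compile(r"(?<!\\),")


def normalize_dn(dn):
    """Canonicalise a DN for comparison: trim whitespace around each RDN,
    lower-case attribute types and values. Lower-casing values is a
    simplification; real matching rules depend on the attribute syntax."""
    rdns = []
    for rdn in DN_SPLIT.split(dn):
        attr, _, value = rdn.strip().partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


# Constructed sample entries (assumption, not real data). The group entry
# follows the OpenLDAP groupOfNames convention (members listed in the group);
# only the AD-style user entry carries a memberOf attribute.
DIRECTORY = {
    "cn=jabber-users,ou=groups,dc=example,dc=org": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=alice,ou=people,dc=example,dc=org"],
    },
    "uid=alice,ou=people,dc=example,dc=org": {"uid": ["alice"]},
    "uid=bob,ou=people,dc=example,dc=org": {"uid": ["bob"]},
    "CN=Carol,OU=Users,DC=example,DC=org": {
        "memberOf": ["CN=Jabber-Users,OU=Groups,DC=example,DC=org"],
    },
}


def is_member(directory, user_dn, group_dn):
    """True if user_dn belongs to group_dn under either directory layout."""
    entries = {normalize_dn(dn): attrs for dn, attrs in directory.items()}
    user, group = normalize_dn(user_dn), normalize_dn(group_dn)
    # OpenLDAP (and AD): the group object lists its members.
    if any(normalize_dn(m) == user for m in entries.get(group, {}).get("member", [])):
        return True
    # AD only: the user object lists its groups. Absent on plain OpenLDAP.
    return any(normalize_dn(g) == group for g in entries.get(user, {}).get("memberOf", []))


def login_allowed(directory, user_dn, required_group):
    """Mirror the patch's semantics: no group directive means no restriction."""
    if required_group is None:
        return True
    return is_member(directory, user_dn, required_group)
```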

Re: LDAP Auth: Require user to be in specified LDAP-group

2012-12-12 Thread Guido Winkelmann
This patch appears to work. Note, I have only done superficial testing 
(checked that I can log in as a user who is in the specified group and that I 
can not log in as one that is not in this group). I have not tested this 
against AD, only OpenLDAP.

This patch applies to 2.2.17, but not to git-master.

Guido

diff -rup jabberd-2.2.17-orig/etc/c2s.xml.dist.in jabberd-2.2.17/etc/c2s.xml.dist.in
--- jabberd-2.2.17-orig/etc/c2s.xml.dist.in	2012-05-22 22:27:51.0 +0200
+++ jabberd-2.2.17/etc/c2s.xml.dist.in	2012-12-12 16:39:54.490003311 +0100
@@ -546,6 +546,15 @@
   
+
+  
+  
+
   
   
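Review bot: only the etc/c2s.xml.dist.in configuration example is shown; the authreg_ldapfull.c change that actually performs the group check on login is not in this message, so the membership logic cannot be reviewed from what is attached. The hunk header @@ -546,6 +546,15 @@ also announces nine added lines while only four '+' lines appear, so the new configuration element's name and attributes are not visible either. Please resend the complete diff.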

Re: LDAP Auth: Require user to be in specified LDAP-group

2012-12-13 Thread Guido Winkelmann
The same patch for git master.

From 559475a60dbe5a793f2632f5abb723ec19bedc07 Mon Sep 17 00:00:00 2001
From: Guido Winkelmann 
Date: Thu, 13 Dec 2012 00:57:10 +0100
Subject: [PATCH] ldapfull: Check for ldap group membership on login

Administrators can now supply a  configuration directive. If
it is given, only users who are members of this group will be allowed to login
---
 etc/c2s.xml.dist.in|9 +
 storage/authreg_ldapfull.c |   82 ---
 2 files changed, 85 insertions(+), 6 deletions(-)

diff --git a/etc/c2s.xml.dist.in b/etc/c2s.xml.dist.in
index eb402d5..6626b43 100644
--- a/etc/c2s.xml.dist.in
+++ b/etc/c2s.xml.dist.in
@@ -563,6 +563,15 @@
   
+
+  
+  
+
   
   
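Review bot: the diffstat lists 82 changed lines in storage/authreg_ldapfull.c, but only the etc/c2s.xml.dist.in hunk is present, so the part that needs review, the group lookup, the comparison against the authenticated user's DN and the release of results with ldap_memfree(), cannot be checked here. The nine lines announced by @@ -563,6 +563,15 @@ are also reduced to four '+' lines, leaving the new configuration element itself unreadable. Please resend with the full diff.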

Re: LDAP Auth: Require user to be in specified LDAP-group

2012-12-13 Thread Guido Winkelmann
Ah, nobody use that yet, please. I just realized I forgot some ldap_memfree() 
calls in _ldapfull_check_password(), so this will probably leak memory...

On Thursday, 13 December 2012, 14:47:12, Guido Winkelmann wrote:
> The same patch for git master.

Re: LDAP Auth: Require user to be in specified LDAP-group

2012-12-13 Thread Guido Winkelmann
The first patch had a memory leak.

On Wednesday, 12 December 2012, 17:07:34, Guido Winkelmann wrote:
> This patch appears to work. Note, I have only done superficial testing
> (checked that I can log in as a user who is in the specified group and that
> I can not log in as one that is not in this group). I have not tested this
> against AD, only OpenLDAP.
> 
> This patch applies to 2.2.17, but not to git-master.
> 
>   Guido

diff -rup jabberd-2.2.17-orig/etc/c2s.xml.dist.in jabberd-2.2.17/etc/c2s.xml.dist.in
--- jabberd-2.2.17-orig/etc/c2s.xml.dist.in	2012-05-22 22:27:51.0 +0200
+++ jabberd-2.2.17/etc/c2s.xml.dist.in	2012-12-12 16:39:54.490003311 +0100
@@ -546,6 +546,15 @@
   
+
+  
+  
+
   
   
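Review bot: this resend is meant to fix the memory leak, yet again only the configuration hunk is attached; the corrected _ldapfull_check_password() with the added ldap_memfree() calls is what needs review, so the storage/authreg_ldapfull.c diff should be included.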

Re: LDAP Auth: Require user to be in specified LDAP-group

2012-12-13 Thread Tomasz Sterna
On 2012-12-13, Thu at 18:42 +0100, Guido Winkelmann writes:
> The first patch had a memory leak.
> 
> On Wednesday, 12 December 2012, 17:07:34, Guido Winkelmann wrote:
> > This patch appears to work. Note, I have only done superficial testing
> > (checked that I can log in as a user who is in the specified group and that
> > I can not log in as one that is not in this group). I have not tested this
> > against AD, only OpenLDAP.
> > 
> > This patch applies to 2.2.17, but not to git-master.

I applied the diff between patches to git-master patch and applied it at
https://github.com/jabberd2/jabberd2/commit/27811996d6ee3b02cf2ab8e80034e6a18ad881e7

Thank you for your contribution. :-)

-- 
Tomasz Sterna
Instant Messaging Consultant : Open Source Developer
http://tomasz.sterna.tv/  http://www.xiaoka.com/portfolio

two ldap modules (Re: LDAP Auth: Require user to be in specified LDAP-group)

2012-12-12 Thread Justin T Pryzby
I compared the two ldap modules here:
http://www.mail-archive.com/jabberd2@lists.xiaoka.com/msg01381.html
(Was it really three years ago??)

Is there any reason to maintain both?  What does "full" mean in
ldapfull?

Justin

On Wed, Dec 12, 2012 at 05:07:34PM +0100, Guido Winkelmann wrote:
> This patch appears to work. Note, I have only done superficial testing 
> (checked that I can log in as a user who is in the specified group and that I 
> can not log in as one that is not in this group). I have not tested this 
> against AD, only OpenLDAP.
> 
> This patch applies to 2.2.17, but not to git-master.
> 
>   Guido

> diff -rup jabberd-2.2.17-orig/etc/c2s.xml.dist.in 
> jabberd-2.2.17/etc/c2s.xml.dist.in
> --- jabberd-2.2.17-orig/etc/c2s.xml.dist.in   2012-05-22 22:27:51.0 
> +0200
> +++ jabberd-2.2.17/etc/c2s.xml.dist.in2012-12-12 16:39:54.490003311 
> +0100
> @@ -546,6 +546,15 @@
>
> +
> +  
> +  
> +
>
>

Re: two ldap modules (Re: LDAP Auth: Require user to be in specified LDAP-group)

2012-12-13 Thread Tomasz Sterna
On 2012-12-12, Wed at 09:40 -0700, Justin T Pryzby writes:
> Is there any reason to maintain both?

Not really. The lack of knowledge of LDAP prevented me from merging
these, but I didn't want to reject this useful user submission, so I
merged it as-is.

If anyone is willing to make the effort to merge these modules, without
losing any functionality (especially the option to use both methods of
checking user authority - binding and reading password), I will gladly
accept patches.

>   What does "full" mean in ldapfull? 

Nothing that I know of. Just a distinct name from the other ldap storage
implementation.

Re: two ldap modules (Re: LDAP Auth: Require user to be in specified LDAP-group)

2012-12-13 Thread Guido Winkelmann
On Wednesday, 12 December 2012, 09:40:49, Justin T Pryzby wrote:
> I compared the two ldap modules here:
> http://www.mail-archive.com/jabberd2@lists.xiaoka.com/msg01381.html
> (Was it really three years ago??)
> 
> Is there any reason to maintain both?  What does "full" mean in
> ldapfull?

At a guess, this might be for forward compatibility for configuration files. 
ldap and ldapfull are not configured exactly the same way, so if you merge 
them (and maybe make ldapfull a synonym for ldap), someone's configuration 
will inevitably break, especially if they install the update without 
thoroughly reading the changelog.

Two examples off the top of my head:

- ldapfull specifies the LDAP server to use as a free form URI, which it just 
passes on unchanged to the underlying API (which is IMHO the way it should be 
done), while ldap takes host and port as two separate directives
- ldap supports custom filters, ldapfull does not

Guido