FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor


 
 
LinkBack Thread Tools
 
Old 10-15-2010, 02:57 PM
Gerrard Geldenhuis
 
Default Greedy PAM

Hi
Not strictly a 389 question but maybe 389 offers a solution.

I have a tree structure as follows:
dc=company
ou=people,dc=company
ou=groups,dc=company

On my client the I have the following searchbase in /etc/ldap.conf
dc=company

If I login as user gerrard and look at the network traffic then every possible user is send to the client. This is not a problem yet but would be a problem on a slow link or with lots of users.

Changing the base to ou=people,dc=company works in that the search results returned is way smaller, but breaks everything else because group membership is not in that base.

Is there a way to dynamically have search basis when queries for certain data is done. How do you configure clients to be more selective when doing searches against a ldap directory.

Regards

__________________________________________________ ______________________
In order to protect our email recipients, Betfair Group use SkyScan from
MessageLabs to scan all Incoming and Outgoing mail for viruses.

__________________________________________________ ______________________
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 10-15-2010, 03:12 PM
Daniel Maher
 
Default Greedy PAM

On 10/15/2010 04:57 PM, Gerrard Geldenhuis wrote:

> Is there a way to dynamically have search basis when queries for certain data is done.

Yes.

> How do you configure clients to be more selective when doing searches against a ldap directory.

It depends entirely on the software doing the query. Here's an example
from one of my Apache HTTPd configs :

AuthLDAPURL
"ldap://<server>/ou=People,dc=franceix,dc=net?uid??(|(gidNumber=100 00)(gidNumber=11000))"


--
Daniel Maher <dma + 389users AT witbe DOT net>
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 10-19-2010, 09:07 AM
Gerrard Geldenhuis
 
Default Greedy PAM

>________________________________________
>From: 389-users-bounces@lists.fedoraproject.org [389-users-bounces@lists.fedoraproject.org] on behalf of Daniel Maher [dma+389users@witbe.net]
>Sent: 15 October 2010 16:12
>To: 389-users@lists.fedoraproject.org
>Subject: Re: [389-users] Greedy PAM
>
>On 10/15/2010 04:57 PM, Gerrard Geldenhuis wrote:
>
>> Is there a way to dynamically have search basis when queries for certain data is done.
>
>Yes.
>
>> How do you configure clients to be more selective when doing searches against a ldap directory.
>
>It depends entirely on the software doing the query. Here's an example
>from one of my Apache HTTPd configs :
>
>AuthLDAPURL
>"ldap://<server>/ou=People,dc=franceix,dc=net?uid??(|(gidNumber=100 00)(gidNumber=11000))"

Thanks, I have addded the following filters for PAM in /etc/ldap.conf

nss_base_passwd ou=people,dc=mycompany?sub
nss_base_group ou=Groups,dc=mycompany?sub
nss_base_group ou=PrivateGroups,dc=mycompany?sub
nss_base_group ou=SystemGroups,dc=mycompany?sub

It works kind of but what I don't understand is that when a client authenticates against the directory server I see a ldapsearch request in wireshark for every single user. I am not sure if this a misconfiguration on my side or if PAM_LDAP is being greedy/lazy/buggy or where else the problem lies. I see a succesfull result for every ldap search request in LDAP so I am not sure why every user would need to be queried if only one user needs to authenticate.


We use a seperate user to speak to the Directory specified in /etc/ldap.conf. I am not sure if that would make a difference.

binddn uid=SysAuth,ou=Service Accounts,dc=mycompany

Any thoughts would be appreciated and suggestions for a nice tool to analyze LDAP conversations would be much appreciated. I am playing with dsniff and netsniff-ng.

Best Regards

__________________________________________________ ______________________
In order to protect our email recipients, Betfair Group use SkyScan from
MessageLabs to scan all Incoming and Outgoing mail for viruses.

__________________________________________________ ______________________
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 

Thread Tools




All times are GMT. The time now is 03:34 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org