Hi!

We have been using a patch for libpam-ldap for a couple of years (4+)
now, and it's about time to ask for merging it in Ubuntu and/or Debian
(but starting here . Here's a description by the author (ie. not me):


- Two new configuration options:
- pam_require_fqdn, allow matching host to either fully qualified
domain name or short hostname.
- pam_require_host_group, match against freely specified hostgroup
to gain access. Looked up from host attribute.
- Can work either way at the same time

- Introduces directly LDAP speaking variants of two internal
functions, _has_deny_value / _has_value. authorizedService
and host attributes are compared on the server side, thus
allowing to set somewhat more strict ACL's to those attributes
if wanted, and possibly saving some network bandwidth..
- Disable some old code replaced by use of _ldap_cmp_has_deny_value
and _ldap_cmp_has_value.

It was sent upstream but got no feedback (link to the patch is broken
now):


http://bugzilla.padl.com/show_bug.cgi?id=172


t--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam

On Fri, 1 Feb 2008, Timo Aaltonen wrote:

>
> Hi!
>
> We have been using a patch for libpam-ldap for a couple of years (4+) now,
> and it's about time to ask for merging it in Ubuntu and/or Debian (but
> starting here . Here's a description by the author (ie. not me):
>
> - Two new configuration options:
> - pam_require_fqdn, allow matching host to either fully qualified
> domain name or short hostname.
> - pam_require_host_group, match against freely specified hostgroup
> to gain access. Looked up from host attribute.
> - Can work either way at the same time
>
> - Introduces directly LDAP speaking variants of two internal
> functions, _has_deny_value / _has_value. authorizedService
> and host attributes are compared on the server side, thus
> allowing to set somewhat more strict ACL's to those attributes
> if wanted, and possibly saving some network bandwidth..
> - Disable some old code replaced by use of _ldap_cmp_has_deny_value
> and _ldap_cmp_has_value.
>
> It was sent upstream but got no feedback (link to the patch is broken now):
>
> http://bugzilla.padl.com/show_bug.cgi?id=172

Still no comments.. Ok, lets put it this way; does anyone object if I were
to upload a new version with this patch?

t

--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam

resending here to receive more feedback:

---------- Forwarded message ----------
Date: Fri, 01 Feb 2008 12:16:34 +0200 (EET)
From: Timo Aaltonen
To: ubuntu-server
Subject: [PATCH] new features for libpam-ldap


Hi!

We have been using a patch for libpam-ldap for a couple of years (4+) now,
and it's about time to ask for merging it in Ubuntu and/or Debian (but starting
here . Here's a description by the author (ie. not me):


- Two new configuration options:
- pam_require_fqdn, allow matching host to either fully qualified
domain name or short hostname.
- pam_require_host_group, match against freely specified hostgroup
to gain access. Looked up from host attribute.
- Can work either way at the same time

- Introduces directly LDAP speaking variants of two internal
functions, _has_deny_value / _has_value. authorizedService
and host attributes are compared on the server side, thus
allowing to set somewhat more strict ACL's to those attributes
if wanted, and possibly saving some network bandwidth..
- Disable some old code replaced by use of _ldap_cmp_has_deny_value
and _ldap_cmp_has_value.

It was sent upstream but got no feedback (link to the patch is broken now):

http://bugzilla.padl.com/show_bug.cgi?id=172


t--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam--
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel

On Wed, Feb 06, 2008 at 10:13:36AM +0200, Timo Aaltonen wrote:
> On Fri, 1 Feb 2008, Timo Aaltonen wrote:

[...]

> > http://bugzilla.padl.com/show_bug.cgi?id=172
>
> Still no comments.. Ok, lets put it this way; does anyone object if I were
> to upload a new version with this patch?

I work on the principle if anyone objects, they'll speak up...

--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam

On Mon, 11 Feb 2008, Adam McGreggor wrote:

> On Wed, Feb 06, 2008 at 10:13:36AM +0200, Timo Aaltonen wrote:
>> On Fri, 1 Feb 2008, Timo Aaltonen wrote:
>
> [...]
>
>>> http://bugzilla.padl.com/show_bug.cgi?id=172
>>
>> Still no comments.. Ok, lets put it this way; does anyone object if I were
>> to upload a new version with this patch?
>
> I work on the principle if anyone objects, they'll speak up...

I had a chat with Rick about the patch, and there were some concerns which
are being addressed.


t

--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam