Re: LDAP Help

From: David Syzdek <syzdek@mosquitonet.com>
Date: Mon Mar 21 2005 - 23:45:24 AKST

Joshua,

The source code for the pam_ldap module from
http://www.padl.com/OSS/pam_ldap.html has an example LDAP configuration
file called ldap.conf. The example is fairly well documented; however,
it does assume that you are familiar with LDAP and your schema.

The string `1PDH3JZL01' is not the DN for your user, although it is
likely part of the DN. For instance, iPlanet Messaging server uses a
unique key when creating personal address book entries. Here is an
example entry from my address book:

dn: un=syzdek3212,ou=syzdek,ou=People,o=mosquitonet.com,o=isp,o=pab
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: pabperson
givenName: David
sn: Syzdek
cn: David Syzdek
memberOfPAB: AddressBook001
mail: syzdek@mosquitonet.com
un:syzdek3212

You do not have to key off of information in the DN to find a specific
entry. For example, I could use the following ldapsearch sequence to find
the above entry in my company's LDAP server:

bash$ ldapsearch -LLL -h localhost -p 389 \
> -D "uid=syzdek,ou=People,o=isp" -W -s one \
> ou=syzdek,ou=People,o=mosquitonet.com,o=isp,o=pab \
> '(sn=syzdek)'
Enter LDAP Password:
dn: un=syzdek3212,ou=syzdek,ou=People,o=mosquitonet.com,o=isp,o=pab
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: pabperson
givenName: David
sn: Syzdek
cn: David Syzdek
memberOfPAB: AddressBook001
mail: syzdek@mosquitonet.com
un:syzdek3212

bash$

Notice that I never mentioned `syzdek3212' in the command line arguments
for ldapsearch even though it is a part of the DN.

In your case, let's suppose that the full DN for your user that has an
internal ID of `1PDH3JZL01' is:

dn: employee=1PDH3JZL01,ou=people,dc=mycompany,dc=com

Let's also suppose that you wish to auth against the user's e-mail
address which is stored as a value in the attribute `mail'.

You would want to use the following config directives (note that this is
not a complete config):

base ou=people,dc=mycompany,dc=com
# Commenting out the binddn and bindpw
# directives causes the LDAP pam module
# to perform an anonymous bind
#binddn cn=proxyuser,dc=padl,dc=com
#bindpw secret
#
# Filter to AND with uid=%s
#pam_filter objectclass=account
#
# The user ID attribute (defaults to uid)
pam_login_attribute mail

This will most likely not be the only mangling of the config you will
have to do; however, without an example LDIF from one of your users this
will have to do for now.

In addition you might want to look at this document for how to install
the module:

http://www.tldp.org/HOWTO/LDAP-Implementation-HOWTO/pamnss.html

If you submit an example LDIF, I will be more than happy to help you
hash out the remaining config directives if I can.

I hope this helped, and good luck with pam configs.

--David Syzdek

On Mon, 2005-03-21 at 09:11 -0900, Joshua Kugler wrote:
> Hello all -
>
> I have a server on which I would like to authenticate users via our
> enterprise LDAP server. This is probably a matter of being pointed to
> the right docs, but initial googling hasn't gotten me anywhere.
>
> My situation is probably a bit different than most in that we need to
> do a "two phase" bind.
>
> All users in the directory have a unique ID. Mine is 1PDH3JZL01.
> Understandably, users don't want to type this in every time they
> login, and most don't even know theirs since it's an internal ID used
> to keep things unique. Thus, the user then enters another piece of
> unique information, such as their e-mail address, corporation username,
> or user ID, which is an eight-digit number. None of these are the DN;
> only "1PDH3JZL01" (in my case) is the DN.
>
> Well, what has to happen is this:
>
> Enter corporation username
> Anonymous bind to lookup dn (distinguishing name) from LDAP server
> Bind a second time with the found dn as well as the supplied password
> If second bind succeeds, the user is authenticated. If not, login
> fails.
>
> It seems, though, that pam_ldap only wants to do a single phase bind,
> thus I'm stuck.
>
> Also, there are pam_login_* directives in /etc/ldap.conf, but I
> can't seem to find any man pages or other docs
> (/usr/share/doc/pam_ldap-170 doesn't have anything), and I can't find
> the relevant docs on http://www.padl.com/OSS/pam_ldap.html .
>
> Does anyone have any tips or pointers?
>
> Thanks!
>
> j----- k-----
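The "search for the DN, then bind as that DN" sequence Joshua describes, combined with the base / pam_login_attribute / pam_filter directives David points at, written out as an added Python example (this is not code from either poster or from pam_ldap). The DN, base and attribute values are the hypothetical ones from the thread; directory access goes through a small search/bind interface backed by an in-memory FakeDirectory with constructed data, so the flow runs offline (with python-ldap you would back the same interface with a real connection).

```python
from typing import Dict, List, Optional, Protocol

LDAP_BASE = "ou=people,dc=mycompany,dc=com"   # the 'base' directive
LOGIN_ATTR = "mail"                            # 'pam_login_attribute mail'
PAM_FILTER = "objectclass=account"             # 'pam_filter', AND-ed with the login term

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a typed login must not be able to rewrite the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_login_filter(login: str) -> str:
    """Same shape pam_ldap builds: (&(<pam_filter>)(<login_attr>=<login>))."""
    term = "(%s=%s)" % (LOGIN_ATTR, escape_filter_value(login))
    return "(&(%s)%s)" % (PAM_FILTER, term) if PAM_FILTER else term

class Directory(Protocol):
    def search(self, base: str, filt: str) -> List[str]: ...  # DNs matching filt
    def bind(self, dn: str, password: str) -> bool: ...

def two_phase_auth(d: Directory, login: str, password: str) -> Optional[str]:
    """Phase 1: search (anonymously) for the user's DN. Phase 2: bind as that DN.
    Returns the DN on success, None on any failure."""
    if not password:        # empty password = unauthenticated bind (RFC 4513 5.1.2);
        return None         # servers may "accept" it, so it must never count as a login
    dns = d.search(LDAP_BASE, build_login_filter(login))
    if len(dns) != 1:       # no match or an ambiguous match both fail
        return None
    return dns[0] if d.bind(dns[0], password) else None

class FakeDirectory:
    """In-memory stand-in holding constructed data so the flow runs offline.
    It only understands the exact filter shape build_login_filter emits."""
    def __init__(self) -> None:
        self.entries: Dict[str, Dict[str, str]] = {
            "employee=1PDH3JZL01,ou=people,dc=mycompany,dc=com":
                {"mail": "joshua@mycompany.com", "userpassword": "s3cret"},
        }
    def search(self, base: str, filt: str) -> List[str]:
        prefix = "(&(%s)(%s=" % (PAM_FILTER, LOGIN_ATTR)
        if not (filt.startswith(prefix) and filt.endswith("))")):
            return []
        value = filt[len(prefix):-2]
        return [dn for dn, e in self.entries.items()
                if dn.endswith(base) and escape_filter_value(e[LOGIN_ATTR]) == value]
    def bind(self, dn: str, password: str) -> bool:
        e = self.entries.get(dn)
        return e is not None and e["userpassword"] == password

if __name__ == "__main__":
    print(two_phase_auth(FakeDirectory(), "joshua@mycompany.com", "s3cret"))
```

The search step never needs the internal ID in the filter: the entry is found by the mail attribute and the full DN (internal ID included) comes back from the directory, which is exactly why the ID never has to be typed.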