Re: LDAP Help

From: Joshua Kugler <joshua.kugler@uaf.edu>
Date: Tue Mar 22 2005 - 15:14:30 AKST

Thanks for the pointers. I've finally gotten (somewhat of) an understanding
of how all this is fitting together. I'm still waiting for the group that admins
our UA LDAP directory to put in a nice, friendly, username. We have one
alphanumeric ID that's rather ugly (1PDH3JZL01 for me) and a numeric ID.
Soon, a System ID will be added that will be first initial middle initial
last name. I'll be able to use that as a user name. Will be much nicer.

So at any rate, thanks for your help...this should get me going.

j----- k-----

On Monday 21 March 2005 23:45, David Syzdek wrote:
> Joshua,
>
> The source code for the pam_ldap module from
> http://www.padl.com/OSS/pam_ldap.html has an example LDAP configuration
> file called ldap.conf. The example is fairly well documented, however
> it does assume that you are familiar with LDAP and your schema.
>
> The string `1PDH3JZL01' is not the DN for your user, although it is
> likely part of the DN. For instance iPlanet Messaging server uses a
> unique key when creating personal address book entries. Here is an
> example entry from my address book:
>
> dn: un=syzdek3212,ou=syzdek,ou=People,o=mosquitonet.com,o=isp,o=pab
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: pabperson
> givenName: David
> sn: Syzdek
> cn: David Syzdek
> memberOfPAB: AddressBook001
> mail: syzdek@mosquitonet.com
> un: syzdek3212
>
> You do not have to key off of information in the DN to find a specific
> entry. For example I could use the following ldapsearch sequence to find
> the above entry in my company's LDAP server:
>
> bash$ ldapsearch -LLL -h localhost -p 389 \
> > -D "uid=syzdek,ou=People,o=isp" -W -s one \
> > ou=syzdek,ou=People,o=mosquitonet.com,o=isp,o=pab \
> > '(sn=syzdek)'
>
> Enter LDAP Password:
> dn: un=syzdek3212,ou=syzdek,ou=People,o=mosquitonet.com,o=isp,o=pab
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: pabperson
> givenName: David
> sn: Syzdek
> cn: David Syzdek
> memberOfPAB: AddressBook001
> mail: syzdek@mosquitonet.com
> un: syzdek3212
>
> bash$
>
> Notice that I never mentioned `syzdek3212' in the command line arguments
> for ldapsearch even though it is a part of the DN.
>
> In your case, let's suppose that the full DN for your user that has an
> internal ID of `1PDH3JZL01' is:
>
> dn: employee=1PDH3JZL01,ou=people,dc=mycompany,dc=com
>
> Let's also suppose that you wish to auth against the user's e-mail
> address which is stored as a value in the attribute `mail'.
>
> You would want to use the following config directives (note that this is
> not a complete config):
>
> base ou=people,dc=mycompany,dc=com
> # Commenting out the binddn and bindpw
> # directives causes the LDAP pam module
> # to perform an anonymous bind
> #binddn cn=proxyuser,dc=padl,dc=com
> #bindpw secret
> #
> # Filter to AND with uid=%s
> #pam_filter objectclass=account
> #
> # The user ID attribute (defaults to uid)
> pam_login_attribute mail
>
> This will most likely not be the only mangling of the config you will
> have to do, however without an example LDIF from one of your users this
> will have to do for now.
>
> In addition you might want to look at this document for how to install
> the module:
>
> http://www.tldp.org/HOWTO/LDAP-Implementation-HOWTO/pamnss.html
>
> If you submit an example LDIF, I will be more than happy to help you
> hash out the remaining config directives if I can.
>
> I hope this helped and good luck with pam configs.
>
> --David Syzdek
>
> On Mon, 2005-03-21 at 09:11 -0900, Joshua Kugler wrote:
> > Hello all -
> >
> > I have a server on which I would like to authenticate users via our
> > enterprise LDAP server. This is probably a matter of being pointed to
> > the right docs, but initial googling hasn't gotten me anywhere.
> >
> > My situation is probably a bit different than most in that we need to
> > do a "two phase" bind.
> >
> > All users in the directory have a unique ID. Mine is 1PDH3JZL01.
> > Understandably, users don't want to type this in every time they
> > login, and most don't even know theirs since it's an internal ID used
> > to keep things unique. Thus, the user then enters another piece of
> > unique information, such as their e-mail address, corporation username,
> > or user ID, which is an eight-digit number. None of these are the DN,
> > only "1PDH3JZL01" (in my case) is the DN.
> >
> > Well, what has to happen is this:
> >
> > Enter corporation username
> > Anonymous bind to lookup dn (distinguishing name) from LDAP server
> > Bind a second time with the found dn as well as the supplied password
> > If second bind succeeds, the user is authenticated. If not, login
> > fails.
> >
> > It seems, though, that pam_ldap only wants to do a single-phase bind,
> > thus I'm stuck.
> >
> > Also, there are pam_login_* directives in /etc/ldap.conf, but I
> > can't seem to find any man pages or other docs
> > (/usr/share/doc/pam_ldap-170 doesn't have anything), and I can't find
> > the relevant docs on http://www.padl.com/OSS/pam_ldap.html .
> >
> > Does anyone have any tips or pointers?
> >
> > Thanks!
> >
> > j----- k-----
>
> ---------
> To unsubscribe, send email to <aklug-request@aklug.org>
> with 'unsubscribe' in the message body.

-- 
Joshua Kugler
CDE System Administrator
http://distance.uaf.edu/
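The "two phase" bind Joshua describes (anonymous search for the DN by a friendly attribute, then a bind as that DN) is exactly what David's `pam_login_attribute` / `pam_filter` directives make pam_ldap do. The following is an added illustration, not code from the thread or from pam_ldap: the directory is an in-memory stand-in constructed for the example (the first DN follows the thread's hypothetical, the mail and password values are made up), so it runs offline; against a real server the two operations are a search and a simple bind.

```python
import hmac
# Constructed in-memory directory (DN -> attributes) standing in for the LDAP server.
# The first DN follows the thread's example; mail and password values are made up.
DIRECTORY = {
    "employee=1PDH3JZL01,ou=people,dc=mycompany,dc=com": {
        "objectClass": ["account", "inetOrgPerson"],
        "mail": ["jkugler@example.edu"],
    },
    "employee=ZZ99EXAMPLE,ou=people,dc=mycompany,dc=com": {
        "objectClass": ["inetOrgPerson"],  # lacks `account`: pam_filter excludes it
        "mail": ["jkugler@example.edu"],   # same mail, to exercise the ambiguity check
    },
}
PASSWORDS = {"employee=1PDH3JZL01,ou=people,dc=mycompany,dc=com": "correct horse"}

def has_value(attrs, attr, value):
    """Equality on mail/objectClass is case-insensitive (caseIgnore matching rules)."""
    return value.lower() in (v.lower() for v in attrs.get(attr, []))

def search_dn(base, login_attr, value, extra_filter=None):
    """Phase 1, anonymous: DNs under `base` with login_attr=value, ANDed with an
    optional (attr, value) pair, i.e. pam_login_attribute plus pam_filter."""
    hits = []
    for dn, attrs in DIRECTORY.items():
        if not dn.lower().endswith("," + base.lower()):
            continue
        if not has_value(attrs, login_attr, value):
            continue
        if extra_filter and not has_value(attrs, *extra_filter):
            continue
        hits.append(dn)
    return hits

def simple_bind(dn, password):
    """Phase 2: simple bind as the found DN. An empty password is refused up front:
    servers treat DN + empty password as an *unauthenticated* bind that succeeds
    without checking any credential (RFC 4513, section 5.1.2)."""
    if not password:
        return False
    stored = PASSWORDS.get(dn)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())

def authenticate(login, password, base="ou=people,dc=mycompany,dc=com",
                 login_attr="mail", extra_filter=("objectClass", "account")):
    """Return the authenticated DN or None. Fail closed unless exactly one entry
    matched: with two candidates we could not know whose password we verified."""
    candidates = search_dn(base, login_attr, login, extra_filter)
    if len(candidates) != 1:
        return None
    return candidates[0] if simple_bind(candidates[0], password) else None
```

Dropping the `pam_filter` equivalent (`extra_filter=None`) makes the sample login ambiguous and the function refuses it, which is the reason to keep an object-class filter ANDed with the login attribute in a real `ldap.conf`.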
Received on Tue Mar 22 15:14:33 2005

This archive was generated by hypermail 2.1.8 : Tue Mar 22 2005 - 15:14:33 AKST