[Fedora-directory-users] Re: Certificate authentication with SASL External
by Howard Chu
>
> From: David Boreham <david_list(a)boreham.org>
>
>> > Remember that authentication is not the same as authorization - having
>> > the valid certificate just proves who you are to the server; the
>> > server doesn't have to accord you any privileges/authorization just
>> > because of that.
>>
>
> Correct, but the OP _wanted_ to make an authorization decision for this
> identity, not just perform authentication.
>
Yes, I'm sure eventually the OP would want to make an authorization
decision, but their complaint showed that they weren't even able to get
past authentication. The fact that FDS doesn't support distributed
authentication makes the authorization question a bit moot.
> I think what he wants is to be able to use the subject DN in the
> client's cert directly as the bind identity for access control purposes.
> This isn't supported. Not because the original developers missed some
> grand X.500 vision, but because nobody needed to do that (and haven't
> for 10 years, until now...).
Personal experience tells me that many people have needed distributed
authentication in the past 10 years, and it's been used extensively in
OpenLDAP for the past 6 or so. The folks who designed LDAP plainly
didn't consider it, just as they didn't consider the majority of the
implications of true distributed operation.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
18 years, 2 months
[Fedora-directory-users] Building RPMS on 64 Bit
by Brett Elsmore
FDUG,
Has anyone had success building RPMs on 64-bit?
I am getting the following error -
Executing(%install): /bin/sh -e /var/tmp/rpm-tmp.38067
+ umask 022
+ cd /usr/src/redhat/BUILD
+ LANG=C
+ export LANG
+ unset DISPLAY
+ echo yes
+ echo yes
+ ./setup -b /usr/src/redhat/BUILD//opt/fedora-ds
/var/tmp/rpm-tmp.38067: line 30: ./setup: No such file or directory
error: Bad exit status from /var/tmp/rpm-tmp.38067 (%install)
When I look at the spec file, line 80 states -
(echo yes ; echo yes) | ./setup -b $RPM_BUILD_ROOT/%{prefix}
Thanks for any assistance.
[Fedora-directory-users] Re: Certificate authentication with SASL External
by Howard Chu
> From: Rob Crittenden <rcritten(a)redhat.com>
>
> Yann wrote:
>
>> Thanks Richard,
>>
>> but this howto explains how to match the certificate DN to an LDAP entry... my
>> problem is, I don't want to have a corresponding entry in the LDAP directory...
>>
>> I want to be identified only by the DN in the certificate, and match some ACL..
>> that's all. No need to have an entry in the LDAP.
>>
>> If it's possible in DS...
>>
>
> So you want to bind to the directory server with a valid client
> certificate for a user that doesn't exist? For what purpose?
>
There is no reason to assume any connection between SASL identities and
LDAP directory entries. Moreover, in a true distributed directory
system, there's no reason to assume that an entry for a valid user is
present on every DSA in the system. Of course, the folks who developed
LDAP didn't understand this essential bit of X.500, so it's no surprise
that you're unfamiliar with distributed authentication. Remember that
authentication is not the same as authorization - having the valid
certificate just proves who you are to the server; the server doesn't
have to accord you any privileges/authorization just because of that.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
RE: [Fedora-directory-users] Account lockout counters not replicating; how to unlock users?
by Bliss, Aaron
P.S. Normal replication is happening, as well as typical referrals from
consumer to supplier (i.e. password changes). Any help with this will
be much appreciated, as this is a rather huge problem right now. Thanks
again.
Aaron
-----Original Message-----
From: fedora-directory-users-bounces(a)redhat.com
[mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Bliss,
Aaron
Sent: Tuesday, February 07, 2006 5:11 PM
To: General discussion list for the Fedora Directory server project.
Subject: [Fedora-directory-users] Account lockout counters not
replicating;how to unlock users?
[Fedora-directory-users] Account lockout counters not replicating; how to unlock users?
by Bliss, Aaron
Here's my setup; 2 directory servers, 1 supplier, 1 consumer; I'm not
sure why, but for some reason I'm not seeing password retry counters
being replicated from the consumer to the supplier; here is what I've
seen (I have FDS set up to lock accounts after 5 bad password attempts,
reset failure count after 15 minutes):
- if a user types their password incorrectly on a server that binds first
  to a consumer, then their password retry count increments only on the
  consumer
- if a user successfully binds to the server, then their password retry
  count does get reset
This is a problem for a couple of reasons. If an account becomes locked
out because of bad password attempts, I've tried deleting the attributes
passwordRetryCount and accountUnlockTime
(http://directory.fedora.redhat.com/wiki/Howto:PasswordReset) from the
supplier; however, for some reason this is not replicated to the consumer
(is this an indication of a different problem?). This is a problem as I
have some of my Linux servers look to the supplier first for
authentication, and then the consumer second, and vice versa for load
balancing. According to FDS documentation, account lockout counters may
not work as expected in a multi-master environment
(http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#1086446);
this is one of the reasons that I opted for a single-master
environment; please advise and thanks. Given the issues that I'm
having, what is the best way to unlock accounts that have been locked
due to bad password attempts?
Aaron
www.preferredcare.org
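An added example, not from the thread or from FDS itself: it compares the two lockout attributes named in the post (passwordRetryCount, accountUnlockTime) between a supplier copy and a consumer copy of the same entry, since the post reports they do not replicate, and builds the ldapmodify input that clears them, which is the manual reset the linked howto describes. The LDIF samples are constructed; uid=jdoe and dc=example,dc=com are placeholders.

```python
# Lockout attributes from the post; the consumer copy is constructed with a
# stale counter and an unlock time the supplier never received.
LOCKOUT_ATTRS = ("passwordRetryCount", "accountUnlockTime")

SUPPLIER_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
uid: jdoe
passwordRetryCount: 0
"""
CONSUMER_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
uid: jdoe
passwordRetryCount: 5
accountUnlockTime: 20060207224500Z
"""


def parse_ldif_entry(text):
    """Minimal LDIF reader for one entry (no base64 '::' values, no folded lines)."""
    entry = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            attr, _, value = line.partition(": ")
            entry.setdefault(attr, []).append(value)
    return entry


def lockout_divergence(supplier_ldif, consumer_ldif):
    """Lockout attributes whose values differ between the two replicas, as
    {attr: (supplier_values, consumer_values)}; None means the attribute is absent."""
    s, c = parse_ldif_entry(supplier_ldif), parse_ldif_entry(consumer_ldif)
    return {a: (s.get(a), c.get(a)) for a in LOCKOUT_ATTRS if s.get(a) != c.get(a)}


def unlock_ldif(entry_ldif):
    """ldapmodify input that deletes whichever lockout attributes the entry
    carries, i.e. the manual reset from the howto linked in the post."""
    entry = parse_ldif_entry(entry_ldif)
    lines = [f"dn: {entry['dn'][0]}", "changetype: modify"]
    for attr in LOCKOUT_ATTRS:
        if attr in entry:
            lines += [f"delete: {attr}", "-"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(lockout_divergence(SUPPLIER_LDIF, CONSUMER_LDIF))
    print(unlock_ldif(CONSUMER_LDIF))
```

Run the same comparison against a real export of the entry from each server (for example with ldapsearch) to confirm which replica still holds the stale counter before applying the reset.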
[Fedora-directory-users] autofs & FDS
by Susan
Hi, all. Is there a faq entry/how-to on how to serve automount maps with FDS?
It seems that I need the automount objectClass but where is the schema supporting that? I found
this one:
http://people.redhat.com/nalin/schema/autofs.schema
is that what folks normally use? It seems that cosine.schema is a requirement.. should I steal
that from an openldap rpm?
Can the 10rfc2307 schema be used somehow? It comes with FDS which is nice but it's got all that
nis stuff in there, not sure how relevant that would be with linux clients...
Thanks for your help.
Re: [Fedora-directory-users] Certificate authentication with SASL External
by Yann
Yes Bob, exactly. Is it possible with DS?
Next, ACLs are in charge of giving the right access rights to the user....
Yann
>> Thanks Richard,
>>
>> but this howto explains how to match the certificate DN to an LDAP entry... my
>> problem is, I don't want to have a corresponding entry in the LDAP directory...
>>
>> I want to be identified only by the DN in the certificate, and match some ACL..
>> that's all. No need to have an entry in the LDAP.
>>
>> If it's possible in DS...
>>
>
>So you want to bind to the directory server with a valid client
>certificate for a user that doesn't exist? For what purpose?
>
>rob
[Fedora-directory-users] Certificate authentication with SASL External
by Yann
Hi all !
I use Fedora Directory Server 7.1 on Solaris 9, works great :-)
I use certificate authentication over SSL with the SASL external method; it works great
when the DN in the certificate has a corresponding entry in the LDAP directory.
So, I tried to find a way to do that when no corresponding entry exists... but I
can't find how to...
I tried SASL mapping...
special ACL perhaps ?
I know it's possible because it works with OpenLDAP (or perhaps it's a bug :-)
So, has anyone successfully bound with certificate authentication with the SASL
external method without a corresponding LDAP entry ?
Thanks
Yann
Log ko without entry :
[06/Feb/2006:22:13:02 +0000] conn=6 SSL 128-bit RC4; client CN=toto titi,OU=TEST,O=TEST; issuer O=TEST
[06/Feb/2006:22:13:02 +0000] conn=6 SSL failed to map client certificate to LDAP DN (No such object)
[06/Feb/2006:22:13:02 +0000] conn=6 op=0 BIND dn="cn=toto titi,OU=TEST,o=TEST" method=sasl version=3 mech=EXTERNAL
[06/Feb/2006:22:13:02 +0000] conn=6 op=0 RESULT err=49 tag=97 nentries=0 etime=0
Log ok with a corresponding entry :
[06/Feb/2006:16:16:58 +0000] conn=108 SSL 128-bit RC4; client CN=toto titi,OU=TEST,O=TEST; issuer O=TEST
[06/Feb/2006:16:16:58 +0000] conn=108 SSL client bound as cn=toto titi,ou=TEST,o=TEST
[06/Feb/2006:16:16:58 +0000] conn=108 op=0 BIND dn="cn=toto titi,ou=TEST,o=TEST" method=sasl version=3 mech=EXTERNAL
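An added example, not code from the thread or from Fedora Directory Server: it reads access-log lines in the format the post shows and, per connection, ties the client-certificate line, the "failed to map client certificate to LDAP DN" line and the SASL EXTERNAL BIND/RESULT pair together, so an administrator can list certificate subjects that verified at the TLS layer but were refused at bind time (err=49) for lack of a matching entry. The sample is the post's own log lines re-joined, plus one constructed RESULT line for conn=108 that the post omits; the line layout is assumed from those samples only.

```python
import re

# Constructed sample: the post's wrapped log lines joined, plus an assumed err=0 RESULT for conn=108.
SAMPLE_LOG = """\
[06/Feb/2006:22:13:02 +0000] conn=6 SSL 128-bit RC4; client CN=toto titi,OU=TEST,O=TEST; issuer O=TEST
[06/Feb/2006:22:13:02 +0000] conn=6 SSL failed to map client certificate to LDAP DN (No such object)
[06/Feb/2006:22:13:02 +0000] conn=6 op=0 BIND dn="cn=toto titi,OU=TEST,o=TEST" method=sasl version=3 mech=EXTERNAL
[06/Feb/2006:22:13:02 +0000] conn=6 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[06/Feb/2006:16:16:58 +0000] conn=108 SSL 128-bit RC4; client CN=toto titi,OU=TEST,O=TEST; issuer O=TEST
[06/Feb/2006:16:16:58 +0000] conn=108 SSL client bound as cn=toto titi,ou=TEST,o=TEST
[06/Feb/2006:16:16:58 +0000] conn=108 op=0 BIND dn="cn=toto titi,ou=TEST,o=TEST" method=sasl version=3 mech=EXTERNAL
[06/Feb/2006:16:16:58 +0000] conn=108 op=0 RESULT err=0 tag=97 nentries=0 etime=0
"""

CLIENT_RE = re.compile(r"\] conn=(\d+) SSL .*?; client (.+?); issuer (.+)$")
MAPFAIL_RE = re.compile(r"\] conn=(\d+) SSL failed to map client certificate to LDAP DN \((.+)\)$")
BOUND_RE = re.compile(r"\] conn=(\d+) SSL client bound as (.+)$")
BIND_RE = re.compile(r"\] conn=(\d+) op=(\d+) BIND dn=\"[^\"]*\" method=sasl .*mech=EXTERNAL$")
RESULT_RE = re.compile(r"\] conn=(\d+) op=(\d+) RESULT err=(\d+)")


def _entry(conns, conn):
    return conns.setdefault(conn, {"subject": None, "issuer": None, "mapped": None,
                                   "map_error": None, "bound_as": None, "err": None})


def external_bind_report(log_text):
    """Per connection: certificate subject, whether it mapped to an entry, and
    the LDAP result code of its SASL EXTERNAL bind (None if no such bind was seen)."""
    conns, ext_ops = {}, {}  # ext_ops: conn -> op number of the EXTERNAL bind awaiting RESULT
    for line in log_text.splitlines():
        if m := CLIENT_RE.search(line):
            _entry(conns, m[1]).update(subject=m[2], issuer=m[3])
        elif m := MAPFAIL_RE.search(line):
            _entry(conns, m[1]).update(mapped=False, map_error=m[2])
        elif m := BOUND_RE.search(line):
            _entry(conns, m[1]).update(mapped=True, bound_as=m[2])
        elif m := BIND_RE.search(line):
            ext_ops[m[1]] = m[2]
        elif (m := RESULT_RE.search(line)) and ext_ops.get(m[1]) == m[2]:
            _entry(conns, m[1])["err"] = int(m[3])
    return conns


def failed_external_binds(log_text):
    """Connections whose certificate verified but whose EXTERNAL bind was refused
    with err=49 because the subject DN mapped to no entry: (conn, subject, reason)."""
    return [(c, i["subject"], i["map_error"]) for c, i in external_bind_report(log_text).items()
            if i["mapped"] is False and i["err"] == 49]
```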