________________________________________
From: 389-users-bounces(a)lists.fedoraproject.org
[389-users-bounces(a)lists.fedoraproject.org] on behalf of Daniel Maher
[dma+389users(a)witbe.net]
Sent: 15 October 2010 16:12
To: 389-users(a)lists.fedoraproject.org
Subject: Re: [389-users] Greedy PAM
On 10/15/2010 04:57 PM, Gerrard Geldenhuis wrote:
> Is there a way to dynamically have search basis when queries for certain data is
done.
Yes.
> How do you configure clients to be more selective when doing searches against a ldap
directory.
It depends entirely on the software doing the query. Here's an example
from one of my Apache HTTPd configs :
AuthLDAPURL
"ldap://<server>/ou=People,dc=franceix,dc=net?uid??(|(gidNumber=10000)(gidNumber=11000))"
Thanks, I have addded the following filters for PAM in /etc/ldap.conf
nss_base_passwd ou=people,dc=mycompany?sub
nss_base_group ou=Groups,dc=mycompany?sub
nss_base_group ou=PrivateGroups,dc=mycompany?sub
nss_base_group ou=SystemGroups,dc=mycompany?sub
It works kind of but what I don't understand is that when a client authenticates
against the directory server I see a ldapsearch request in wireshark for every single
user. I am not sure if this a misconfiguration on my side or if PAM_LDAP is being
greedy/lazy/buggy or where else the problem lies. I see a succesfull result for every ldap
search request in LDAP so I am not sure why every user would need to be queried if only
one user needs to authenticate.
We use a seperate user to speak to the Directory specified in /etc/ldap.conf. I am not
sure if that would make a difference.
binddn uid=SysAuth,ou=Service Accounts,dc=mycompany
Any thoughts would be appreciated and suggestions for a nice tool to analyze LDAP
conversations would be much appreciated. I am playing with dsniff and netsniff-ng.
Best Regards
________________________________________________________________________
In order to protect our email recipients, Betfair Group use SkyScan from
MessageLabs to scan all Incoming and Outgoing mail for viruses.
________________________________________________________________________