[imp] bind several branches in the LDAP tree for authentication

Edward Wildgoose Edward.Wildgoose@FRMHedge.com
Wed, 3 Apr 2002 10:32:10 +0100


Hi Atif, once again you demonstrate your excellent LDAP understanding!

Slightly OT, but I have a few questions on LDAP, and I suspect those on the list may be interested (I have read all the docs on your website).

Scenario: I have two (or more domains), say, one called free-email.com and the other called paid-email.com.  Each has a website hosted by Postnuke and I want to use postnuke authentication (which can bind via LDAP) so that each user also gets to log-in to the postnuke site.  Postfix, Courier, etc on the backend

Now, I guess the LDAP design would be a made up root name, eg o=EdWildgoosesDomains, with two sub roots for each domain?  Is there any reason why the root node needs to have a resolvable name via DNS?

Now I want users to be able to log-in with short user names, eg fred, not fred-free-email, so I guess that I am going to have to write my own code to ensure that users are unique across the two domains?  Is there anything built into LDAP to help with this?  

I also need to use SSH for an application that users can have access to.  Anyone know if OpenSSH can be made to work with LDAP?  I notice that there is a PAM auth option and PAM can presumably be made to work with LDAP?  Anyone know how easy it is to migrate to LDAP auth if you already have some local accounts...  Can you have a mixed environment?  (Yet another reason to ensure that the LDAP users are unique)

I guess in the situation below what is wanted is for IMP to understand "virtual hosts", ie if the user connects using one www address, then modify the LDAP query in some way, perhaps filter on another LDAP attribute?

Thanks,

Ed W


HAHN Nicolas wrote:
> > Hi everybody :-)
> > 
> You mean bind to one of the several branches of the LDAP server.

> How are your branches separated?

> Are you using multiple branches for domains to avoid unique name =
clashes?
> If yes, then you are not doing the right thing. You should have =
atleast 
> one _unique_ attribute in the record to identify that record.
> If thats not the case, you dont have to bind to a different branch =
anyway.

> Example:
> If you have
> dn: uid=aghaffar, domain=developer.ch, o=something
> and
> dn: uid=aghaffar, domain=horde.org, o=something

> then its a poor directory design

> If on the other hand you have only _one_ record per uid.

> dn: uid=aghaffar, domain=developer.ch, o=something
> dn: uid=chuck, domain=horde.org, o=something

> the you just can use o=something as your base branch to search for 
> binding users.

> ldapsearch -b "o=something" uid=chuck
> ldapsearch -b "o=something" uid=aghaffar
> should both give you a result.

-- 
Atif Ghaffar
---------------------------.
           +41 78 845 31 64 ¦ tel
     aghaffar@developer.ch  ¦ email
     http://atifghaffar.com ¦ www
                    8206786 ¦ icq




>From andreas@dahlen.ws Date: Wed,  3 Apr 2002 12:11:31 +0200
Return-Path: <andreas@dahlen.ws>
Mailing-List: contact imp-help@lists.horde.org; run by ezmlm
Delivered-To: mailing list imp@lists.horde.org
Received: (qmail 76510 invoked from network); 3 Apr 2002 10:11:35 -0000
Received: from as1-5-2.b.bonet.se (HELO tena.dahlen.ws) (194.236.143.39)
  by clark.horde.org with SMTP; 3 Apr 2002 10:11:35 -0000
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by tena.dahlen.ws (8.12.1/8.12.1) with ESMTP id g33ABo6F025616
	for <imp@lists.horde.org>; Wed, 3 Apr 2002 12:11:50 +0200
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=ISO-8859-1
Date: Wed,  3 Apr 2002 12:11:31 +0200
From: =?ISO-8859-1?B?QW5kcmVhcyBEYWhs6W4=?= <andreas@dahlen.ws>
In-Reply-To: <BD3E77556CCABA4F8BDF174801D41E881A1EC6@exchserver.FRiskMan.com>
Message-ID: <1017828691.3caad5537ef50@www.dahlen.ws>
MIME-Version: 1.0
Received: from tena.dahlen.ws (localhost.localdomain [127.0.0.1])
	by localhost.localdomain (AvMailGate-6.13.0.1) id 25501-1F58CBFF;
	Wed, 03 Apr 2002 12:11:31 +0200
Received: (from apache@localhost)
	by tena.dahlen.ws (8.12.1/8.12.1/Submit) id g33ABVDh025500
	for imp@lists.horde.org; Wed, 3 Apr 2002 12:11:31 +0200
Received: from 193.235.198.1 ( [193.235.198.1])
	as user anj@localhost by www.dahlen.ws with HTTP;
	Wed,  3 Apr 2002 12:11:31 +0200
References: <BD3E77556CCABA4F8BDF174801D41E881A1EC6@exchserver.FRiskMan.com>
To: imp@lists.horde.org
User-Agent: Internet Messaging Program (IMP) 3.1-cvs
X-AntiVirus: OK! AvMailGate Version 6.13.0.5
	 at tena.dahlen.ws has not found any known virus in this email.
X-Authentication-Warning: tena.dahlen.ws: apache set sender to andreas@dahlen.ws using -f
Subject: RE: [imp] bind several branches in the LDAP tree for authentication

Hi!

To have OpenSSH to authenticate via LDAP wou could look at pam_ldap 
at http://www.padl.com/Contents/OpenSourceSoftware.html. I've used 
it for a while and it works fine. If you have local accounts you 
can migrate to LDAP or keep them as they are.

/Andreas


Citerar Edward Wildgoose <Edward.Wildgoose@FRMHedge.com>:

> Hi Atif, once again you demonstrate your excellent LDAP
> understanding!
> 
> Slightly OT, but I have a few questions on LDAP, and I suspect
> those on the list may be interested (I have read all the docs on
> your website).
> 
> Scenario: I have two (or more domains), say, one called
> free-email.com and the other called paid-email.com.  Each has a
> website hosted by Postnuke and I want to use postnuke
> authentication (which can bind via LDAP) so that each user also
> gets to log-in to the postnuke site.  Postfix, Courier, etc on
> the backend
> 
> Now, I guess the LDAP design would be a made up root name, eg
> o=EdWildgoosesDomains, with two sub roots for each domain?  Is
> there any reason why the root node needs to have a resolvable
> name via DNS?
> 
> Now I want users to be able to log-in with short user names, eg
> fred, not fred-free-email, so I guess that I am going to have to
> write my own code to ensure that users are unique across the two
> domains?  Is there anything built into LDAP to help with this?  
> 
> I also need to use SSH for an application that users can have
> access to.  Anyone know if OpenSSH can be made to work with LDAP?
>  I notice that there is a PAM auth option and PAM can presumably
> be made to work with LDAP?  Anyone know how easy it is to migrate
> to LDAP auth if you already have some local accounts...  Can you
> have a mixed environment?  (Yet another reason to ensure that the
> LDAP users are unique)
> 
> I guess in the situation below what is wanted is for IMP to
> understand "virtual hosts", ie if the user connects using one www
> address, then modify the LDAP query in some way, perhaps filter
> on another LDAP attribute?
> 
> Thanks,
> 
> Ed W
> 
> 
> HAHN Nicolas wrote:
> > > Hi everybody :-)
> > > 
> > You mean bind to one of the several branches of the LDAP
> server.
> 
> > How are your branches separated?
> 
> > Are you using multiple branches for domains to avoid unique
> name clashes?
> > If yes, then you are not doing the right thing. You should have
> atleast 
> > one _unique_ attribute in the record to identify that record.
> > If thats not the case, you dont have to bind to a different
> branch anyway.
> 
> > Example:
> > If you have
> > dn: uid=aghaffar, domain=developer.ch, o=something
> > and
> > dn: uid=aghaffar, domain=horde.org, o=something
> 
> > then its a poor directory design
> 
> > If on the other hand you have only _one_ record per uid.
> 
> > dn: uid=aghaffar, domain=developer.ch, o=something
> > dn: uid=chuck, domain=horde.org, o=something
> 
> > the you just can use o=something as your base branch to search
> for 
> > binding users.
> 
> > ldapsearch -b "o=something" uid=chuck
> > ldapsearch -b "o=something" uid=aghaffar
> > should both give you a result.
> 
> -- 
> Atif Ghaffar
> ---------------------------.
>            +41 78 845 31 64 ¦ tel
>      aghaffar@developer.ch  ¦ email
>      http://atifghaffar.com ¦ www
>                     8206786 ¦ icq
> 
> 
> 
> -- 
> IMP mailing list: http://horde.org/imp/
> Archive: http://marc.theaimsgroup.com/?l=imp&r=1&w=2
> Frequently Asked Questions: http://horde.org/faq/
> To unsubscribe, mail: imp-unsubscribe@lists.horde.org
>