[imp] (WARNING: LONG) bind several branches in the LDAP tree for authentication
Atif Ghaffar
aghaffar@developer.ch
Wed, 3 Apr 2002 13:00:23 +0200
Hello Edward.
On Wednesday 03 April 2002 11:32, Edward Wildgoose wrote:
> Now, I guess the LDAP design would be a made up root name, eg
> o=EdWildgoosesDomains, with two sub roots for each domain? Is there any
> reason why the root node needs to have a resolvable name via DNS?
No, they don't have to be resolvable via DNS.
> Now I want users to be able to log-in with short user names, eg fred, not
> fred-free-email, so I guess that I am going to have to write my own code to
> ensure that users are unique across the two domains? Is there anything
> built into LDAP to help with this?
If you are writing custom apps, or using other webapps, you have the
flexibility to bind wherever you want. The problem comes when you want to
use pam_ldap and backend apps such as courier, cyrus etc.
example:
* two branches
o=My Organisation
domain=freenuke.com, o=My Organisation
domain=paidnuke.com, o=My Organisation
* two websites
postnuke.freenuke.com
postnuke.paidnuke.com
* two users with identical usernames
uid=aghaffar, domain=freenuke.com, o=My Organisation
uid=aghaffar, domain=paidnuke.com, o=My Organisation
Now with your webapp, you can change the base DN according to the
HTTP_SERVER_NAME
if (HTTP_SERVER_NAME == "freenuke.com") { baseDN = "domain=freenuke.com, o=My Organisation"; }
or with regexs, etc.
Then you catch the username, that the user is providing,
1. query for the password for that record, crypt and compare
or
2. query for the user, get the DN and bind to the LDAP server.
Now imagine the same scenario with a mail backend using pam_ldap.
pam_ldap is (for example) configured to use uid as the uid attribute.
You pass the mail server a username and password.
The mail server passes that info to the pam_ldap module.
pam_ldap queries the LDAP server for uid=aghaffar and fails because it gets 2
records. It doesn't know which one to bind to.
There are a few hacks to get around this problem.
For example, you may have another unique attribute which you can use to bind.
uid=aghaffar, domain=developer.ch, o=ispman
uidNumber: 1001
uid=aghaffar, domain=imp.org, o=ispman
uidNumber: 1002
You have to then code your frontend application to get the username, set the
LDAP baseDN, query for the uidNumber and send the uidNumber/userPassword to
the mailserver or backend server.
The same will apply to the FTP server and the POP3/IMAP proxy that you will put in
front for the users to connect to, both of which will fail since they don't
have the info about the SERVER_NAME attribute.
In one of my apps, I use
username_domain_tld as the default username. This ensures that the username is
unique across all domains.
It could be a hindrance for your users to have such a long username, but the
other possibility is to make sure that there are no two same users across the
LDAP directory (same as on a single system).
Another possibility is to give them a numeric uid, similar to the example above:
uid=1034, domain=somedomain, o=something
uid=1098, domain=somedom,o=something
which will let the user access POP/IMAP/FTP/shell etc. using the username
1034, 1098 etc., but I think it is more confusing than aghaffar_developer_ch.
As for HORDE/IMP
IMP has a hook called
$conf['hooks']['vinfo']
see imp/conf.php
This lets your users log in with a short username.
Example: the username can be aghaffar_developer_ch
but I can login to
mail.developer.ch using just "aghaffar"
Hope that helps.
best regards
>
> Thanks,
>
> Ed W
>
> HAHN Nicolas wrote:
> > > Hi everybody :-)
> >
> > You mean bind to one of the several branches of the LDAP server.
> >
> > How are your branches separated?
> >
> > Are you using multiple branches for domains to avoid unique name clashes?
> > If yes, then you are not doing the right thing. You should have at least
> > one _unique_ attribute in the record to identify that record.
> > If that's not the case, you don't have to bind to a different branch
> > anyway.
> >
> > Example:
> > If you have
> > dn: uid=aghaffar, domain=developer.ch, o=something
> > and
> > dn: uid=aghaffar, domain=horde.org, o=something
> >
> > then it's a poor directory design
> >
> > If on the other hand you have only _one_ record per uid.
> >
> > dn: uid=aghaffar, domain=developer.ch, o=something
> > dn: uid=chuck, domain=horde.org, o=something
> >
> > then you can just use o=something as your base branch to search for
> > binding users.
> >
> > ldapsearch -b "o=something" uid=chuck
> > ldapsearch -b "o=something" uid=aghaffar
> > should both give you a result.
--
Atif Ghaffar
---------------------------.
+41 78 845 31 64 ¦ tel
aghaffar@developer.ch ¦ email
http://atifghaffar.com ¦ www
8206786 ¦ icq
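The lookup problem Atif describes, modelled as an added example (not code from the post or from Horde/IMP): a constructed in-memory directory with the same uid under two domain branches, a pam_ldap-style search that fails on the duplicate, the vhost-scoped search a web app can do instead, the uidNumber workaround, and the username_domain_tld naming scheme. The vhost-to-domain mapping and the uidNumber values are assumptions.

```python
class AmbiguousUid(Exception):
    """Raised when a uid search does not return exactly one entry (the pam_ldap failure mode)."""

# Constructed entries mirroring the post's two-branch layout; uidNumbers are made up.
DIRECTORY = [
    {"dn": "uid=aghaffar, domain=freenuke.com, o=My Organisation", "uid": "aghaffar", "uidNumber": 1001},
    {"dn": "uid=aghaffar, domain=paidnuke.com, o=My Organisation", "uid": "aghaffar", "uidNumber": 1002},
    {"dn": "uid=chuck, domain=paidnuke.com, o=My Organisation", "uid": "chuck", "uidNumber": 1003},
]

# Assumed mapping from the web app's HTTP_SERVER_NAME to the domain branch it serves.
VHOSTS = {"postnuke.freenuke.com": "freenuke.com", "postnuke.paidnuke.com": "paidnuke.com"}


def _norm(dn: str) -> str:
    """Normalise spacing around commas so 'a, b' and 'a,b' compare equal."""
    return ",".join(part.strip() for part in dn.split(","))


def search(base_dn: str, uid: str, directory=DIRECTORY) -> list:
    """Subtree search: entries below base_dn whose uid attribute equals uid."""
    base = _norm(base_dn)
    return [e for e in directory if e["uid"] == uid and _norm(e["dn"]).endswith("," + base)]


def pam_ldap_lookup(uid: str, base_dn: str = "o=My Organisation") -> str:
    """What a pam_ldap-style lookup does: one configured base, expect exactly one hit."""
    hits = search(base_dn, uid)
    if len(hits) != 1:
        raise AmbiguousUid(f"{len(hits)} entries for uid={uid} under {base_dn}")
    return _norm(hits[0]["dn"])


def web_bind_dn(server_name: str, uid: str) -> str:
    """A web app knows the vhost, so it can scope the search to that domain's branch."""
    base = f"domain={VHOSTS[server_name]},o=My Organisation"
    return pam_ldap_lookup(uid, base)


def unique_uid_number(server_name: str, uid: str) -> int:
    """The workaround from the post: hand the backend the unique uidNumber, not the uid."""
    dn = web_bind_dn(server_name, uid)
    return next(e["uidNumber"] for e in DIRECTORY if _norm(e["dn"]) == dn)


def long_username(short_uid: str, mail_host: str) -> str:
    """username_domain_tld scheme: 'aghaffar' at mail.developer.ch -> 'aghaffar_developer_ch'."""
    domain = mail_host.split(".", 1)[1]
    return short_uid + "_" + domain.replace(".", "_")
```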