From: "Norman Gray" <norman@astro.gla.ac.uk>
To: freebsd-questions@freebsd.org
Subject: pam_ldap: documentation problems
Date: Tue, 27 Mar 2018 12:21:36 +0100
Message-ID: <91400FA4-B69E-4272-9F89-88626AE55136@astro.gla.ac.uk>
List-Id: User questions (freebsd-questions@freebsd.org)
Greetings.

I'm trying to set up PAM/LDAP authentication. I think the following may represent documentation bugs (or at least omissions), but I'm insufficiently confident about the technology to raise them as such without some discussion here first. Do let me know if there's a better list for this to go to.

1. The pam_ldap(5) manpage (installed as part of the pam_ldap pkg/port) says

    pam_groupdn
        Specifies the distinguished name of a group to which a user must
        belong for logon authorization to succeed.

    pam_member_attribute
        Specifies the attribute to use when testing a user's membership
        of a group specified in the pam_groupdn option.

This description doesn't, however, make clear whether pam_member_attribute is an attribute on the user's entry, naming the group they belong to (eg memberOf), or an attribute on the group's entry, naming the users who are members (eg member or memberUid). Other resources suggest [5] it's the latter, but it would be useful to have this clarified in the FreeBSD manpage.

2. The article at [1] discusses PAM configuration and mentions pam_groupdn, but _doesn't_ illustrate pam_member_attribute, so doesn't resolve the ambiguity in pam_ldap(5). Further, this article says:

> Members of this group are specified in one or more memberUid
> attributes, and each attribute must have the full distinguished name
> of the member. So memberUid: someuser will not work; it must be:
>
> memberUid: uid=someuser,ou=people,dc=example,dc=org

I think this may actually not conform with how memberUid is intended to be used. Specifically, I think that memberUid should indeed be simply `someuser`. That is, I suspect this article is wrong, or at least unconventional, in this demand.
If we look at `/usr/local/etc/openldap/schema/nis.schema`, we see that memberUid has syntax 1.3.6.1.4.1.1466.115.121.1.26 which (as you will of course instantly recognise) is IA5String (ie, ASCII) (some other nis.schema files, eg on macOS, give this as 'directory string', meaning a UTF-8 encoded ISO10646/Unicode string). RFC 2307 [3] also says that memberUid is an IA5String. The DN quoted above doesn't violate this as a matter of syntax, but note that the attribute is _not_ given syntax ...121.1.12, or DN. In contrast, the `member` attribute (RFC 2256, [4]) _is_ given syntax distinguishedName. Thus the implication does seem to be that, pace the article at [1], memberUid is intended _not_ to be a DN.

Also, RFC 2307bis ([6], draft, but widely implemented) explicitly says:

    It is suggested that uid and cn are used as the naming attribute
    for posixAccount and posixGroup entries, respectively. Group
    members may either be login names (values of memberUid) or
    distinguished names (values of member).

which seems to rule out DN-valued memberUid. The howto at [5] also illustrates memberUid as a simple uid, not a DN.

I haven't yet experimented with this in practice -- I'm still trying to read around this -- so it's possible that memberuid:someuser does in fact work in practice, and the article is simply out of date.

Can anyone comment? Or point to alternative instructions for setting up FreeBSD client PAM/LDAP (in the current context, I'm configuring the server-side as well, but that has to be compatible with Linux clients, too)?

Best wishes,

Norman

[1] https://www.freebsd.org/doc/en_US.ISO8859-1/articles/ldap-auth/client.html
[2] http://www.ietf.org/rfc/rfc2252.txt
[3] http://www.ietf.org/rfc/rfc2307.txt
[4] http://www.ietf.org/rfc/rfc2256.txt
[5] http://www.tldp.org/HOWTO/archived/LDAP-Implementation-HOWTO/pamnss.html
[6] https://tools.ietf.org/html/draft-howard-rfc2307bis-02

-- 
Norman Gray : https://nxg.me.uk
SUPA School of Physics and Astronomy, University of Glasgow, UK
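The following is an added example, not part of the post above and not pam_ldap's own code. It emulates the pam_groupdn / pam_member_attribute check under the reading the post and the howto at [5] favour: pam_member_attribute names an attribute on the group entry, and the user is authorized only if that attribute lists them. It compares DNs (with simplified RFC 4514 normalization) when the attribute is DN-valued (member) and compares login names when it is memberUid, which is the RFC 2307 convention. The LDIF, group names and DNs are constructed for the example; the minimal LDIF parser is an assumption written for it, not an LDAP client library. The third group shows the failure mode the post worries about: a DN stored in memberUid does not match a login-name comparison.

```python
"""Emulation of a pam_groupdn / pam_member_attribute authorization check.
Added example with constructed data; it is not pam_ldap's implementation."""

import re

# Constructed LDIF fragments (not from any real directory). In a
# pam_ldap.conf this would be driven by lines such as:
#   pam_groupdn          cn=sshusers,ou=groups,dc=example,dc=org
#   pam_member_attribute memberUid
LDIF = """\
dn: cn=sshusers,ou=groups,dc=example,dc=org
objectClass: posixGroup
cn: sshusers
gidNumber: 10001
memberUid: someuser
memberUid: otheruser

dn: cn=admins,ou=groups,dc=example,dc=org
objectClass: groupOfNames
cn: admins
member: uid=someuser,ou=people,dc=example,dc=org

dn: cn=legacy,ou=groups,dc=example,dc=org
objectClass: posixGroup
cn: legacy
gidNumber: 10002
memberUid: uid=someuser,ou=people,dc=example,dc=org
"""

# Attributes whose values carry syntax 1.3.6.1.4.1.1466.115.121.1.12 (DN).
# memberUid is deliberately absent: it is an IA5String (RFC 2307).
DN_VALUED = {"member", "uniquemember", "owner"}


def parse_ldif(text):
    """Minimal LDIF parser (assumption made for this example): returns
    {dn: {attr_lowercase: [values]}}. Only the plain 'attr: value' form
    is handled, which is all the constructed data needs."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        entries[dn] = attrs
    return entries


def normalize_dn(dn):
    """Case-fold and strip blanks around RDN separators. A simplified
    RFC 4514 comparison, sufficient for the DNs constructed here."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_member(entries, pam_groupdn, pam_member_attribute, user_uid, user_dn):
    """Authorize user_uid/user_dn against the GROUP entry named by
    pam_groupdn, testing pam_member_attribute on that entry. DN-valued
    attributes are compared as DNs; memberUid is compared as a login name."""
    group = entries.get(pam_groupdn)
    if group is None:
        return False  # fail closed: a missing group must not authorize anyone
    attr = pam_member_attribute.lower()
    values = group.get(attr, [])
    if attr in DN_VALUED:
        want = normalize_dn(user_dn)
        return any(normalize_dn(v) == want for v in values)
    return user_uid in values


if __name__ == "__main__":
    entries = parse_ldif(LDIF)
    user_dn = "uid=someuser,ou=people,dc=example,dc=org"
    for grp, attr in [("sshusers", "memberUid"), ("admins", "member"),
                      ("legacy", "memberUid")]:
        dn = "cn=%s,ou=groups,dc=example,dc=org" % grp
        print(grp, attr, is_member(entries, dn, attr, "someuser", user_dn))
```

With memberUid holding login names the check succeeds; with the article's DN-valued memberUid it fails, because nothing in the RFC 2307 syntax tells a client to parse that value as a DN.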