From: Stephen G. P. <sg...@ma...> - 2013-12-22 13:37:39
Hi Jamie,

Nss_ldap has a configuration option for supporting rfc2307bis and will actually pull members from both the uid-based and DN-based attributes, even in the same object - see section 5.2 of the draft spec: http://tools.ietf.org/html/draft-howard-rfc2307bis-02. Hence webmin would probably have to have an extra field for the DN-based attribute, with configuration options to enable / disable each separately.

Two further complications:

1) Different implementations use different names for the DN-based attributes (e.g. the DN-based attribute is sometimes 'member' (later RFC versions); other times 'uniqueMember' (early RFC versions); by comparison the uid attribute is almost always 'memberUid' (as per the original spec)) - hence the name of the DN attribute will need to be configurable too. The structural classes vary a lot too, thanks to spec variations, but the existing webmin config allows for that - more or less.

2) An empty group appears not to be allowed in many implementations.

It doesn't help that the RFC is far from complete - 'draft' is correct because it really is full of holes!

Stephen

Date: Sat, 21 Dec 2013 14:01:32 -0800 (PST)
From: "Jamie Cameron" <jca...@we...>
Subject: Re: [webmin-devel] LDAP Groups and RFC2307BIS
To: Webmin development list <web...@li...>
Message-ID: <138...@we...>

On 21/Dec/2013 10:24 Stephen G. Parry <sg...@ma...> wrote ..
>> Hi,
>> I have recently had to reconfigure my OpenLDAP server to use RFC2307bis
>> groups, rather than the more usual RFC2307. A lot of admins are finding
>> the need to do this, mainly to get a working memberOf attribute for use
>> with many popular applications such as owncloud that are too dim to make
>> separate group and user lookups. The main difference between 2307 and
>> 2307bis is that the members of a group are stored in 'member' or
>> 'uniqueMember' attributes, not 'memberUid', and they are DNs, not just
>> uids.
>> Unfortunately, the webmin LDAP users and groups module does not
>> appear to cope with this. I have stuck my nose into the code and indeed,
>> the attribute name appears to be hard coded and is uid only. Has anyone
>> done any work on this? I could try knocking together a patch, but I am
>> not a perl coder, so the learning curve would be steep.
>> Thanks in advance
>> Stephen Parry

> Hi Stephen,
>
> Does using RFC2307bis mean that the schema for Unix users and groups stored
> in LDAP changes? My understanding is that the schema is what defines
> the names of fields, and that changing this would also break NSS-LDAP (the Linux
> library that allows users and groups to be stored in LDAP).
>
> - Jamie
>
> _______________________________________________
> webadmin-devel mailing list
> web...@li...
> https://lists.sourceforge.net/lists/listinfo/webadmin-devel
>
> End of webadmin-devel Digest, Vol 40, Issue 1
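The mixed lookup Stephen describes above (memberUid taken verbatim, plus a configurable DN-valued attribute followed to the user entry, the way nss_ldap does it per section 5.2 of the draft), together with the empty-group problem from his point 2, as an added worked example. This is not webmin or nss_ldap code: the LDIF is constructed, and the function names, the default attribute list, the DN normalisation and the reporting of unresolvable DNs are my own choices. It goes a little beyond the thread in that it also handles a DN written with different case and spacing from the entry it points at, and a DN that points at nothing.

```python
# Resolving group members from an LDAP export that mixes RFC 2307 memberUid
# with RFC 2307bis DN-valued attributes. Added example; not webmin/nss_ldap code.
from collections import defaultdict

# Constructed sample LDIF, not a real directory: 'dev' carries memberUid and
# member in one entry (draft-howard-rfc2307bis section 5.2 allows both),
# 'ops' uses uniqueMember with a loosely formatted DN, 'empty' has no members.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: alice

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: bob

dn: cn=dev,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: groupOfNames
cn: dev
memberUid: alice
member: uid=bob,ou=People,dc=example,dc=com
member: uid=ghost,ou=People,dc=example,dc=com

dn: cn=ops,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: groupOfUniqueNames
cn: ops
uniqueMember: UID=Alice, OU=People, DC=example, DC=com

dn: cn=empty,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: groupOfNames
cn: empty
"""

def normalize_dn(dn):
    """Case-fold and strip whitespace around RDN separators so DNs written
    differently by different clients compare equal (no escaping support)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def parse_ldif(text):
    """Minimal LDIF parser: {normalized dn: {lowercased attr: [values]}}.
    Handles folded lines only; base64 ('::') and URL ('<') values are not."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of the previous line
        else:
            lines.append(raw)
    entries, current, attrs = {}, None, defaultdict(list)
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if current is not None:
                entries[current] = dict(attrs)
            current, attrs = None, defaultdict(list)
            continue
        name, _, value = line.partition(":")
        if name.lower() == "dn":
            current = normalize_dn(value.strip())
        else:
            attrs[name.lower()].append(value.strip())
    return entries

def resolve_members(entries, group_dn, *, use_memberuid=True,
                    dn_attrs=("member", "uniqueMember")):
    """Return (sorted uids, dangling DNs). memberUid values are used verbatim;
    each configured DN-valued attribute is followed to its entry and that
    entry's uid is taken. Unresolvable DNs are reported, not dropped."""
    group = entries[normalize_dn(group_dn)]
    uids, dangling = set(), []
    if use_memberuid:
        uids.update(group.get("memberuid", []))
    for attr in dn_attrs:
        for dn in group.get(attr.lower(), []):
            target = entries.get(normalize_dn(dn))
            if target and target.get("uid"):
                uids.add(target["uid"][0])
            else:
                dangling.append(dn)
    return sorted(uids), dangling

# RFC 4519 makes 'member' mandatory in groupOfNames and 'uniqueMember' in
# groupOfUniqueNames, while posixGroup merely permits memberUid; a server
# that enforces schema therefore rejects an empty group carrying those classes.
REQUIRED_MEMBER_ATTR = {"groupofnames": "member",
                        "groupofuniquenames": "uniquemember"}

def empty_group_violations(entries):
    """List (dn, missing attribute) for groups that would fail schema checks."""
    bad = []
    for dn, attrs in entries.items():
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        for cls, attr in REQUIRED_MEMBER_ATTR.items():
            if cls in classes and not attrs.get(attr):
                bad.append((dn, attr))
    return bad
```

Calling resolve_members(parse_ldif(SAMPLE_LDIF), "cn=dev,ou=Groups,dc=example,dc=com") yields alice (from memberUid) and bob (from member), and reports the ghost DN as dangling; for 'ops' the oddly-cased uniqueMember still resolves to alice. The use_memberuid switch and the dn_attrs list are the two knobs a webmin-style configuration would expose, one per attribute family plus the DN attribute name. The schema check is what makes "empty group not allowed" concrete: once an entry carries groupOfNames, the server's schema demands a member value, so removing the last member fails unless the object classes are changed as well.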