From: Jamie C. <jca...@we...> - 2013-12-23 06:32:04
Wow, that sounds like it is going to be painful to support in Webmin. I may just hold off until the RFC is finalized, to avoid having to make changes more than once.

On 22/Dec/2013 05:37 Stephen G. Parry <sg...@ma...> wrote ..
> Hi Jamie,
>
> Nss_ldap has a configuration option for supporting rfc2307bis and will
> actually pull members from both the uid based and dn based attributes,
> even in the same object - see section 5.2 of the draft spec:
> http://tools.ietf.org/html/draft-howard-rfc2307bis-02. Hence webmin
> would probably have to have an extra field for the DN based attribute
> with configuration options to enable / disable each separately. Two
> further complications:
>
> 1) different implementations use different names for the DN based
> attributes (e.g. the DN based attribute is sometimes 'member' (later RFC
> versions); other times 'uniqueMember' (early RFC versions), by
> comparison the uid attribute is almost always 'memberUid' (as per
> original spec)) - hence the name of the DN attribute will need to be
> configurable too. The structural classes vary a lot too, thanks to spec
> variations, but the existing webmin config allows for that - more or less.
>
> 2) An empty group appears not to be allowed in many implementations.
>
> It doesn't help that the RFC is far from complete - 'draft' is correct
> because it really is full of holes!
>
> Stephen
>
> Date: Sat, 21 Dec 2013 14:01:32 -0800 (PST)
> From: "Jamie Cameron" <jca...@we...>
> Subject: Re: [webmin-devel] LDAP Groups and RFC2307BIS
> To: Webmin development list <web...@li...>
> Message-ID: <138...@we...>
>
> On 21/Dec/2013 10:24 Stephen G. Parry <sg...@ma...> wrote ..
> >> Hi,
> >> I have recently had to reconfigure my OpenLDAP server to use RFC2307bis
> >> groups, rather than the more usual RFC2307.
> >> A lot of admins are finding the need to do this, mainly to get a
> >> working memberOf attribute for use with many popular applications
> >> such as owncloud that are too dim to make separate group and user
> >> lookups. The main difference between 2307 and 2307bis is that the
> >> members of a group are stored in 'member' or 'uniqueMember'
> >> attributes, not 'memberUid', and they are DNs not just uids.
> >> Unfortunately, the webmin LDAP users and groups module does not
> >> appear to cope with this. I have stuck my nose into the code and indeed,
> >> the attribute name appears to be hard coded and is uid only. Has anyone
> >> done any work on this? I could try knocking together a patch, but I am
> >> not a perl coder, so the learning curve would be steep.
> >> Thanks in advance
> >> Stephen Parry
> > Hi Stephen,
> >
> > Does using RFC2307bis mean that the schema for Unix users and groups stored
> > in LDAP changes? My understanding is that the schema is what defines
> > the names of fields, and that changing this would also break NSS-LDAP (the Linux
> > library that allows users and groups to be stored in LDAP).
> >
> > - Jamie
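The merge described in the thread (members read from both the uid-based and the DN-based attribute, each switchable, with a configurable DN attribute name), as an added example that is not Webmin or nss_ldap code. `GroupConfig`, `group_members`, the in-memory `USERS` map standing in for a directory lookup, and the empty-value placeholder for servers that reject empty groups are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class GroupConfig:                 # hypothetical settings, one switch per attribute
    use_uid_attr: bool = True      # RFC2307 uid-valued members
    use_dn_attr: bool = True       # RFC2307bis DN-valued members
    uid_attr: str = "memberUid"
    dn_attr: str = "member"        # 'uniqueMember' on some servers

def norm_dn(dn):
    # Naive normalisation (case, spacing around commas); assumes no escaped commas.
    return ",".join(part.strip().lower() for part in dn.split(","))

def get_values(entry, attr):
    # LDAP attribute names are case-insensitive.
    return [v for k, vals in entry.items() if k.lower() == attr.lower() for v in vals]

def group_members(entry, cfg, users_by_dn):
    """Return (sorted uids, unresolved DNs) for one group entry."""
    uids, unresolved = set(), []
    if cfg.use_uid_attr:
        uids.update(get_values(entry, cfg.uid_attr))
    if cfg.use_dn_attr:
        for dn in get_values(entry, cfg.dn_attr):
            if not dn.strip():
                continue           # assumed placeholder keeping the group non-empty
            uid = users_by_dn.get(norm_dn(dn))
            if uid is None:
                unresolved.append(dn)   # stale or foreign DN: report it, never guess a uid
            else:
                uids.add(uid)
    return sorted(uids), unresolved

# Constructed sample data, not taken from a real directory.
USERS = {"uid=alice,ou=people,dc=example,dc=org": "alice",
         "cn=bob smith,ou=people,dc=example,dc=org": "bsmith"}
GROUP = {"cn": ["admins"],
         "memberUid": ["alice", "carol"],
         "member": ["UID=alice, ou=People,dc=example,dc=org",
                    "cn=Bob Smith,ou=People,dc=example,dc=org",
                    "uid=dave,ou=people,dc=example,dc=org", ""]}

if __name__ == "__main__":
    print(group_members(GROUP, GroupConfig(), USERS))
    print(group_members(GROUP, GroupConfig(use_uid_attr=False), USERS))
```

The second return value lists member DNs that no longer resolve to a user, which is worth surfacing in an admin tool because a stale DN silently regains group access if an account is later created at the same DN.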