From: Stephen G. P. <sg...@ma...> - 2013-12-22 13:37:39
Hi Jamie,

Nss_ldap has a configuration option for supporting rfc2307bis and will actually pull members from both the uid based and dn based attributes, even in the same object - see section 5.2 of the draft spec: http://tools.ietf.org/html/draft-howard-rfc2307bis-02. Hence webmin would probably have to have an extra field for the DN based attribute with configuration options to enable / disable each separately. Two further complications:

1) different implementations use different names for the DN based attributes (e.g. the DN based attribute is sometimes 'member' (later RFC versions); other times 'uniqueMember' (early RFC versions), by comparison the uid attribute is almost always 'memberUid' (as per original spec)) - hence the name of the DN attribute will need to be configurable too. The structural classes vary a lot too, thanks to spec variations, but the existing webmin config allows for that - more or less.

2) An empty group appears not to be allowed in many implementations.

It doesn't help that the RFC is far from complete - 'draft' is correct because it really is full of holes!

Stephen

Date: Sat, 21 Dec 2013 14:01:32 -0800 (PST)
From: "Jamie Cameron" <jca...@we...>
Subject: Re: [webmin-devel] LDAP Groups and RFC2307BIS
To: Webmin development list <web...@li...>
Message-ID: <138...@we...>

On 21/Dec/2013 10:24 Stephen G. Parry <sg...@ma...> wrote ..
>> Hi,
>> I have recently had to reconfigure my OpenLDAP server to use RFC2307bis
>> groups, rather than the more usual RFC2307. A lot of admins are finding
>> the need to do this, mainly to get a working memberOf attribute for use
>> with many popular applications such as owncloud that are too dim to make
>> separate group and user lookups. The main difference between 2307 and
>> 2307bis is that the members of a group are stored in 'member' or
>> 'uniqueMember' attributes, not 'memberUid', and they are DNs not just
>> uids. Unfortunately, the webmin LDAP users and groups module does not
>> appear to cope with this. I have stuck my nose into the code and indeed,
>> the attribute name appears to be hard coded and is uid only. Has anyone
>> done any work on this? I could try knocking together a patch, but I am
>> not a perl coder, so the learning curve would be steep.
>> Thanks in advance
>> Stephen Parry
>
> Hi Stephen,
>
> Does using RFC2307bis mean that the schema for Unix users and groups stored
> in LDAP changes? My understanding is that the schema is what defines
> the names of fields, and that changing this would also break NSS-LDAP (the Linux
> library that allows users and groups to be stored in LDAP).
>
> - Jamie
>
> _______________________________________________
> webadmin-devel mailing list
> web...@li...
> https://lists.sourceforge.net/lists/listinfo/webadmin-devel
>
> End of webadmin-devel Digest, Vol 40, Issue 1
> *********************************************
From: Stephen G. P. <sg...@ma...> - 2013-12-23 19:54:57
Hi Jamie,

The RFC has not changed in four years and I think is unlikely to. Actually, developing this may not be as bad as it sounds - e.g. the attributes are read from LDAP and written to it regardless of the names I think so backend writing / reading can remain as is.

Here is a breakdown of what we need:

In module config:
- a checkbox (enable rfc2307bis)
- a text field (dn member attribute name).

In Edit User, Group Membership:
- Secondary Groups - functions just as now, but is relabelled 'Secondary Groups (by UID)'
- New panel, shown only if rfc2307bis is set - Secondary Groups (by DN) - pulls list of groups from the dn member attribute dictated by the config. The left hand side can be populated in the same way as the existing panel. The right hand will need a new query of some kind.

In Edit Group, Group Details:
- Members - functions just as now, but labelled 'Member UIDs'
- New panel, shown only if rfc2307bis is set - labelled 'Member DNs'. The left hand side will need a new LDAP query to populate it. Will need a new variable to store list in.

In LDAP Groups list:
- Concatenate the two attribute lists together before displaying as members column

I'll have a look at the code over the holiday and see if I can come up with a provisional patch.

regards
Stephen
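The membership merging discussed in this thread (nss_ldap reading both the memberUid values and the DN based member/uniqueMember values of one group, per section 5.2 of the draft, and the proposed "concatenate the two attribute lists" behaviour for Webmin's groups list) as an added example in Python. This is illustrative code written for this page, not nss_ldap's or Webmin's own implementation. It assumes a constructed LDIF sample embedded below, a deliberately simplified DN normalisation that ignores RFC 4514 escaping, and a policy of resolving DNs through the directory's own user entries rather than parsing the uid out of the DN string: a DN that does not resolve is reported, never turned into a uid.

```python
"""Merge POSIX group membership from RFC 2307 style (memberUid: uid values)
and RFC 2307bis style (member / uniqueMember: DNs) attributes, the way
nss_ldap does when both appear in the same group entry."""

import base64
import re
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]  # attribute name (lower-cased) -> values

# Constructed sample directory, not taken from any real server. 'admins'
# mixes both styles in one entry (alice listed twice, once folded over two
# LDIF lines), 'legacy' uses uniqueMember with the optional '#bitstring'
# suffix plus a dangling DN, and 'empty' has no members at all.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: alice
uidNumber: 1001

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: bob
uidNumber: 1002

dn: cn=admins,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: groupOfNames
cn: admins
gidNumber: 2001
description:: U3lzdGVtIGFkbWlucw==
memberUid: alice
member: uid=bob,ou=People,dc=example,dc=com
member: UID=Alice, OU=People,
  DC=example, DC=com

dn: cn=legacy,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: groupOfUniqueNames
cn: legacy
gidNumber: 2002
uniqueMember: uid=bob,ou=People,dc=example,dc=com#'0101'B
uniqueMember: uid=ghost,ou=People,dc=example,dc=com

dn: cn=empty,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: empty
gidNumber: 2003
"""

_BITSTRING_SUFFIX = re.compile(r"#'[01]*'B$")  # uniqueMember's optional UID


def parse_ldif(text: str) -> List[Tuple[str, Entry]]:
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' base64
    values, returns (dn, attrs) per entry. No change records, no URLs."""
    entries: List[Tuple[str, Entry]] = []
    logical: List[str] = []
    for raw in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]        # folded continuation line
        elif raw.strip() == "":
            if logical:
                entries.append(_entry_from_lines(logical))
                logical = []
        elif not raw.startswith("#"):
            logical.append(raw)
    return entries


def _entry_from_lines(lines: List[str]) -> Tuple[str, Entry]:
    dn, attrs = "", {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        name = name.strip().lower()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return dn, attrs


def normalize_dn(dn: str) -> str:
    """Simplified DN comparison form: lower-case, no whitespace around RDN
    separators. Real DN matching also handles escaped commas and attribute
    type aliases; this is an assumption good enough for the sample."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def strip_optional_uid(value: str) -> str:
    """uniqueMember has NameAndOptionalUID syntax: DN optionally followed
    by #'<bits>'B. Plain 'member' values pass through unchanged."""
    return _BITSTRING_SUFFIX.sub("", value).strip()


def dn_member_attribute(attrs: Entry, configured: str = "member") -> str:
    """Pick the DN based attribute from the structural class when it is
    unambiguous, otherwise fall back to the configured name."""
    classes = {c.lower() for c in attrs.get("objectclass", [])}
    if "groupofuniquenames" in classes:
        return "uniquemember"
    if "groupofnames" in classes:
        return "member"
    return configured.lower()


def index_users(entries: List[Tuple[str, Entry]]) -> Dict[str, str]:
    """Map normalised DN -> uid for every posixAccount. Membership is
    resolved through this index, so a member DN whose RDN says uid=X but
    which does not exist cannot inject 'X' into the group."""
    index: Dict[str, str] = {}
    for dn, attrs in entries:
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "posixaccount" in classes and attrs.get("uid"):
            index[normalize_dn(dn)] = attrs["uid"][0]
    return index


def resolve_group_members(group: Entry, users_by_dn: Dict[str, str],
                          dn_attr: str = "member", use_uid_attr: bool = True,
                          use_dn_attr: bool = True) -> Tuple[List[str], List[str]]:
    """Return (sorted unique uids, member values that resolved to no user).
    The two booleans mirror the proposed per-attribute enable/disable."""
    uids, unresolved = set(), []
    if use_uid_attr:
        uids.update(group.get("memberuid", []))
    if use_dn_attr:
        for value in group.get(dn_member_attribute(group, dn_attr), []):
            uid = users_by_dn.get(normalize_dn(strip_optional_uid(value)))
            if uid is None:
                unresolved.append(value)
            else:
                uids.add(uid)
    return sorted(uids), unresolved


def groups_from_ldif(text: str, dn_attr: str = "member", use_uid_attr: bool = True,
                     use_dn_attr: bool = True) -> Dict[str, Dict[str, List[str]]]:
    """Resolve every posixGroup in the LDIF; keyed by cn."""
    entries = parse_ldif(text)
    users = index_users(entries)
    result = {}
    for _, attrs in entries:
        if "posixgroup" in {c.lower() for c in attrs.get("objectclass", [])}:
            members, unresolved = resolve_group_members(
                attrs, users, dn_attr, use_uid_attr, use_dn_attr)
            result[attrs["cn"][0]] = {"members": members, "unresolved": unresolved}
    return result


if __name__ == "__main__":
    for name, info in groups_from_ldif(SAMPLE_LDIF).items():
        print(f"{name}: {','.join(info['members'])}  unresolved={info['unresolved']}")
```

Run stand-alone it prints one line per group; 'admins' collapses alice's duplicate listing into a single uid, 'legacy' keeps bob but flags the ghost DN instead of silently granting membership, and 'empty' comes out with no members, which is the case Stephen notes many servers refuse to store at all.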
From: Jamie C. <jca...@we...> - 2013-12-24 07:48:17
On 23/Dec/2013 11:54 Stephen G. Parry <sg...@ma...> wrote ..
> Hi Jamie,
>
> The RFC has not changed in four years and I think is unlikely to.
> Actually, developing this may not be as bad as it sounds - e.g. the
> attributes are read from LDAP and written to it regardless of the names
> I think so backend writing / reading can remain as is.
> Here is a breakdown of what we need:
> In module config:
> - a checkbox (enable rfc2307bis)
> - a text field (dn member attribute name).
>
> In Edit User, Group Membership:
> - Secondary Groups - functions just as now, but is relabelled 'Secondary
> Groups (by UID)'
> - New panel, shown only if rfc2307bis is set - Secondary Groups (by DN)
> - pulls list of groups from the dn member attribute dictated by the
> config. The left hand side can be populated in the same way as the
> existing panel. The right hand will need a new query of some kind.
>
> In Edit Group, Group Details:
> - Members - functions just as now, but labelled 'Member UIDs'
> - New panel, shown only if rfc2307bis is set - labelled 'Member DNs'.
> The left hand side will need a new LDAP query to populate it. Will need
> a new variable to store list in.

That would work .. although alternately, perhaps if rfc2307bis mode is enabled the old-style list of member UIDs could be replaced entirely by member DNs?

> In LDAP Groups list:
> - Concatenate the two attribute lists together before displaying as
> members column
>
> I'll have a look at the code over the holiday and see if I can come up
> with a provisional patch.

Thanks, a patch would be awesome!

 - Jamie
From: Jamie C. <jca...@we...> - 2013-12-23 06:32:04
Wow, that sounds like it is going to be painful to support in Webmin. I may just hold off until the RFC is finalized, to avoid having to make changes more than once.

On 22/Dec/2013 05:37 Stephen G. Parry <sg...@ma...> wrote ..
> Hi Jamie,
>
> Nss_ldap has a configuration option for supporting rfc2307bis and will
> actually pull members from both the uid based and dn based attributes,
> even in the same object - see section 5.2 of the draft spec:
> http://tools.ietf.org/html/draft-howard-rfc2307bis-02. Hence webmin
> would probably have to have an extra field for the DN based attribute
> with configuration options to enable / disable each separately. Two
> further complications:
>
> 1) different implementations use different names for the DN based
> attributes (e.g. the DN based attribute is sometimes 'member' (later RFC
> versions); other times 'uniqueMember' (early RFC versions), by
> comparison the uid attribute is almost always 'memberUid' (as per
> original spec)) - hence the name of the DN attribute will need to be
> configurable too. The structural classes vary a lot too, thanks to spec
> variations, but the existing webmin config allows for that - more or less.
>
> 2) An empty group appears not to be allowed in many implementations.
>
> It doesn't help that the RFC is far from complete - 'draft' is correct
> because it really is full of holes!
>
> Stephen
>
> Date: Sat, 21 Dec 2013 14:01:32 -0800 (PST)
> From: "Jamie Cameron" <jca...@we...>
> Subject: Re: [webmin-devel] LDAP Groups and RFC2307BIS
> To: Webmin development list <web...@li...>
> Message-ID: <138...@we...>
>
> On 21/Dec/2013 10:24 Stephen G. Parry <sg...@ma...> wrote ..
> >> Hi,
> >> I have recently had to reconfigure my OpenLDAP server to use RFC2307bis
> >> groups, rather than the more usual RFC2307. A lot of admins are finding
> >> the need to do this, mainly to get a working memberOf attribute for use
> >> with many popular applications such as owncloud that are too dim to make
> >> separate group and user lookups. The main difference between 2307 and
> >> 2307bis is that the members of a group are stored in 'member' or
> >> 'uniqueMember' attributes, not 'memberUid', and they are DNs not just
> >> uids. Unfortunately, the webmin LDAP users and groups module does not
> >> appear to cope with this. I have stuck my nose into the code and indeed,
> >> the attribute name appears to be hard coded and is uid only. Has anyone
> >> done any work on this? I could try knocking together a patch, but I am
> >> not a perl coder, so the learning curve would be steep.
> >> Thanks in advance
> >> Stephen Parry
> >
> > Hi Stephen,
> >
> > Does using RFC2307bis mean that the schema for Unix users and groups stored
> > in LDAP changes? My understanding is that the schema is what defines
> > the names of fields, and that changing this would also break NSS-LDAP (the Linux
> > library that allows users and groups to be stored in LDAP).
> >
> > - Jamie