
Re: Sun ILOM LDAP support (was: Compare-Request on hashed userPassword)

On Thu, 29 Sep 2011, Dan White wrote:

> On 29/09/11 17:51 +0200, Buchan Milne wrote:
> > On Wednesday, 28 September 2011 16:24:35 Dan White wrote:
> > > We had a similar problem where Sun ILOM requires userPassword to be in a
> > > Solaris compatible crypt format. We created a custom attribute, called
> I don't have a business relationship with Oracle to open a ticket. Does
> anyone have a point of contact at Oracle to submit feature requests to?

The manual clearly states that passwords must be crypted (MD5 IIRC; I'm not going to open the PDF now to check). However, our experience (ILOM v3) is that an LDAP Simple Bind with SSL works, for loose values of "works." Yes, this directly contradicts the documentation. I didn't bother filing a support request. (They might break it as not matching specs!)

I forget whether there was some sort of configurable filter on the ILOM. My hazy recollection was that it performed a search, ignored the results entirely, and then blindly bound as "$ATTR=$INPUT,$SUFFIX" where $ATTR and $SUFFIX were configurable and $INPUT must be known, out-of-band and precisely, by the end user (as the search results were ignored).

This presented us with nervous laughter and an issue; we (essentially) wanted only users with primary gid wheel to get into the ILOMs. In less time than it would have taken me to submit a change request I wrote up:

database                relay
suffix                  "o=rightPrimaryGid"
overlay                 rwm

rwm-rewriteEngine on
# all dataflow from client to server referring to DNs
rwm-rewriteContext default
rwm-rewriteRule "(.+,)?o=rightPrimaryGid$" "$1o=posixAccounts" ":"
# add a gidNumber=12345 filter to anybody here -- of course the ILOMs ignore searches, how lame
rwm-rewriteContext searchFilter
rwm-rewriteRule "(.+)" "(&$1(gidNumber=12345))" ":"
# all dataflow from server to client
rwm-rewriteContext searchEntryDN
rwm-rewriteRule "(.+,)?o=posixAccounts$" "$1o=rightPrimaryGid" ":"
rwm-rewriteContext searchAttrDN alias searchEntryDN
rwm-rewriteContext matchedDN alias searchEntryDN
# misc empty rules
rwm-rewriteContext referralAttrDN
rwm-rewriteContext referralDN
# only allow binds to gidNumber=12345 uid=.* dns ... this could possibly be optimized?
rwm-rewriteMap slapd oneGid "ldap:///o=posixAccounts?dn?sub?(&(gidNumber=12345)"
rwm-rewriteContext bindDN
rwm-rewriteRule "^(uid=[^,]+),.*" "${oneGid(($1)))}" ":@I"

and now the ILOMs and I have an uneasy truce.
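An added model (not from the post above, and not slapd or the rwm overlay itself) of why the bindDN map matters: the ILOM ignores search results and binds blindly as uid=$INPUT,$SUFFIX, so the gidNumber filter alone restricts nothing, while routing the bind DN through a gid-restricted lookup does. The directory entries, passwords and suffixes are constructed sample data.

```python
import re

# Constructed sample directory: DN -> attributes (not real entries)
DIRECTORY = {
    "uid=alice,o=posixAccounts": {"gidNumber": "12345", "userPassword": "alice-pw"},
    "uid=bob,o=posixAccounts":   {"gidNumber": "100",   "userPassword": "bob-pw"},
}
WHEEL_GID = "12345"              # the gidNumber the post's config restricts to
CLIENT_SUFFIX = "o=rightPrimaryGid"   # $SUFFIX as configured on the ILOM
SERVER_SUFFIX = "o=posixAccounts"     # the real suffix behind the relay


def rewrite_default(dn):
    """Model of the 'default' context: client-side suffix -> real suffix."""
    return re.sub(r"(.+,)?o=rightPrimaryGid$",
                  lambda m: (m.group(1) or "") + SERVER_SUFFIX, dn)


def one_gid_map(uid_rdn):
    """Model of the 'oneGid' map: look up (&(gidNumber=12345)(uid=...)),
    returning the matching DN or None when no entry satisfies both."""
    uid = uid_rdn.split("=", 1)[1]
    for dn, attrs in DIRECTORY.items():
        if dn.startswith(f"uid={uid},") and attrs["gidNumber"] == WHEEL_GID:
            return dn
    return None


def rewrite_bind_dn(dn):
    """Model of the 'bindDN' context: only DNs the gid-restricted map finds survive."""
    m = re.match(r"^(uid=[^,]+),.*", dn)
    return one_gid_map(m.group(1)) if m else None


def ilom_login(user_input, password, bind_map=True):
    """ILOM behaviour as the post describes it: the search is ignored and a
    simple bind is attempted as uid=$INPUT,$SUFFIX.  With bind_map=False only
    the suffix rewrite is applied, which is what makes the search filter moot."""
    bind_dn = f"uid={user_input},{CLIENT_SUFFIX}"
    target = rewrite_bind_dn(bind_dn) if bind_map else rewrite_default(bind_dn)
    entry = DIRECTORY.get(target) if target else None
    return entry is not None and entry["userPassword"] == password


if __name__ == "__main__":
    print("alice via map:", ilom_login("alice", "alice-pw"))          # True
    print("bob via map:", ilom_login("bob", "bob-pw"))                # False (gid 100)
    print("bob, suffix rewrite only:", ilom_login("bob", "bob-pw", False))  # True
```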