
Re: OpenLDAP with ppolicy and SSSD configuration question.



Viviano, Brad wrote:
Unfortunately for me, I am in a situation where I have to trust PAM and not LDAP and don't have the luxury of binding for each user login.

You're still not understanding. The only way *PAM* can get any useful information out of LDAP is by performing a Bind operation of its own. I never said anything about changing your user application software to perform a Bind.

I have to support SSH public keys or software we rely on doesn't work, commercial software I have no option but to use. So yes, I trust PAM to know how to search LDAP based on my filters and ensure that I won't have 2 users with the same UID. It's not perfect but it's what I have. So, I need a reliable way to lock an account that can handle both methods. I am just trying to make the best of the situation and was looking for some help from the experts on the best way to handle that.

Again, I don't see the issue as sssd vs. OpenLDAP. If I were using another package I'd be asking the same questions because my requirements don't change; I still need to support SSH keys and LDAP Binds. Clearly there is some animosity between the OpenLDAP group and sssd group, on both sides, as my experience here asking about sssd and on the sssd-devel list asking about OpenLDAP has shown me the last few days. I don't really care about that. I am just trying to make my setup work as best I can because it's what my boss wants.

This is not sssd vs OpenLDAP. This is sssd vs secure programming practice. sssd is providing a PAM service that uses LDAP for authentication and authorization information. That's fine, that's the purpose of PAM, but you cannot do any authorization step without first performing authentication, and you can't do authentication to LDAP without performing a Bind.

Like usual, the end user is caught in the middle of the ongoing Open Source war of zealots who view their way as the only way and tend to forget the actual people who have to use the software they are developing, people who don't have the luxury of installing every package from tar.gz with their own custom compile time options in a nice test environment where users are all pretend and no one's account ever gets hacked.

Nor does this have anything to do with open source programming practice. This is about how to design security software.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/