[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP with ppolicy and SSSD configuration question.

Viviano, Brad wrote:
Unfortunately for me, I am in a situation where I have to trust PAM and
not  LDAP and don't have the luxury of binding for each user login.

You're still not understanding. The only way *PAM* can get any useful information out of LDAP is by performing a Bind operation of its own. I never said anything about changing your user application software to perform a Bind.

I have to
support SSH public keys or software we rely on doesn't work, commercial
software I have no option but to use. So yes, I trust PAM to know how to
search LDAP based on my filters and ensure that I won't have 2 users with the
same UID. It's not perfect but its what I have. So, I need a reliable way to
lock an account that can handle both methods. I am just trying to make the
best of the situation and was looking for some help from the experts on the
best way to handle that.

Again, I don't see the issue as sssd vs. OpenLDAP. If I was using another
package I'd be asking the same questions because my requirements don't change,
I still need to support SSH keys and LDAP Binds. Clearly there is some
animosity between the OpenLDAP group and sssd group, on both sides as my
experience here asking about sssd and on the sssd-devel list asking about
OpenLDAP has shown me the last few days. I don't really care about that. I am
just trying to make my setup work as best I can because its what my boss wants.

This is not sssd vs OpenLDAP. This is sssd vs secure programming practice. sssd is providing a PAM service that uses LDAP for authentication and authorization information. That's fine, that's the purpose of PAM, but you cannot do any authorization step without first performing authentication, and you can't do authentication to LDAP without performing a Bind.

Like usual, the end user is caught in the middle of the ongoing Open
war of zealots who view their way as the only way and tend to forget the
actual people who have to use the software they are developing, people who
don't have the luxury of installing every package from tar.gz with their own
custom compile time options in a nice test environment when users are all
pretend and no ones account ever gets hacked.

Nor does this have anything to do with open source programming practice. This is about how to design security software.

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/