Yubico Forum

Re: pam_yubico_ldap

2009-08-11T10:47:38+01:00

Was very busy.

I just commited r186 in the yubico-pam SVN with some of the code of tpohl plus some other corrections.
Now you have to enter a ldap_uri parameter like ldap://localhost instead of a hostname in ldapserver parameter.
ldapserver is not used any more.

Can someone test it on other systems? I only have 32bit Debian servers available.

regards

Zubrick

Statistics: Posted by zubrick — Tue Aug 11, 2009 10:47 am

Re: pam_yubico_ldap

2009-03-22T15:06:37+01:00

tpohl,

I have been working on a new yubico-pam patch and would like some help testing with an LDAP setup. I just incorporated your changes, can you please test it out and let me know if it works for you? The configuration has changed a bit, you can read more in this thread, http://forum.yubico.com/viewtopic.php?f=3&t=295.

I am also thinking we should change the setting from ldap_server to ldap_url, thoughts?

Patch is here
http://yubico-squirrelmail-plugin.googlecode.com/files/yubico-pam-1.11-updates5.patch

Statistics: Posted by fergus — Sun Mar 22, 2009 3:06 pm

Re: pam_yubico_ldap

2009-03-20T19:56:30+01:00

I just got the pam_yubico module to work with LDAP under 64bit CentOS. I had to make some coding changes (against the 1.11 module) to use the non-deprecated ldap methods. Also, the value of the ldapserver needs to be an LDAP uri (e.g. ldap://localhost/) instead of a hostname. Below is my version of the validate_user_token_ldap method:

Code:

static int
validate_user_token_ldap (const char *ldapserver,
                          const char *ldapdn, const char *user_attr,
                          const char *yubi_attr, const char *user,
                          const char *token_id)
{

  int retval = 0;
#ifdef HAVE_LIBLDAP
  LDAP *ld;
  LDAPMessage *result, *e;
  BerElement *ber;
  char *a;
  struct berval **vals;
  int i, rc;
  /* FIXME: dont' use hard coded buffers here. */
  char find[256] = "";
  char sr[128] = "(";
  char sep[2] = ",";
  char eq[2] = "=";
  char sren[4] = "=*)";



  strcat (find, user_attr);
  strcat (find, eq);
  strcat (find, user);
  strcat (find, sep);
  strcat (find, ldapdn);

  strcat (sr, yubi_attr);
  strcat (sr, sren);

  
  /* Get a handle to an LDAP connection. */
  if (ldap_initialize(&ld,ldapserver) != NULL)
    {
      D (("ldap_init"));
      return (0);
    }

  /* Bind anonymously to the LDAP server. */
  rc = ldap_simple_bind_s (ld, NULL, NULL);

  if (rc != LDAP_SUCCESS)
    {
      D (("ldap_simple_bind_s: %s", ldap_err2string (rc)));
      return (0);
    }
  
  /* Search for the entry. */
  D (("ldap-dn: %s", find));
  D (("ldap-filter: %s", sr));

  if ((rc = ldap_search_ext_s (ld, find, LDAP_SCOPE_BASE,
                               sr, NULL, 0, NULL, NULL, LDAP_NO_LIMIT,
                               LDAP_NO_LIMIT, &result)) != LDAP_SUCCESS)
    {
      D (("ldap_search_ext_s: %s", ldap_err2string (rc)));

      return (0);
    }
  e = ldap_first_entry (ld, result);
  if (e != NULL)
    {

      /* Iterate through each attribute in the entry. */
      for (a = ldap_first_attribute (ld, e, &ber);
           a != NULL; a = ldap_next_attribute (ld, e, ber))
        {
          if ((vals = ldap_get_values_len (ld, e, a)) != NULL)
            {
              for (i = 0; vals[i] != NULL; i++)
                {
                  if (!strncmp (token_id, vals[i]->bv_val, strlen (token_id)))
                    {
                      D (("Token Found :: %s", vals[i]->bv_val));
                      retval = 1;
                    }
                }
              ldap_value_free (vals);
            }
          ldap_memfree (a);
        }
      if (ber != NULL)
        {
          ber_free (ber, 0);
        }

    }

  ldap_msgfree (result);
  ldap_unbind (ld);
#else
  D (("Trying to use LDAP, but this function is not compiled in pam_yubico!!"));
  D (("Install libldap-dev and then recompile pam_yubico."));
#endif
  return retval;
}

Statistics: Posted by tpohl — Fri Mar 20, 2009 7:56 pm

Re: pam_yubico_ldap

2009-02-11T20:47:18+01:00

This is great news! I'll be testing this week and posting any problems I find.

Statistics: Posted by cmoates — Wed Feb 11, 2009 8:47 pm

Re: pam_yubico_ldap

2009-02-11T18:46:53+01:00

The ldap part as been merged back in pam_yubico.

You can download the 1.11 release on the google code page or update through the google code svn.
Trac project for pam_yubico_ldap will be closed soon. The development of the ldap part will continue directly in the pam_yubico project.

Tell me if you have any problem with the ldap part.

Statistics: Posted by zubrick — Wed Feb 11, 2009 6:46 pm

Re: pam_yubico_ldap

2009-02-10T15:34:49+01:00

Thanks for this. I really hope that we see it merge with the main pam module. I'll try to get some time this week to test against my 64 bit problems (and patches, if necessary) with the original pam code.

Statistics: Posted by cmoates — Tue Feb 10, 2009 3:34 pm

Re: pam_yubico_ldap

2009-02-09T12:51:26+01:00

Hi Lucien,

I released a version 1.1 with a correction in the ldap search (in fact, I posted the wrong tar.gz on the trac project last time). This version can only do ldap search.

I'm working with simon on the merging of the two projects, so you can also test de pam_yubico-dev.tar.gz available in the downloads page of my trac project. This version has both ldap and file capabilities.

Regards

Zubrick

Statistics: Posted by zubrick — Mon Feb 09, 2009 12:51 pm

Re: pam_yubico_ldap

2009-02-08T14:38:12+01:00

Hi Zubrick,

I am a big fan of this LDAP approach for user-key management and will be testing your pam_yubico module variation in the near future.

More comments after I try it out and I will be happy to see it merged into the original pam module code.

Cheers
Lucien

Statistics: Posted by lucienboland — Sun Feb 08, 2009 2:38 pm

pam_yubico_ldap

2009-02-11T18:51:59+01:00

Please use pam_yubico to have ldap support (v1.11 or later). pam_yubico_ldap is discontinued.
-----
Hello,

For those of you who do not have the patience to manage the yubikeys user list on all their host, an ldap version of pam_yubico is now available on https://trac.number6.ch/pam_yubico_ldap.

It works exactly as pam_yubico, but checks the user-key relation on the ldap server instead of the text file.

Feel free to post tickets or replay to this post if you have any comment or have feature requests regarding ldap stuff in the pam module.

The ldap code will probably be merged in the original pam_yubico project in a near future.

Zubrick

Statistics: Posted by zubrick — Fri Jan 23, 2009 5:37 pm