Yubico Forum

View unanswered posts | View active topics

Board index » Yubico » Community Projects

All times are UTC + 1 hour

pam_yubico_ldap

Page 1 of 1

[ 9 posts ]

Print view

Previous topic | Next topic

Author

Message

zubrick

Post subject: pam_yubico_ldap

Posted: Fri Jan 23, 2009 5:37 pm

Joined: Mon Dec 15, 2008 6:15 pm
Posts: 4

Please use pam_yubico to have ldap support (v1.11 or later). pam_yubico_ldap is discontinued.
-----
Hello,

For those of you who do not have the patience to manage the yubikeys user list on all their host, an ldap version of pam_yubico is now available on https://trac.number6.ch/pam_yubico_ldap.

It works exactly as pam_yubico, but checks the user-key relation on the ldap server instead of the text file.

Feel free to post tickets or replay to this post if you have any comment or have feature requests regarding ldap stuff in the pam module.

The ldap code will probably be merged in the original pam_yubico project in a near future.

Zubrick

Last edited by zubrick on Wed Feb 11, 2009 6:51 pm, edited 2 times in total.

Top

Share On:
	Facebook		Twitter		Tumblr		Google+

lucienboland

Post subject: Re: pam_yubico_ldap

Posted: Sun Feb 08, 2009 2:38 pm

Joined: Thu Feb 05, 2009 2:34 am
Posts: 4

Hi Zubrick,

I am a big fan of this LDAP approach for user-key management and will be testing your pam_yubico module variation in the near future.

More comments after I try it out and I will be happy to see it merged into the original pam module code.

Cheers
Lucien

Top

zubrick

Post subject: Re: pam_yubico_ldap

Posted: Mon Feb 09, 2009 12:51 pm

Joined: Mon Dec 15, 2008 6:15 pm
Posts: 4

Hi Lucien,

I released a version 1.1 with a correction in the ldap search (in fact, I posted the wrong tar.gz on the trac project last time). This version can only do ldap search.

I'm working with simon on the merging of the two projects, so you can also test de pam_yubico-dev.tar.gz available in the downloads page of my trac project. This version has both ldap and file capabilities.

Regards

Zubrick

Top

cmoates

Post subject: Re: pam_yubico_ldap

Posted: Tue Feb 10, 2009 3:34 pm

Joined: Mon Feb 02, 2009 4:12 pm
Posts: 9

Thanks for this. I really hope that we see it merge with the main pam module. I'll try to get some time this week to test against my 64 bit problems (and patches, if necessary) with the original pam code.

Top

zubrick

Post subject: Re: pam_yubico_ldap

Posted: Wed Feb 11, 2009 6:46 pm

Joined: Mon Dec 15, 2008 6:15 pm
Posts: 4

The ldap part as been merged back in pam_yubico.

You can download the 1.11 release on the google code page or update through the google code svn.
Trac project for pam_yubico_ldap will be closed soon. The development of the ldap part will continue directly in the pam_yubico project.

Tell me if you have any problem with the ldap part.

Top

cmoates

Post subject: Re: pam_yubico_ldap

Posted: Wed Feb 11, 2009 8:47 pm

Joined: Mon Feb 02, 2009 4:12 pm
Posts: 9

This is great news! I'll be testing this week and posting any problems I find.

Top

tpohl

Post subject: Re: pam_yubico_ldap

Posted: Fri Mar 20, 2009 7:56 pm

Joined: Fri Mar 20, 2009 7:02 pm
Posts: 3

I just got the pam_yubico module to work with LDAP under 64bit CentOS. I had to make some coding changes (against the 1.11 module) to use the non-deprecated ldap methods. Also, the value of the ldapserver needs to be an LDAP uri (e.g. ldap://localhost/) instead of a hostname. Below is my version of the validate_user_token_ldap method:

Code:

static int
validate_user_token_ldap (const char *ldapserver,
                          const char *ldapdn, const char *user_attr,
                          const char *yubi_attr, const char *user,
                          const char *token_id)
{

  int retval = 0;
#ifdef HAVE_LIBLDAP
  LDAP *ld;
  LDAPMessage *result, *e;
  BerElement *ber;
  char *a;
  struct berval **vals;
  int i, rc;
  /* FIXME: dont' use hard coded buffers here. */
  char find[256] = "";
  char sr[128] = "(";
  char sep[2] = ",";
  char eq[2] = "=";
  char sren[4] = "=*)";



  strcat (find, user_attr);
  strcat (find, eq);
  strcat (find, user);
  strcat (find, sep);
  strcat (find, ldapdn);

  strcat (sr, yubi_attr);
  strcat (sr, sren);

  
  /* Get a handle to an LDAP connection. */
  if (ldap_initialize(&ld,ldapserver) != NULL)
    {
      D (("ldap_init"));
      return (0);
    }

  /* Bind anonymously to the LDAP server. */
  rc = ldap_simple_bind_s (ld, NULL, NULL);

  if (rc != LDAP_SUCCESS)
    {
      D (("ldap_simple_bind_s: %s", ldap_err2string (rc)));
      return (0);
    }
  
  /* Search for the entry. */
  D (("ldap-dn: %s", find));
  D (("ldap-filter: %s", sr));

  if ((rc = ldap_search_ext_s (ld, find, LDAP_SCOPE_BASE,
                               sr, NULL, 0, NULL, NULL, LDAP_NO_LIMIT,
                               LDAP_NO_LIMIT, &result)) != LDAP_SUCCESS)
    {
      D (("ldap_search_ext_s: %s", ldap_err2string (rc)));

      return (0);
    }
  e = ldap_first_entry (ld, result);
  if (e != NULL)
    {

      /* Iterate through each attribute in the entry. */
      for (a = ldap_first_attribute (ld, e, &ber);
           a != NULL; a = ldap_next_attribute (ld, e, ber))
        {
          if ((vals = ldap_get_values_len (ld, e, a)) != NULL)
            {
              for (i = 0; vals[i] != NULL; i++)
                {
                  if (!strncmp (token_id, vals[i]->bv_val, strlen (token_id)))
                    {
                      D (("Token Found :: %s", vals[i]->bv_val));
                      retval = 1;
                    }
                }
              ldap_value_free (vals);
            }
          ldap_memfree (a);
        }
      if (ber != NULL)
        {
          ber_free (ber, 0);
        }

    }

  ldap_msgfree (result);
  ldap_unbind (ld);
#else
  D (("Trying to use LDAP, but this function is not compiled in pam_yubico!!"));
  D (("Install libldap-dev and then recompile pam_yubico."));
#endif
  return retval;
}

Top

fergus

Post subject: Re: pam_yubico_ldap

Posted: Sun Mar 22, 2009 3:06 pm

Joined: Wed Feb 04, 2009 2:08 am
Posts: 16

tpohl,

I have been working on a new yubico-pam patch and would like some help testing with an LDAP setup. I just incorporated your changes, can you please test it out and let me know if it works for you? The configuration has changed a bit, you can read more in this thread, http://forum.yubico.com/viewtopic.php?f=3&t=295.

I am also thinking we should change the setting from ldap_server to ldap_url, thoughts?

Patch is here
http://yubico-squirrelmail-plugin.googlecode.com/files/yubico-pam-1.11-updates5.patch

_________________
richard

Top

zubrick

Post subject: Re: pam_yubico_ldap

Posted: Tue Aug 11, 2009 10:47 am

Joined: Mon Dec 15, 2008 6:15 pm
Posts: 4

Was very busy.

I just commited r186 in the yubico-pam SVN with some of the code of tpohl plus some other corrections.
Now you have to enter a ldap_uri parameter like ldap://localhost instead of a hostname in ldapserver parameter.
ldapserver is not used any more.

Can someone test it on other systems? I only have 32bit Debian servers available.

regards

Zubrick

Top

Page 1 of 1

[ 9 posts ]

Board index » Yubico » Community Projects

All times are UTC + 1 hour

Who is online

Users browsing this forum: No registered users and 0 guests

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

pam_yubico_ldap

Share On:

Who is online