Yubico Forum

 Post subject: pam_yubico_ldap
PostPosted: Fri Jan 23, 2009 5:37 pm 

Joined: Mon Dec 15, 2008 6:15 pm
Posts: 4
Please use pam_yubico (v1.11 or later) for ldap support. pam_yubico_ldap is discontinued.
-----
Hello,

For those of you who do not have the patience to manage the yubikeys user list on all their hosts, an ldap version of pam_yubico is now available on https://trac.number6.ch/pam_yubico_ldap.

It works exactly like pam_yubico, but checks the user-key relation on the ldap server instead of in the text file.

Feel free to post tickets or reply to this post if you have any comments or feature requests regarding ldap stuff in the pam module.

The ldap code will probably be merged into the original pam_yubico project in the near future.

Zubrick


Last edited by zubrick on Wed Feb 11, 2009 6:51 pm, edited 2 times in total.


 Post subject: Re: pam_yubico_ldap
PostPosted: Sun Feb 08, 2009 2:38 pm 

Joined: Thu Feb 05, 2009 2:34 am
Posts: 4
Hi Zubrick,

I am a big fan of this LDAP approach for user-key management and will be testing your pam_yubico module variation in the near future.

More comments after I try it out and I will be happy to see it merged into the original pam module code.

Cheers
Lucien


 Post subject: Re: pam_yubico_ldap
PostPosted: Mon Feb 09, 2009 12:51 pm 

Joined: Mon Dec 15, 2008 6:15 pm
Posts: 4
Hi Lucien,

I released version 1.1 with a correction in the ldap search (in fact, I posted the wrong tar.gz on the trac project last time). This version can only do ldap searches.

I'm working with Simon on merging the two projects, so you can also test the pam_yubico-dev.tar.gz available on the downloads page of my trac project. This version has both ldap and file capabilities.

Regards

Zubrick


 Post subject: Re: pam_yubico_ldap
PostPosted: Tue Feb 10, 2009 3:34 pm 

Joined: Mon Feb 02, 2009 4:12 pm
Posts: 9
Thanks for this. I really hope that we see it merged with the main pam module. I'll try to get some time this week to test against my 64-bit problems (and patches, if necessary) with the original pam code.


 Post subject: Re: pam_yubico_ldap
PostPosted: Wed Feb 11, 2009 6:46 pm 

Joined: Mon Dec 15, 2008 6:15 pm
Posts: 4
The ldap part has been merged back into pam_yubico.

You can download the 1.11 release on the google code page or update through the google code svn.
The Trac project for pam_yubico_ldap will be closed soon. Development of the ldap part will continue directly in the pam_yubico project.

Tell me if you have any problem with the ldap part.


 Post subject: Re: pam_yubico_ldap
PostPosted: Wed Feb 11, 2009 8:47 pm 

Joined: Mon Feb 02, 2009 4:12 pm
Posts: 9
This is great news! I'll be testing this week and posting any problems I find.


 Post subject: Re: pam_yubico_ldap
PostPosted: Fri Mar 20, 2009 7:56 pm 

Joined: Fri Mar 20, 2009 7:02 pm
Posts: 3
I just got the pam_yubico module to work with LDAP under 64-bit CentOS. I had to make some coding changes (against the 1.11 module) to use the non-deprecated ldap methods. Also, the value of ldapserver needs to be an LDAP URI (e.g. ldap://localhost/) instead of a hostname. Below is my version of the validate_user_token_ldap method:
Code:
/* Needs <ldap.h> (libldap) and <string.h>/<stdio.h>; D() is pam_yubico's
   debug macro and HAVE_LIBLDAP comes from its configure script. */
static int
validate_user_token_ldap (const char *ldapserver,
                          const char *ldapdn, const char *user_attr,
                          const char *yubi_attr, const char *user,
                          const char *token_id)
{
  int retval = 0;
#ifdef HAVE_LIBLDAP
  LDAP *ld = NULL;
  LDAPMessage *result = NULL, *e;
  BerElement *ber = NULL;
  char *a;
  struct berval **vals;
  int i, rc;
  /* FIXME: don't use hard coded buffers here. */
  char find[256];
  char sr[128];
  size_t token_len = strlen (token_id);

  /* Base DN of the user entry: "<user_attr>=<user>,<ldapdn>".  snprintf
     with a length check replaces the unbounded strcat chain, so a user
     name that does not fit is rejected instead of overflowing the buffer.
     The user name is still spliced in without RFC 4514 escaping. */
  if (snprintf (find, sizeof find, "%s=%s,%s", user_attr, user, ldapdn)
      >= (int) sizeof find)
    {
      D (("ldap-dn too long"));
      return 0;
    }
  /* Presence filter for the YubiKey attribute: "(<yubi_attr>=*)". */
  if (snprintf (sr, sizeof sr, "(%s=*)", yubi_attr) >= (int) sizeof sr)
    {
      D (("ldap-filter too long"));
      return 0;
    }

  /* Get a handle to an LDAP connection.  ldapserver must be an LDAP URI
     such as ldap://localhost/.  ldap_initialize() returns an int result
     code, not a pointer, so compare against LDAP_SUCCESS. */
  if ((rc = ldap_initialize (&ld, ldapserver)) != LDAP_SUCCESS)
    {
      D (("ldap_initialize: %s", ldap_err2string (rc)));
      return 0;
    }

  /* Bind anonymously to the LDAP server.  ldap_sasl_bind_s with the
     simple mechanism and no credentials replaces the deprecated
     ldap_simple_bind_s. */
  rc = ldap_sasl_bind_s (ld, NULL, LDAP_SASL_SIMPLE, NULL, NULL, NULL, NULL);
  if (rc != LDAP_SUCCESS)
    {
      D (("ldap_sasl_bind_s: %s", ldap_err2string (rc)));
      ldap_unbind_ext_s (ld, NULL, NULL);   /* do not leak the handle */
      return 0;
    }

  /* Search for the entry. */
  D (("ldap-dn: %s", find));
  D (("ldap-filter: %s", sr));

  rc = ldap_search_ext_s (ld, find, LDAP_SCOPE_BASE, sr, NULL, 0,
                          NULL, NULL, LDAP_NO_LIMIT, LDAP_NO_LIMIT, &result);
  if (rc != LDAP_SUCCESS)
    {
      D (("ldap_search_ext_s: %s", ldap_err2string (rc)));
      if (result != NULL)
        ldap_msgfree (result);   /* a result may be allocated even on error */
      ldap_unbind_ext_s (ld, NULL, NULL);
      return 0;
    }

  e = ldap_first_entry (ld, result);
  if (e != NULL)
    {
      /* Iterate through each attribute in the entry. */
      for (a = ldap_first_attribute (ld, e, &ber);
           a != NULL; a = ldap_next_attribute (ld, e, ber))
        {
          if ((vals = ldap_get_values_len (ld, e, a)) != NULL)
            {
              for (i = 0; vals[i] != NULL; i++)
                {
                  /* Exact-length match on the stored token id.  The
                     earlier prefix-only strncmp also accepted any value
                     that merely began with token_id. */
                  if (vals[i]->bv_len == token_len
                      && memcmp (vals[i]->bv_val, token_id, token_len) == 0)
                    {
                      D (("Token Found :: %s", vals[i]->bv_val));
                      retval = 1;
                    }
                }
              /* berval arrays are released with ldap_value_free_len. */
              ldap_value_free_len (vals);
            }
          ldap_memfree (a);
        }
      if (ber != NULL)
        ber_free (ber, 0);
    }

  ldap_msgfree (result);
  ldap_unbind_ext_s (ld, NULL, NULL);
#else
  D (("Trying to use LDAP, but this function is not compiled in pam_yubico!!"));
  D (("Install libldap-dev and then recompile pam_yubico."));
#endif
  return retval;
}


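The function posted above assembles its base DN and filter with strcat() into fixed-size buffers and compares the stored attribute value against the token id with a prefix-only strncmp(). The following stand-alone C program is an added example, not code from this thread or from pam_yubico: it builds the same "<user_attr>=<user>,<base_dn>" DN and "(<yubi_attr>=*)" presence filter with bounds checking and RFC 4514 escaping of the user name, and checks a stored value against the token id with an exact-length comparison. The names build_user_dn, build_presence_filter, token_matches and struct bval are assumptions chosen for the example, and the directory values are constructed; no libldap is needed to compile it.

```c
/* Added example (not pam_yubico code, not from the thread): bounded DN and
 * filter construction with RFC 4514 escaping, and an exact-length token-id
 * comparison, for the user -> YubiKey lookup the posted function performs.
 * Function and type names are assumptions.  Build: cc -std=c99 -Wall dn_example.c */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Append src to the NUL-terminated string in dst (capacity cap).
 * Returns 1 on success, 0 if the result would not fit. */
static int append (char *dst, size_t cap, const char *src)
{
  size_t used = strlen (dst), n = strlen (src);
  if (n >= cap - used)
    return 0;
  memcpy (dst + used, src, n + 1);
  return 1;
}

/* Append one attribute value escaped per RFC 4514: the DN metacharacters
 * , + " \ < > ; = get a backslash, as do a leading '#' or space and a
 * trailing space.  Control characters are rejected outright. */
static int append_dn_value (char *dst, size_t cap, const char *val)
{
  size_t len = strlen (val);
  for (size_t i = 0; i < len; i++)
    {
      char c = val[i];
      char plain[2] = { c, '\0' };
      char escaped[3] = { '\\', c, '\0' };
      int special = strchr (",+\"\\<>;=", c) != NULL
                    || (i == 0 && (c == '#' || c == ' '))
                    || (i == len - 1 && c == ' ');
      if ((unsigned char) c < 0x20)
        return 0;
      if (!append (dst, cap, special ? escaped : plain))
        return 0;
    }
  return 1;
}

/* "<user_attr>=<user>,<base_dn>", the base DN the posted code builds with
 * strcat().  Attribute name and base DN come from the module's own
 * configuration, so only the user name is escaped.  Returns 0 on overflow
 * or on a rejected user name. */
int build_user_dn (char *out, size_t cap, const char *user_attr,
                   const char *user, const char *base_dn)
{
  if (cap == 0)
    return 0;
  out[0] = '\0';
  return append (out, cap, user_attr) && append (out, cap, "=")
         && append_dn_value (out, cap, user) && append (out, cap, ",")
         && append (out, cap, base_dn);
}

/* "(<yubi_attr>=*)", the presence filter for the YubiKey attribute. */
int build_presence_filter (char *out, size_t cap, const char *yubi_attr)
{
  if (cap == 0)
    return 0;
  out[0] = '\0';
  return append (out, cap, "(") && append (out, cap, yubi_attr)
         && append (out, cap, "=*)");
}

/* Mirrors the length-delimited values ldap_get_values_len() returns. */
struct bval
{
  size_t len;
  const char *val;
};

/* Exact-length comparison.  strncmp (token_id, v, strlen (token_id)), as in
 * the posted code, also accepts any stored value that merely begins with
 * the token id. */
int token_matches (const struct bval **vals, const char *token_id)
{
  size_t n = strlen (token_id);
  for (size_t i = 0; vals[i] != NULL; i++)
    if (vals[i]->len == n && memcmp (vals[i]->val, token_id, n) == 0)
      return 1;
  return 0;
}

int main (void)
{
  char dn[256], filter[128];
  /* Constructed sample configuration and directory values. */
  const char *base = "ou=people,dc=example,dc=com";

  build_user_dn (dn, sizeof dn, "uid", "alice", base);
  build_presence_filter (filter, sizeof filter, "yubiKeyId");
  printf ("dn:     %s\nfilter: %s\n", dn, filter);

  /* A user name carrying DN metacharacters is escaped, not spliced in. */
  build_user_dn (dn, sizeof dn, "uid", "bob,ou=admins", base);
  printf ("dn:     %s\n", dn);

  const struct bval exact = { 12, "cccccccccccc" };
  const struct bval longer = { 16, "ccccccccccccdead" };
  const struct bval *vals[] = { &longer, &exact, NULL };
  printf ("exact match present: %d\n", token_matches (vals, "cccccccccccc"));
  const struct bval *only_longer[] = { &longer, NULL };
  printf ("prefix-only value:   %d\n", token_matches (only_longer, "cccccccccccc"));
  return 0;
}
```

Both builders return 0 rather than truncating, so a caller can refuse the authentication instead of searching under a mangled DN; the escaping covers the DN only, since the filter's attribute name is operator-supplied configuration.
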
 Post subject: Re: pam_yubico_ldap
PostPosted: Sun Mar 22, 2009 3:06 pm 

Joined: Wed Feb 04, 2009 2:08 am
Posts: 16
tpohl,

I have been working on a new yubico-pam patch and would like some help testing with an LDAP setup. I just incorporated your changes; can you please test it out and let me know if it works for you? The configuration has changed a bit; you can read more in this thread: http://forum.yubico.com/viewtopic.php?f=3&t=295.

I am also thinking we should change the setting from ldap_server to ldap_url, thoughts?

Patch is here
http://yubico-squirrelmail-plugin.googlecode.com/files/yubico-pam-1.11-updates5.patch

_________________
richard


 Post subject: Re: pam_yubico_ldap
PostPosted: Tue Aug 11, 2009 10:47 am 

Joined: Mon Dec 15, 2008 6:15 pm
Posts: 4
Was very busy.

I just committed r186 in the yubico-pam SVN with some of the code from tpohl plus some other corrections.
Now you have to enter an ldap_uri parameter like ldap://localhost instead of a hostname in the ldapserver parameter.
ldapserver is not used anymore.

Can someone test it on other systems? I only have 32bit Debian servers available.

regards

Zubrick

