Yubico Forum
https://forum.yubico.com/

pam_yubico_ldap
https://forum.yubico.com/viewtopic.php?f=8&t=240
Page 1 of 1

Author:  zubrick [ Fri Jan 23, 2009 5:37 pm ]
Post subject:  pam_yubico_ldap

Please use pam_yubico to have ldap support (v1.11 or later). pam_yubico_ldap is discontinued.
-----
Hello,

For those of you who do not have the patience to manage the yubikeys user list on all their hosts, an ldap version of pam_yubico is now available on https://trac.number6.ch/pam_yubico_ldap.

It works exactly as pam_yubico, but checks the user-key relation on the ldap server instead of the text file.

Feel free to post tickets or reply to this post if you have any comment or have feature requests regarding ldap stuff in the pam module.

The ldap code will probably be merged into the original pam_yubico project in the near future.

Zubrick

Author:  lucienboland [ Sun Feb 08, 2009 2:38 pm ]
Post subject:  Re: pam_yubico_ldap

Hi Zubrick,

I am a big fan of this LDAP approach for user-key management and will be testing your pam_yubico module variation in the near future.

More comments after I try it out and I will be happy to see it merged into the original pam module code.

Cheers
Lucien

Author:  zubrick [ Mon Feb 09, 2009 12:51 pm ]
Post subject:  Re: pam_yubico_ldap

Hi Lucien,

I released a version 1.1 with a correction in the ldap search (in fact, I posted the wrong tar.gz on the trac project last time). This version can only do ldap search.

I'm working with simon on the merging of the two projects, so you can also test the pam_yubico-dev.tar.gz available in the downloads page of my trac project. This version has both ldap and file capabilities.

Regards

Zubrick

Author:  cmoates [ Tue Feb 10, 2009 3:34 pm ]
Post subject:  Re: pam_yubico_ldap

Thanks for this. I really hope that we see it merge with the main pam module. I'll try to get some time this week to test against my 64 bit problems (and patches, if necessary) with the original pam code.

Author:  zubrick [ Wed Feb 11, 2009 6:46 pm ]
Post subject:  Re: pam_yubico_ldap

The ldap part has been merged back in pam_yubico.

You can download the 1.11 release on the google code page or update through the google code svn.
Trac project for pam_yubico_ldap will be closed soon. The development of the ldap part will continue directly in the pam_yubico project.

Tell me if you have any problem with the ldap part.

Author:  cmoates [ Wed Feb 11, 2009 8:47 pm ]
Post subject:  Re: pam_yubico_ldap

This is great news! I'll be testing this week and posting any problems I find.

Author:  tpohl [ Fri Mar 20, 2009 7:56 pm ]
Post subject:  Re: pam_yubico_ldap

I just got the pam_yubico module to work with LDAP under 64bit CentOS. I had to make some coding changes (against the 1.11 module) to use the non-deprecated ldap methods. Also, the value of the ldapserver needs to be an LDAP uri (e.g. ldap://localhost/) instead of a hostname. Below is my version of the validate_user_token_ldap method:
Code:
#include <stdio.h>
#include <string.h>
#ifdef HAVE_LIBLDAP
#include <ldap.h>
#endif

/* D() is pam_yubico's debug macro; no-op fallback when built outside the module. */
#ifndef D
#define D(x)
#endif

/* Look up the user's entry at "<user_attr>=<user>,<ldapdn>" with the
 * presence filter "(<yubi_attr>=*)", binding anonymously, and return 1 if
 * token_id is a prefix of one of that attribute's values, 0 otherwise. */
static int
validate_user_token_ldap (const char *ldapserver,
                          const char *ldapdn, const char *user_attr,
                          const char *yubi_attr, const char *user,
                          const char *token_id)
{
  int retval = 0;
#ifdef HAVE_LIBLDAP
  LDAP *ld = NULL;
  LDAPMessage *result = NULL, *e;
  BerElement *ber = NULL;
  char *a;
  struct berval **vals;
  int i, rc;
  size_t tlen = strlen (token_id);
  /* Fixed buffers, but filled with bounded snprintf() instead of strcat()
     so an over-long user name or base DN fails instead of overflowing. */
  char find[256];
  char sr[128];

  /* Base DN of the user's entry: user_attr=user,ldapdn */
  if (snprintf (find, sizeof find, "%s=%s,%s", user_attr, user, ldapdn)
      >= (int) sizeof find)
    {
      D (("ldap base dn too long"));
      return 0;
    }

  /* Presence filter on the attribute that holds the key ids: (yubi_attr=*) */
  if (snprintf (sr, sizeof sr, "(%s=*)", yubi_attr) >= (int) sizeof sr)
    {
      D (("ldap filter too long"));
      return 0;
    }

  /* Get a handle to an LDAP connection.  ldapserver must be an LDAP URI
     such as ldap://localhost/; ldap_initialize() returns an LDAP result
     code, not a pointer. */
  rc = ldap_initialize (&ld, ldapserver);
  if (rc != LDAP_SUCCESS)
    {
      D (("ldap_initialize: %s", ldap_err2string (rc)));
      return 0;
    }

  /* Bind anonymously to the LDAP server (non-deprecated replacement for
     ldap_simple_bind_s(ld, NULL, NULL)). */
  rc = ldap_sasl_bind_s (ld, NULL, LDAP_SASL_SIMPLE, NULL, NULL, NULL, NULL);
  if (rc != LDAP_SUCCESS)
    {
      D (("ldap_sasl_bind_s: %s", ldap_err2string (rc)));
      ldap_unbind_ext_s (ld, NULL, NULL);
      return 0;
    }

  /* Search for the entry. */
  D (("ldap-dn: %s", find));
  D (("ldap-filter: %s", sr));

  rc = ldap_search_ext_s (ld, find, LDAP_SCOPE_BASE, sr, NULL, 0,
                          NULL, NULL, NULL /* no timeout */,
                          LDAP_NO_LIMIT, &result);
  if (rc != LDAP_SUCCESS)
    {
      D (("ldap_search_ext_s: %s", ldap_err2string (rc)));
      ldap_msgfree (result);
      ldap_unbind_ext_s (ld, NULL, NULL);
      return 0;
    }

  e = ldap_first_entry (ld, result);
  if (e != NULL)
    {
      /* Iterate through each attribute in the entry (a base-scope search
         returns at most the single entry at 'find'). */
      for (a = ldap_first_attribute (ld, e, &ber);
           a != NULL; a = ldap_next_attribute (ld, e, ber))
        {
          if ((vals = ldap_get_values_len (ld, e, a)) != NULL)
            {
              for (i = 0; vals[i] != NULL; i++)
                {
                  /* token_id (the key's public id) must be a prefix of the
                     stored value; compare within bv_len rather than
                     assuming bv_val is NUL-terminated. */
                  if (vals[i]->bv_len >= tlen
                      && memcmp (token_id, vals[i]->bv_val, tlen) == 0)
                    {
                      D (("Token Found :: %.*s",
                          (int) vals[i]->bv_len, vals[i]->bv_val));
                      retval = 1;
                    }
                }
              /* Values from ldap_get_values_len() are freed with the _len
                 variant, not ldap_value_free(). */
              ldap_value_free_len (vals);
            }
          ldap_memfree (a);
        }
      if (ber != NULL)
        ber_free (ber, 0);
    }

  ldap_msgfree (result);
  ldap_unbind_ext_s (ld, NULL, NULL);
#else
  D (("Trying to use LDAP, but this function is not compiled in pam_yubico!!"));
  D (("Install libldap-dev and then recompile pam_yubico."));
#endif
  return retval;
}
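
The function above builds its base DN and filter by concatenating the PAM user name and the configured attribute names into fixed buffers (the FIXME in the post notes this), and then accepts any attribute value that begins with the token id. The block below is an added example, not code from the post or from the pam_yubico project, showing how to do the same three things in a bounded and escaped way: build "<user_attr>=<user>,<ldapdn>" with RFC 4514 escaping of the user value, build "(<yubi_attr>=*)" with a length check, and apply the same prefix comparison while refusing an empty token id (with length 0, strncmp matches every value). The attribute name yubiKeyId, the base DN ou=people,dc=example,dc=com and the sample key ids are constructed for illustration and are not taken from the thread.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Append s at out[*pos]; 0 on success, -1 if it would not fit with its NUL.
 * On -1 the buffer keeps its previous, still NUL-terminated, content. */
static int append(char *out, size_t outlen, size_t *pos, const char *s)
{
  size_t n = strlen(s);
  if (outlen == 0 || *pos + n + 1 > outlen)
    return -1;
  memcpy(out + *pos, s, n + 1);
  *pos += n;
  return 0;
}

/* Escape an attribute value for use inside a DN (RFC 4514 section 2.4):
 * backslash-escape '"', '+', ',', ';', '<', '>', '\\', a leading '#' or
 * space, and a trailing space.  0 on success, -1 on truncation. */
int ldap_dn_escape(const char *in, char *out, size_t outlen)
{
  size_t pos = 0, i, len = strlen(in);
  char one[3] = { '\\', 0, 0 };
  if (outlen == 0)
    return -1;
  out[0] = '\0';
  for (i = 0; i < len; i++) {
    char c = in[i];
    int special = strchr("\"+,;<>\\", c) != NULL;
    if ((i == 0 && (c == '#' || c == ' ')) || (i == len - 1 && c == ' '))
      special = 1;
    one[1] = c;
    if (append(out, outlen, &pos, special ? one : one + 1) != 0)
      return -1;
  }
  return 0;
}

/* Build "<user_attr>=<escaped user>,<ldapdn>", the base DN that the module
 * searches with LDAP_SCOPE_BASE.  0 on success, -1 if out is too small. */
int build_user_dn(const char *user_attr, const char *user, const char *ldapdn,
                  char *out, size_t outlen)
{
  char esc[512];
  size_t pos = 0;
  if (outlen == 0 || ldap_dn_escape(user, esc, sizeof esc) != 0)
    return -1;
  out[0] = '\0';
  if (append(out, outlen, &pos, user_attr) || append(out, outlen, &pos, "=") ||
      append(out, outlen, &pos, esc)       || append(out, outlen, &pos, ",") ||
      append(out, outlen, &pos, ldapdn))
    return -1;
  return 0;
}

/* Build the presence filter "(<yubi_attr>=*)" for the attribute holding the
 * key ids (yubi_attr comes from configuration, not from the user). */
int build_token_filter(const char *yubi_attr, char *out, size_t outlen)
{
  int n = snprintf(out, outlen, "(%s=*)", yubi_attr);
  return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* The comparison the posted function applies to each returned value:
 * strncmp(token_id, value, strlen(token_id)) == 0, i.e. token_id is a
 * prefix of the stored value.  An empty token_id would match everything,
 * so it is rejected.  values is a NULL-terminated array. */
int token_matches(const char *token_id, const char *const *values)
{
  size_t n = strlen(token_id), i;
  if (n == 0)
    return 0;
  for (i = 0; values[i] != NULL; i++)
    if (strncmp(token_id, values[i], n) == 0)
      return 1;
  return 0;
}

int main(void)
{
  /* Constructed sample: an entry whose yubiKeyId attribute holds two public
   * ids (the first 12 modhex characters of an OTP). */
  static const char *const vals[] = { "ccccccbcgujh", "vvvvvvcucrlc", NULL };
  char dn[256], filter[128];

  if (build_user_dn("uid", "alice", "ou=people,dc=example,dc=com", dn, sizeof dn) == 0
      && build_token_filter("yubiKeyId", filter, sizeof filter) == 0)
    printf("base: %s\nfilter: %s\nmatch: %d\n", dn, filter,
           token_matches("ccccccbcgujh", vals));
  return 0;
}
```

A user name containing ',' or '+' is escaped rather than becoming extra RDN components of the base DN, and an over-long name makes build_user_dn() fail instead of writing past the buffer.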

Author:  fergus [ Sun Mar 22, 2009 3:06 pm ]
Post subject:  Re: pam_yubico_ldap

tpohl,

I have been working on a new yubico-pam patch and would like some help testing with an LDAP setup. I just incorporated your changes, can you please test it out and let me know if it works for you? The configuration has changed a bit, you can read more in this thread, http://forum.yubico.com/viewtopic.php?f=3&t=295.

I am also thinking we should change the setting from ldap_server to ldap_url, thoughts?

Patch is here
http://yubico-squirrelmail-plugin.googlecode.com/files/yubico-pam-1.11-updates5.patch

Author:  zubrick [ Tue Aug 11, 2009 10:47 am ]
Post subject:  Re: pam_yubico_ldap

Was very busy.

I just committed r186 in the yubico-pam SVN with some of the code of tpohl plus some other corrections.
Now you have to enter a ldap_uri parameter like ldap://localhost instead of a hostname in ldapserver parameter.
ldapserver is not used any more.

Can someone test it on other systems? I only have 32bit Debian servers available.

regards

Zubrick

All times are UTC + 1 hour