openldap-bugs March 2010

openldap-bugs@openldap.org

31 participants
72 discussions

Re: (ITS#6487) Nssov pam_authz authorizedUserService
by hyc＠symas.com 22 Mar '10

22 Mar '10

Kean Johnston wrote: >> This patch was rejected. The functionality it offered was already >> provided by the slapd ACL engine. > Could I ask you to reconsider your position on using ACL's? Using ACL's for > this kind of thing is a little bit like asking the security guard that > makes your entry badge also be in charge of all of your HR data and > documents. I understand the ACL engine may be quick but it completely > defeats the purpose of having a centralised directory. No, doing anything else defeats that purpose. > What if I want > directory administrators to be able to edit host permissions but I don't > want them to have root so they can edit slapd.conf or change the SLAPD > configuration? So let them edit the host permissions. Delegate the privileges to groups, and give them write access to their respective groups. > what if I cant even use the modern configuration because > overlays I want to use don't support it and I am forced to use slapd.conf? Irrelevant. Using slapd.conf doesn't preclude delegation of privileges or dynamic updates to privilege memberships. > It also moves away from the model of having data about the host in one dn: > cn=host,dc=example,dc=com entry to now having pretty vital information > about the host moved completely out of the directory itself and into the > directory server's configuration. That surely can't be a good thing. On the contrary - for security management, it's the BEST thing. Keeping your authorization rules scattered across the data space not only makes it harder to administer, it also makes it easier to subvert. Keeping it all isolated in a single administrative space negates both of those problems. The key to scalable security is centralized control with distributed access, not distributed control. The more widely you distribute the actual points of control, the more likely you are to make a mistake and open a hole between the points. > What if I want to move from OpenLDAP to some other server? Then you probably should be using nss-pam-ldapd, and not nssov. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#6495) nssov patch to better emulate pam_ldap behaviour
by hyc＠symas.com 22 Mar '10

22 Mar '10

Kean Johnston wrote: >> Authorization is the job of the ACL engine. Putting ad-hoc rules into >> user entries is, in a word, stupid. It's also unscaleable and will >> become an administration nightmare. > Well OK then. Using a configuration mechanism like ACL's that cannot be > distributed to multiple users (like editing a directory can) is, in a word, > stupid. It is also unscaleable and will become an administration nightmare. > And authorisation is not (or SHOULD not be) the job of ACL's its the job of > authorisation modules, which nssov is. > > Being forced to give admins who simply want to be able to change access to > a random host in a centralised server root access to what may be a critical > server with other sensitive data on it is simply wrong. You seem to be laboring under the false premise that root privileges are required to administer authorization in slapd. Since that is false, the rest of your statements are moot. >> The user host attribute functionality is deprecated. I have no desire to >> make it even vaguely appear to be useful. > Then don't sell it as one. You claim pam_ldap compatibility but that is > false. The user docs also aren't nearly as strongly worded, saying that the > hostserver and ACL's is preferable, not that userhost is deprecated. > A flexible solution gives administrators the opportunity to use the tool in > ways you haven't conceived of because it works for them and their > environment. A ridgid and dictatorial tool forces people to do things one > way and one way only. I have worked for one of the larger software > companies and can tell you that the ACL mechanism would scale orders of > magnitude worse, and they did, in fact have authorisation info stored in > user and host attributes because that was the only way to delegate > responsibility to multiple groups. That may have been true of that other software package. That is not true here. > PS, you may wanna consider dropping the Ulrich Drepper attitude. When a > contributor, especially a first time one, who has gone to considerable > lengths to follow all the guidelines and do things just your way has, as > his first experience someone calling things "stupid" ... well, that will > thin the development herd considerably. No, I should rather step it up a notch. I don't want contributions from J. Random Developer. I want contributions from people who participate in the community. That means reading up on how things are done, following the established practices, and demonstrating a familiarity with the way things are done and establishing a familiarity with the other community members. That means showing that you'll take the time to stick around and continue to maintain/support your code if we pull it in. If a developer won't put that time in up front, then I don't care how good their code is; I don't want to be saddled with it when they inevitably disappear. The established practice for contributing new code is to discuss it on the openldap-devel mailing list first, before spending any time on actual coding. After the developer community gets a chance to think about it and weigh in on whether it's a good idea or not, then you start (or don't start) writing the code and submitting to the ITS. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#6495) nssov patch to better emulate pam_ldap behaviour
by kean.johnston＠gmail.com 22 Mar '10

22 Mar '10

> Authorization is the job of the ACL engine. Putting ad-hoc rules into > user entries is, in a word, stupid. It's also unscaleable and will > become an administration nightmare. Well OK then. Using a configuration mechanism like ACL's that cannot be distributed to multiple users (like editing a directory can) is, in a word, stupid. It is also unscaleable and will become an administration nightmare. And authorisation is not (or SHOULD not be) the job of ACL's its the job of authorisation modules, which nssov is. Being forced to give admins who simply want to be able to change access to a random host in a centralised server root access to what may be a critical server with other sensitive data on it is simply wrong. > The user host attribute functionality is deprecated. I have no desire to > make it even vaguely appear to be useful. Then don't sell it as one. You claim pam_ldap compatibility but that is false. The user docs also aren't nearly as strongly worded, saying that the hostserver and ACL's is preferable, not that userhost is deprecated. A flexible solution gives administrators the opportunity to use the tool in ways you haven't conceived of because it works for them and their environment. A ridgid and dictatorial tool forces people to do things one way and one way only. I have worked for one of the larger software companies and can tell you that the ACL mechanism would scale orders of magnitude worse, and they did, in fact have authorisation info stored in user and host attributes because that was the only way to delegate responsibility to multiple groups. PS, you may wanna consider dropping the Ulrich Drepper attitude. When a contributor, especially a first time one, who has gone to considerable lengths to follow all the guidelines and do things just your way has, as his first experience someone calling things "stupid" ... well, that will thin the development herd considerably.

1 0

Re: (ITS#6487) Nssov pam_authz authorizedUserService
by kean.johnston＠gmail.com 22 Mar '10

22 Mar '10

> This patch was rejected. The functionality it offered was already > provided by the slapd ACL engine. Could I ask you to reconsider your position on using ACL's? Using ACL's for this kind of thing is a little bit like asking the security guard that makes your entry badge also be in charge of all of your HR data and documents. I understand the ACL engine may be quick but it completely defeats the purpose of having a centralised directory. What if I want directory administrators to be able to edit host permissions but I don't want them to have root so they can edit slapd.conf or change the SLAPD configuration? what if I cant even use the modern configuration because overlays I want to use don't support it and I am forced to use slapd.conf? It also moves away from the model of having data about the host in one dn: cn=host,dc=example,dc=com entry to now having pretty vital information about the host moved completely out of the directory itself and into the directory server's configuration. That surely can't be a good thing. What if I want to move from OpenLDAP to some other server? Kean

1 0

Re: (ITS#6495) nssov patch to better emulate pam_ldap behaviour
by hyc＠symas.com 21 Mar '10

21 Mar '10

kean.johnston(a)gmail.com wrote: > Full_Name: Kean Johnston > Version: HEAD > OS: Linux (CentOS 5.3) > URL: ftp://ftp.openldap.org/incoming/kean-johnston-100321.patch > Submission from: (NULL) (196.210.34.161) > > > The nssov manual page states that some of it's options "duplicates the original > pam_ldap authorization behavior". However, they don't quite. pam_ldap has the > ability for you to use "wildcards" in a user's host: attribute. I say > "wildcards" in quotes because the pam_ldap implementation does not actually use > regex matching, but rather check for two special strings, "*" and "!". > > The ability to use actual wildcards, especially ones you can negate, on a per > user basis is extremely useful to an administrator of large networks. For > example you may want all developers to have access to the machines in > developers.mydomain.com but you want to disallow access to some of those > machines to contractors or interns. > > This patch allows such behaviour, so it serves the dual purpose of actually > implementing existing pam_ldap behaviour in case people already depend on that, > as well as extends it to be a more generally usable feature by using actual > regular expressions. The code is simple, and the man page change describes it > well enough. Please consider adding this code to nssov. Thank you. > Authorization is the job of the ACL engine. Putting ad-hoc rules into user entries is, in a word, stupid. It's also unscaleable and will become an administration nightmare. The user host attribute functionality is deprecated. I have no desire to make it even vaguely appear to be useful. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#6487) Nssov pam_authz authorizedUserService
by hyc＠symas.com 21 Mar '10

21 Mar '10

kean.johnston(a)gmail.com wrote: > I like what this offers administrators but I have a comment about how you > handle "wildcards". They aren't wild at all, but "magic strings" with only > one possible meaning: all users/services with the single magic character > "*". If you have a defined user naming convention like i_whatever for > interns and c_whatever for contractors, it would be useful to be able to > either include or exclude such users from using certain services. > > My patch at http://www.openldap.org/its/index.cgi?findid=6495 does this for > userhost and userservices attributes, and includes negation. Would you be > interested in working with me to expand this to support real wildcards? > Also I suggest you make this two patches, as the patch submission > guidelines clearly state that one patch for 1 feature, and the meaty parts > of this are obfuscated by increasing the buffer sizes which should probably > be in a separate patch. > > Regards, Kean This patch was rejected. The functionality it offered was already provided by the slapd ACL engine. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#6487) Nssov pam_authz authorizedUserService
by kean.johnston＠gmail.com 21 Mar '10

21 Mar '10

I like what this offers administrators but I have a comment about how you handle "wildcards". They aren't wild at all, but "magic strings" with only one possible meaning: all users/services with the single magic character "*". If you have a defined user naming convention like i_whatever for interns and c_whatever for contractors, it would be useful to be able to either include or exclude such users from using certain services. My patch at http://www.openldap.org/its/index.cgi?findid=6495 does this for userhost and userservices attributes, and includes negation. Would you be interested in working with me to expand this to support real wildcards? Also I suggest you make this two patches, as the patch submission guidelines clearly state that one patch for 1 feature, and the meaty parts of this are obfuscated by increasing the buffer sizes which should probably be in a separate patch. Regards, Kean

1 0

Re: (ITS#6495) nssov patch to better emulate pam_ldap behaviour
by kean.johnston＠gmail.com 21 Mar '10

21 Mar '10

ftp.openldap.org reports no space on the device, so the URL for the patch is at: http://64.34.163.232/openldap/kean-johnston-100321.patch

1 0

(ITS#6496) nssov patch to better emulate pam_ldap behaviour
by kean.johnston＠gmail.com 21 Mar '10

21 Mar '10

Full_Name: Kean Johnston Version: HEAD OS: Linux (CentOS 5.3) URL: ftp://ftp.openldap.org/incoming/kean-johnston-100321.patch Submission from: (NULL) (196.210.34.161) The nssov manual page states that some of it's options "duplicates the original pam_ldap authorization behavior". However, they don't quite. pam_ldap has the ability for you to use "wildcards" in a user's host: attribute. I say "wildcards" in quotes because the pam_ldap implementation does not actually use regex matching, but rather check for two special strings, "*" and "!". The ability to use actual wildcards, especially ones you can negate, on a per user basis is extremely useful to an administrator of large networks. For example you may want all developers to have access to the machines in developers.mydomain.com but you want to disallow access to some of those machines to contractors or interns. This patch allows such behaviour, so it serves the dual purpose of actually implementing existing pam_ldap behaviour in case people already depend on that, as well as extends it to be a more generally usable feature by using actual regular expressions. The code is simple, and the man page change describes it well enough. Please consider adding this code to nssov. Thank you.

1 0

(ITS#6495) nssov patch to better emulate pam_ldap behaviour
by kean.johnston＠gmail.com 21 Mar '10

21 Mar '10

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs March 2010