Hi,
I have an OpenLDAP server set up, and I am just wondering what will happen when I log in if there are two users in different OUs but with the same uid. I guess PAM is in flat mode, so when I log in with the uid, I can always log in as one of the two users, and have no chance to log in as the other, right?
If that is true, should I add a restriction that the uid of each user must be unique in the whole OpenLDAP server?
Thanks, Qian
On 28/07/2012 10:43, Qian Zhang wrote:
Hi,
I have an OpenLDAP server set up, and I am just wondering what will happen when I log in if there are two users in different OUs but with the same uid. I guess PAM is in flat mode, so when I log in with the uid, I can always log in as one of the two users, and have no chance to log in as the other, right?
I've never heard of any PAM module enforcing this kind of restriction.
If that is true, should I add a restriction that the uid of each user must be unique in the whole OpenLDAP server?
That's indeed a good practice.
If that is true, should I add a restriction that the uid of each user must be unique in the whole OpenLDAP server?
That's indeed a good practice.
It depends how you've built your entries. If the RDN has uid in it, it will be unique anyway.
Do you use something like cn=My Name,ou=Users,dc=example,dc=com with uid in the entry or uid=ghenry,ou=Users,dc=example,dc=com ?
Thanks.
2012/7/28 Gavin Henry ghenry@suretecsystems.com:
If that is true, should I add a restriction that the uid of each user must be unique in the whole OpenLDAP server?
That's indeed a good practice.
It depends how you've built your entries. If the RDN has uid in it, it will be unique anyway.
Do you use something like cn=My Name,ou=Users,dc=example,dc=com with uid in the entry or uid=ghenry,ou=Users,dc=example,dc=com ?
Thanks.
-- Kind Regards,
Gavin Henry. Managing Director.
[Qian] Sorry, I am new to LDAP, can you please let me know how to figure out which way I am using for the DN format? By some ldap commands?
BTW, I installed and set up LDAP in a default way, so I guess the DN format should be "uid=ghenry,ou=Users,dc=example,dc=com" because when I log in to my machine with the uid, it works, but if I log in with the common name, it fails.
http://www.catb.org/~esr/faqs/smart-questions.html, as you can find out what an RDN is via Google, which is quicker than what you wrote.
On Sat, Jul 28, 2012 at 10:34 PM, Qian Zhang zhq527725@gmail.com wrote:
[Qian] Sorry, I am new to LDAP, can you please let me know how to figure out which way I am using for the DN format? By some ldap commands?
BTW, I installed and set up LDAP in a default way, so I guess the DN format should be "uid=ghenry,ou=Users,dc=example,dc=com" because when I log in to my machine with the uid, it works, but if I log in with the common name, it fails.
I don't know what ldap command could be used to find out the DN schema, either. However, there is an open source tool called "LDAP Admin" ( http://www.ldapadmin.org/). You can use this tool to browse the LDAP server and check its DN schema, and re-configure it if you like.
On Mon, 30 Jul 2012, Qiang Xu wrote:
I don't know what ldap command could be used to find out the DN schema, either. However, there is an open source tool called "LDAP Admin"
Typically, OpenLDAP has a subschemaSubentry of "cn=Subschema"; that portion of the DIT contains this information.
On 30/07/2012 16:52, Aaron Richton wrote:
On Mon, 30 Jul 2012, Qiang Xu wrote:
I don't know what ldap command could be used to find out the DN schema, either. However, there is an open source tool called "LDAP Admin"
Typically, OpenLDAP has a subschemaSubentry of "cn=Subschema"; that portion of the DIT contains this information.
It lists the available classes and types (the known schemas), which doesn't seem to be the issue here. If the question is 'how is my RDN formed', just querying the directory with ldapsearch should be enough.
On Mon, Jul 30, 2012 at 10:55 AM, Guillaume Rousse guillomovitch@gmail.com wrote:
It lists the available classes and types (the known schemas), which doesn't seem to be the issue here. If the question is 'how is my RDN formed', just querying the directory with ldapsearch should be enough.
What is the specific ldapsearch syntax to query the directory to find the RDN schema, Guillaume? I am also curious at this question.
On 30/07/2012 17:06, Qiang Xu wrote:
On Mon, Jul 30, 2012 at 10:55 AM, Guillaume Rousse guillomovitch@gmail.com wrote:
It lists the available classes and types (the known schemas), which doesn't seem to be the issue here. If the question is 'how is my RDN formed', just querying the directory with ldapsearch should be enough.
What is the specific ldapsearch syntax to query the directory to find the RDN schema, Guillaume? I am also curious at this question.
No specific syntax. Just get a specific user entry, and check its DN: ldapsearch -x -b <yourbase> uid=<youruid>
On Mon, Jul 30, 2012 at 11:24 AM, Guillaume Rousse guillomovitch@gmail.com wrote:
No specific syntax. Just get a specific user entry, and check its DN: ldapsearch -x -b <yourbase> uid=<youruid>
OK, I see. Just do a generic ldapsearch, right? Simple and effective. Thank you, Guillaume.
On 29/07/2012 04:34, Qian Zhang wrote:
Do you use something like cn=My Name,ou=Users,dc=example,dc=com with
uid in the entry or uid=ghenry,ou=Users,dc=example,dc=com ?
[Qian] Sorry, I am new to LDAP, can you please let me know how to figure out which way I am using for the DN format? By some ldap commands?
BTW, I installed and set up LDAP in a default way, so I guess the DN format should be "uid=ghenry,ou=Users,dc=example,dc=com" because when I log in to my machine with the uid, it works, but if I log in with the common name, it fails.
I don't know what could be a default way to set up an LDAP server. And you're basically confusing how the information is stored in the directory (the DIT) with the way your LDAP client (pam_nss or sssd, probably) interprets it. Remember that an LDAP server is a generic database system, not a dedicated POSIX account storage system (contrary to NIS, for instance), meaning there are different ways to achieve the same result. And the fact that your client works as expected doesn't give any hint about your directory content, except that it is properly configured.
Just try 'ldapsearch -x -b <yourbase>' to get an idea of your LDAP directory content.
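One way to answer both questions raised in this thread from the output of that ldapsearch (how each entry's RDN is formed, and whether any uid is held by more than one entry across OUs); this is an added example, not code from the thread, and the LDIF it parses is a constructed sample rather than output from anyone's directory.

```python
# Added example, not from the thread: parse what `ldapsearch -x -b <base>
# "(uid=*)" uid cn` prints, report each entry's RDN type, flag shared uids.
import base64
from collections import defaultdict

# Constructed sample output for a directory where "qzhang" exists twice.
SAMPLE_LDIF = """\
# qzhang, Users, example.com
dn: uid=qzhang,ou=Users,dc=example,dc=com
uid: qzhang

dn: cn=Qian Zhang,ou=Contractors,dc=example,dc=com
uid: qzhang

dn: uid=ghenry,ou=Users,dc=example,dc=com
uid: ghenry
cn:: R2F2aW4gSGVucnk=

result: 0 Success
"""


def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; unfolds ' ' continuations, decodes '::'."""
    entries, dn, attrs = [], None, defaultdict(list)
    for line in text.replace("\n ", "").splitlines() + [""]:
        if not line:                      # blank line ends an entry
            if dn is not None:
                entries.append((dn, dict(attrs)))
            dn, attrs = None, defaultdict(list)
        elif not line.startswith("#"):    # ldapsearch comments are skipped
            name, _, value = line.partition(":")
            if value.startswith(":"):     # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            if name.lower() == "dn":
                dn = value.strip()
            else:
                attrs[name.lower()].append(value.strip())
    return entries


def rdn_attribute(dn):
    """Attribute type naming the entry, e.g. 'uid' or 'cn' (text before '=')."""
    return dn.split("=", 1)[0].strip().lower()


def duplicate_uids(entries):
    """Map each uid held by more than one entry (ambiguous for PAM/NSS) to its DNs."""
    holders = defaultdict(list)
    for dn, attrs in entries:
        for uid in attrs.get("uid", []):
            holders[uid.lower()].append(dn)
    return {uid: dns for uid, dns in holders.items() if len(dns) > 1}
```

Server-side, the same uniqueness can be enforced by the OpenLDAP slapo-unique overlay (for example `unique_uri ldap:///dc=example,dc=com?uid?sub`), which rejects an add or modify that would give a second entry an existing uid.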
openldap-technical@openldap.org