ldap_mapper for pam_pkcs11

ldap_mapper for pam_pkcs11

Dominik Fischer
Hi,

I've finished a first version of the ldap_mapper for pam_pkcs11.
The patch is appended. It also contains a README with my
sample configuration for LDAP and pam_pkcs11.

The code compiles clean (with rev. 138) and the result works fine
for me.

There are some things to do. Most important (I think) is adding
support for SSL connections to the ldap server (ldaps). I'm working
on that.

Please review and possibly test the code. Constructive criticism
is welcome :-)


Kind regards,
Dominik Fischer


_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-devel

Attachment: ldap_mapper.patch (11K)

Re: ldap_mapper for pam_pkcs11

Jonsy (teleline)
On Thu, 01-09-2005 at 19:38 +0200, Dominik Fischer wrote:
> Hi,
>
> I've finished a first version of the ldap_mapper for pam_pkcs11.
> The patch is appended. It also contains a README with my
> sample configuration for LDAP and pam_pkcs11.

Thanks a lot!!!

> Please review and possibly test the code.
> Constructive criticism is welcome :-)

Seems OK. A few quick notes:

1 - The patch only implements the "login match" function.
So we'll need to code the "login find" and "content list" ones.

Login find is easy: just a getpwent() loop, call to ldap server
to retrieve certificate and compare with provided one.
When a match is found, current user will be the one to log in.
( Perhaps we could create a cache at module initialization....
better at next release :-)

Content list is easier: just extract the certificate by means
of the functions provided by the mappers API.

2- Not sure on static linking of this mapper: it uses an external
library "libldap" that might not be included in some scenarios
(ie: "configure --with-curl"). Some changes are needed in
configure and Makefile.am

3- Your LDAP queries only retrieve certificates. Not sure
(I'm not an expert on ldap programming) but it should not be
difficult to retrieve "any" certificate content (CN, Subject,
digest, public key or so) as specified in the configuration entry.

Anyway it's a real improvement for pam_pkcs11. I'll check it
asap and upload to svn.

Thank you very much for your work
Cheers

Juan Antonio


Re: ldap_mapper for pam_pkcs11

Roumen Petrov-2
In reply to this post by Dominik Fischer
I think that the X.509 certificate match should be done in the method ldap_get_certificate.
This will allow the method to find the certificate when the query returns more than one.
You can look at x509_by_ldap.c, part of "X.509 certificate support for OpenSSH", to get an idea.
Diffs can be found at http://roumenpetrov.info/openssh/download.html - select the one for versions 5.1 or 5.2.


Dominik Fischer wrote:

> Hi,
>
> I've finished a first version of the ldap_mapper for pam_pkcs11.
> The patch is appended. It also contains a README with my
> sample configuration for LDAP and pam_pkcs11.
>
> The code compiles clean (with rev. 138) and the result works fine
> for me.
>
> There are some things to do. Most important (I think) is adding
> support for SSL connections to the ldap server (ldaps). I'm working
> on that.
>
> Please review and possibly test the code. Constructive criticism
> is welcome :-)
>
>
> Kind regards,
> Dominik Fischer
>
>
>
ship patch
--
Get X.509 certificates support in OpenSSH:
http://roumenpetrov.info/openssh/

Re: ldap_mapper for pam_pkcs11

Dominik Fischer
In reply to this post by Jonsy (teleline)
Hi,

On Thursday, 01.09.2005, 21:15 +0200, juan antonio
martinez wrote:

> 1 - The patch only implements the "login match" function.
> So we'll need to code the "login find" and "content list" ones.
>
> Login find is easy: just a getpwent() loop, call to ldap server
> to retrieve certificate and compare with provided one.
> When a match is found, current user will be the one to log in.
> ( Perhaps we could create a cache at module initialization....
> better at next release :-)
>
> Content list is easier: just extract the certificate by means
> of the functions provided by the mappers API.

Ok. I will implement both next. Seems not too difficult.

> 2- Not sure on static linking of this mapper: it uses an external
> library "libldap" that might not be included in some scenarios
> (ie: "configure --with-curl"). Some changes are needed in
> configure and Makefile.am

I have no experience with automake... not yet :-)

> 3- Your LDAP queries only retrieve certificates. Not sure
> (I'm not an expert on ldap programming) but it should not be
> difficult to retrieve "any" certificate content (CN, Subject,
> digest, public key or so) as specified in the configuration entry.

What you can get from ldap depends on the "schemas" you added to
your ldap-server. Usually there are all the needed entries from
/etc/passwd, /etc/group, /etc/shadow + extensions (like
usercertificate, email-address, etc.). You can map entries from
the smartcard-certificate to those.

We should discuss what is needed here.

> Anyway it's a real improvement for pam_pkcs11. I'll check it
> asap and upload to svn.

That would be great!

> Thank you very much for your work

I'm happy if I can help :-)

Regards,

Dominik


Re: ldap_mapper for pam_pkcs11

Dominik Fischer
In reply to this post by Roumen Petrov-2
On Thursday, 01.09.2005, 23:38 +0300, Roumen Petrov wrote:
> I think that the X.509 certificate match should be done in the method ldap_get_certificate.
> This will allow the method to find the certificate when the query returns more than one.
> You can look at x509_by_ldap.c, part of "X.509 certificate support for OpenSSH", to get an idea.
> Diffs can be found at http://roumenpetrov.info/openssh/download.html - select the one for versions 5.1 or 5.2.

I will take a look at this. Thanks!

Regards,
Dominik


Re: Re: ldap_mapper for pam_pkcs11

Dominik Fischer
In reply to this post by Dominik Fischer
Hi,

On Thursday, 01.09.2005, 23:08 +0200, Dominik Fischer wrote:

> Hi,
>
> On Thursday, 01.09.2005, 21:15 +0200, juan antonio
> martinez wrote:
>
> > 1 - The patch only implements the "login match" function.
> > So we'll need to code the "login find" and "content list" ones.
> >
> > Login find is easy: just a getpwent() loop, call to ldap server
> > to retrieve certificate and compare with provided one.

Hmmm... I thought a little bit about that:

- Assume you have 8500 users - as this is the number of users I'm
  dealing with :-)
- Each certificate's size is about 1000 Byte => 8,5MB to receive
- Assume you have a 1MBit/s connection

==> login find will take over 1 minute for that.

And in my case the 1MBit connection is the fast one: there's also
a GPRS connection with roughly 50kBit/s |-)Zzzz

If login takes longer than 10-15 seconds, users (at least my users)
power off the system, because they think something went wrong :-)

Btw: I've measured the time: from entering the login name to the PIN
prompt it takes about 10 seconds.

Just to consider.

Regards,
Dominik


Re: ldap_mapper for pam_pkcs11

Juan Antonio Martinez
On Sun, 04-09-2005 at 12:57 +0200, Dominik Fischer wrote:
> Hi,
[...]

> > > 1 - The patch only implements the "login match" function.
> > > So we'll need to code the "login find" and "content list" ones.
> > >
> > > Login find is easy: just a getpwent() loop, call to ldap server
> > > to retrieve certificate and compare with provided one.
> Hmmm... I thought a little bit about that:
> - Assume you have 8500 users - as this is the number of users I'm
>   dealing with :-)
> - Each certificate's size is about 1000 Byte => 8,5MB to receive
> - Assume you have a 1MBit/s connection
> ==> login find will take over 1 minute for that.
[...]

> Just to consider.

Ok, you're right.

I've thought of some ways to circumvent this:

- Create a local cache. Not sure on security concerns...
- Don't ask for every getpwent()'s certificate, just call server
'give me the user name that owns this certificate': a sort of
remote mapfile. ( Hey! what's on a database based mapper module? )
- Don't retrieve certificates, just (for instance) signature digests

Anyway, my feeling is to release your LDAP module with pam_pkcs11-0.5.3
and then start working deeper on remote certificate mgmnt. Remember
that remote CA download and PKINIT support are TODOs for 0.6...

Regards
Juan Antonio


Attachment: signature.asc (196 bytes)

Re: ldap_mapper for pam_pkcs11

Dominik Fischer
On 5.9.2005, "Juan Antonio Martinez" <[hidden email]> wrote:
>- Create a local cache. Not sure on security concerns...
>- Don't ask for every getpwent()'s certificate, just call server
>'give me the user name that owns this certificate': a sort of
>remote mapfile. ( Hey! what's on a database based mapper module? )
>- Don't retrieve certificates, just (for instance) signature digests

How about this: set the search filter so that only one entry, selected by
the certificate from the smartcard, is returned. The certificate from the
smartcard is used in the search filter. The only attribute to be returned
by ldap is the uid (which is the login_name).
So only a little over 1k is transferred.

>
>Anyway, My feeling is release your LDAP module with pam_pkcs11-0.5.3
>An then start working deeper in remote certificate mgmnt. Remember
>that remote CA's download and PKINIT support are TODO's for 0.6...

Fine.

Regards,
Dominik
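The "login find" query Dominik proposes in his last message, written out as an added example (not code from the ldap_mapper patch or from pam_pkcs11): the card's DER certificate is escaped into an LDAP search filter so the server returns at most the one matching entry, and only its uid attribute. The `posixAccount` object class and the `userCertificate;binary` attribute are assumptions about the directory schema, as is the check that the server's equality match on that attribute is byte-exact; the transfer-time helper reproduces the per-user getpwent() estimate from the thread for comparison.

```python
# Added example, not part of the ldap_mapper patch discussed in the thread.

def escape_filter_value(raw: bytes) -> str:
    """RFC 4515 escaping for a binary assertion value: every byte becomes
    \\XX, so DER bytes that happen to be '(', ')', '*', '\\' or NUL cannot
    change the structure of the filter."""
    return "".join(f"\\{b:02x}" for b in raw)


def login_find_filter(cert_der: bytes) -> str:
    """Filter selecting exactly the account whose stored certificate equals
    the card's certificate.  Object class and attribute names are assumed
    (posixAccount / userCertificate;binary); the server must apply a
    byte-exact equality match to the attribute for this to be reliable."""
    return ("(&(objectClass=posixAccount)"
            f"(userCertificate;binary={escape_filter_value(cert_der)}))")


# Only the login name is requested, so the reply is a few bytes, not a cert.
LOGIN_FIND_ATTRS = ["uid"]


def pick_login(entries):
    """Accept the lookup result only when it is unambiguous: exactly one
    entry with exactly one uid value.  Zero entries means "no such user";
    several entries means the directory holds the same certificate twice,
    which must be treated as a failure, not a free choice of account."""
    if len(entries) != 1:
        return None
    uids = entries[0].get("uid") or []
    if len(uids) != 1:
        return None
    return uids[0]


def getpwent_loop_seconds(users: int, cert_bytes: int, link_bits_per_s: int) -> float:
    """Transfer time for the per-user approach (fetch every user's
    certificate and compare locally), as estimated in the thread."""
    return users * cert_bytes * 8 / link_bits_per_s


if __name__ == "__main__":
    # Constructed sample: the first bytes of a DER SEQUENCE, plus a ')' byte
    # (0x29) to show why escaping is mandatory.
    sample_der = b"\x30\x82\x03\x29"
    print(login_find_filter(sample_der))
    print(pick_login([{"uid": ["dfischer"]}]))
    print(f"{getpwent_loop_seconds(8500, 1000, 1_000_000):.0f} s for 8500 users at 1 Mbit/s")
```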