pam_pkcs11: usepwent, cert_item patch for opensc_mapper and ldap_mapper


pam_pkcs11: usepwent, cert_item patch for opensc_mapper and ldap_mapper

Dominik Fischer
Hi,

I've made some improvements to ldap_mapper and opensc_mapper.

With the attached patch they accept two more options: usepwent, cert_item.
Stolen from generic_mapper :-)

I found out that looping over getpwent() is not that good if you have
8000+ users defined in your system. Really bad:
the ldap_mapper makes an ldap_search for every user, until a certificate
matches.

Please review the patch and maybe add it to trunk?

Kind regards
Dominik Fischer
--
GPG-Fingerprint: F44B 9E31 1654 BCB5 6FBA 910F 46E7 F60C EEF1 67BD

_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-devel

Attachments: usepwent-cert_item.patch (9K), attachment1 (196 bytes)

Re: pam_pkcs11: usepwent, cert_item patch for opensc_mapper and ldap_mapper

Jonsy (teleline)
On Fri, 09-12-2005 at 18:44 +0100, Dominik Fischer wrote:
> Hi,
> I've made some improvements to ldap_mapper and opensc_mapper.
> With the attached patch they accept two more options: usepwent,
> cert_item. Stolen from generic_mapper :-)

These options make no sense for the opensc mapper, as it _must_ search
for ${HOME}/.eid/authorized_certificates, that is: the key to
find/match is the certificate itself, not "any" certificate content.

Take a look at AJ's pam_p11 code to see how this mapper should work.

I'll study the ldap related patches deeply. Seems promising, as the current
code only makes ldap queries on certificates, not on cert contents.
This is a pending job that needs to be written...

> I found out that looping over getpwent() is not that good
> if you have 8000+ users defined in your system. Really bad:
> the ldap_mapper makes an ldap_search for every user, until
> a certificate matches.

I agree: it's too hard to navigate across 8000+ pw entries to find
the user that owns the provided certificate. The ODBC mapper (work in
progress) makes it simple:
"SELECT login FROM certdb WHERE cert='_provided_cert_blob_'; "
But I still need to find a similar way to speed up ldap queries.

In the meantime, please use the "match" feature (just enter the login)
instead of "find" (provide an empty login to let the pam module deduce it).

Thanks. Regards
Juan Antonio

PS: Please, please, try to keep patches as simple as possible:
everyone prefers many little patches that change one thing
at a time, rather than one "big brother" patch that changes everything.



Attachment: smime.p7s (2K)
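An added example (not code from this thread or from pam_pkcs11) modelling the two mapper modes Juan Antonio contrasts: "match", where PAM already has the login and one lookup suffices, versus "find", where the getpwent()-style loop issues one backend query per user, and the certdb-style index that answers "find" with a single keyed lookup. The user list, certificates and the `Backend` query counter are constructed stand-ins for the real getpwent()/LDAP lookups.

```python
import hashlib
from collections import defaultdict

# Constructed sample data: a getpwent()-style user list and the certificates
# each user's ~/.eid/authorized_certificates would hold (a hypothetical layout).
USERS = ["alice", "bob", "carol"]
AUTHORIZED = {
    "alice": [b"-----CERT alice-----", b"-----CERT shared-----"],
    "bob": [b"-----CERT bob-----", b"-----CERT bob-old-----"],
    "carol": [b"-----CERT shared-----"],   # same cert as alice: ambiguous owner
}

def fingerprint(cert: bytes) -> str:
    """Key certificates by SHA-256 digest so lookups compare digests, not blobs."""
    return hashlib.sha256(cert).hexdigest()

class Backend:
    """Stands in for the per-user LDAP/file lookup and counts queries issued."""
    def __init__(self):
        self.queries = 0
    def authorized_for(self, login):
        self.queries += 1
        return [fingerprint(c) for c in AUTHORIZED.get(login, [])]

def match_user(backend, login, cert):
    """'match' mode: the login is known, so exactly one backend query is needed."""
    return fingerprint(cert) in backend.authorized_for(login)

def find_user_getpwent(backend, cert):
    """'find' mode as described in the thread: query every user until one matches.
    Worst case (unknown cert) costs len(USERS) queries; first hit wins, so a
    certificate shared by two users is silently attributed to the first one."""
    fp = fingerprint(cert)
    for login in USERS:
        if fp in backend.authorized_for(login):
            return login
    return None

def build_certdb(backend):
    """Build the cert-keyed index once (the 'SELECT login FROM certdb WHERE cert=' idea)."""
    index = defaultdict(list)
    for login in USERS:
        for fp in backend.authorized_for(login):
            index[fp].append(login)
    return index

def find_user_certdb(certdb, cert):
    """One keyed lookup; refuse to map a certificate that belongs to several logins."""
    logins = certdb.get(fingerprint(cert), [])
    return logins[0] if len(logins) == 1 else None
```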