Forum OpenACS Q&A: nsldap with bind support

Posted by russ m on
I've just spent an annoying couple of days trying to work out how to get nsldap to do bind authentication against our directory server. In case anyone else is in the same boat and has found that the copy of nsldap at sussdorff.de is 404ing and the version in aolserver CVS (and the debian aolserver4-nsldap) doesn't support bind, Mark Aufflick helpfully posted Malte's diff to the aolserver list a while ago. I'll see if I can nudge it into the aolserver upstream, or at least the debian packages, but in the meantime here it is -

http://www.mail-archive.com/aolserver@listserv.aol.com/msg12073.html

Some google-bait for anyone searching on the relevant error messages:

Error: auth::authenticate: error invoking authentication driver for authority_id = 652: ns_ldap: Unknown command"bind": should be bouncepool, connected, disconnect, gethandle, host, password, poolname, releasehandle, or user

Posted by Gustaf Neumann on
If you have a chance, I would recommend using PAM (Pluggable Authentication Modules) in connection with the naviserver module nsauthpam written by Vlad Seryakov. PAM allows one to define a hierarchy of different authentication systems. PAM modules (such as pam_ldap, pam_usb, pam_smb, pam_ssh or pam_krb5) are available for many operating systems (we use pam_krb5).

The module nsauthpam is implemented for naviserver and uses naviserver's nice API for Tcl argument passing. Victor Guerra has altered argument passing to the good old manual way to compile the module for aolserver as well. If there is interest, we can make this available.

Links:
http://en.wikipedia.org/wiki/Pluggable_Authentication_Modules
http://bitbucket.org/naviserver/nsauthpam/src
http://naviserver.cvs.sourceforge.net/viewvc/naviserver/modules/nsauthpam/

Posted by Malte Sussdorff on
We have run into the issue of no bind support a couple of times now and are about to patch the Debian aolserver4-nsldap package to include the bind command. Has anyone else maybe done this already?

But as you recommend using nsauthpam, do you have the code to get this working in AOLserver somewhere so we could compile nsauthpam? Is there documentation for this?

Posted by Victor Guerra on
Let me look for the code and I'll upload it to the file-storage so you can have it.