| Anonymous | Login | 2024-04-19 20:01 MDT |
| Main | My View | View Issues | Change Log | Roadmap | Repositories |
| View Issue Details [ Jump to Notes ] | [ Issue History ] [ Print ] | ||||||||
| ID | Project | Category | View Status | Date Submitted | Last Update | ||||
| 0000129 | ClearOS | public | 2010-08-25 11:35 | 2010-10-13 12:59 | |||||
| Reporter | kbrault | ||||||||
| Assigned To | dloper | ||||||||
| Priority | normal | Severity | feature | Reproducibility | always | ||||
| Status | closed | Resolution | won't fix | ||||||
| Platform | OS | OS Version | |||||||
| Product Version | 5.2 | ||||||||
| Target Version | Fixed in Version | ||||||||
| Summary | 0000129: LDAP structure does not work well with some apps | ||||||||
| Description | The ClearOS LDAP system uses CN as part of the DN structrue and not UID. This can cause issues with other applications accessing LDAP and with future changes to LDAP user data. Can the LDAP structure be changed from: cn=("First Name" (Space) "Last Name",ou=Users,ou=Accounts,dc=(domain),dc=(domain suffix) to: uid=(logon name),ou=Users,ou=Accounts,dc=(domain),dc=(domain suffix) ? Thank you, Kevin | ||||||||
| Additional Information | Reference: http://www.clearfoundation.com/component/option,com_kunena/Itemid,232/catid,10/func,view/id,10010/#10056 [^] and: http://www.clearfoundation.com/component/option,com_kunena/Itemid,232/catid,10/func,view/id,16120/#16194 [^] | ||||||||
| Tags | No tags attached. | ||||||||
| Attached Files | |||||||||
 Relationships |
|
 Relationships |
|
Notes |
|
|
(0000246) user2 2010-08-26 15:03 |
From David Loper - ClearFoundation Developer: One of the basic things that we consider for ClearOS is interoperability. This is key to all of the innovation and design. It would seem that using UID for the DN like Novell eDir does it, OpenDS, Banyan Vines, and a host of other directories do it should be the way to go. Why then would we choose to use the Microsoft and OpenLDAP method. For those who don't have an AD environment let me show you a user record from Active Directory: # Test User, Users, clearos.lan dn: CN=Test User,CN=Users,DC=clearos,DC=lan objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user cn: Test User sn: User givenName: Test distinguishedName: CN=Test User,CN=Users,DC=clearos,DC=lan instanceType: 4 whenCreated: 20100818193840.0Z whenChanged: 20100818234945.0Z displayName: Test User uSNCreated: 13967 memberOf: CN=Domain Admins,CN=Users,DC=clearos,DC=lan uSNChanged: 13985 name: Test User objectGUID:: fU3cqIct1Eu+Doppki0BMg== userAccountControl: 66048 badPwdCount: 8 codePage: 0 countryCode: 0 badPasswordTime: 129268865011588750 lastLogoff: 0 lastLogon: 129268077974941250 pwdLastSet: 129266482930322500 primaryGroupID: 513 objectSid:: AQUAAAAAAAUVAAAAYkr3psLu7qn0zF7bWwQAAA== adminCount: 1 accountExpires: 9223372036854775807 logonCount: 3 sAMAccountName: tuser sAMAccountType: 805306368 userPrincipalName: tuser@clearos.lan objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=clearos,DC=lan Samba is an integral part of ClearOS. It works a lot like NT4.0 but on steroids. It is not quite AD and yet it is far more than NT4.0. The move of Samba from the smbpasswd to LDAP was the one of the key technical pieces between CC 4.3 and 5.0. In designing the directory, great care was used to make sure that the structure of LDAP would correctly handle samba. To do this we mimic much of the bare requirements of Active Directory to ensure that in the future people could not only interoperate, but also potentially migrate to Samba 4. ClearOS has a number of services that all use UID or other attribute primarily for authentication. This includes Postfix, Samba, ProFTPD, SSH, Apache, OpenVPN, PPTPd, and others. All of these connect to COS LDAP and all of them do NOT use the DN for authentication if they did the user would have to use CN=Test User,CN=Users,DC=clearos,DC=lan for his username. It is very likely that the DN has nothing to do with the troubles you are having but rather your application is pulling the CN attribute rather than the uid attribute. (you stated that you could log in as 'Stuart Naylor' which value is NOT 'cn=Stuart Naylor,ou=Users,ou=Accounts,dc=clearos,dc=lan') For instance, if I was this user: # Test User, Users, Accounts, clearos.lan dn: cn=Bob is your uncle,ou=Users,ou=Accounts,dc=clearos,dc=lan uid: tuser cn: Test User I would still need to log in as 'tuser' regardless of the application. Any other required login would represent a misconfiguration of the service and how it pulls authentication from LDAP. PGINA will have instructions on how to connect it to directories other than Active Directory. The reasons are obvious because if you want to connect a workstation to AD then you do so with the Professional version. Very likely it is pulling the CN attribute and not UID. To your point about changing a User's Name. You run into that very problem on all the time. COS is really good about changing a users 'aesthetic' names. This includes the DN, givenName, SN and CN. If someone goes through their name change (religious or otherwise) we can change those names and it does NOT adversely affect the user except at the UID (username)...that does NOT change yet on COS cause it breaks stuff like home directories, permissions, and other things both on ClearOS and on the workstation. So the short answer is that if we change it from CN to UID for the DN then we fix it for everyone using PGina to connect to ClearOS and break it for everyone using Domain Membership. Lastly, CN is more widely recognized by various schemas and objectclasses than is UID. For instance RFC 2256 which describes the 'person' object class, does not recognize UID. |
|
(0000247) user2 2010-08-26 15:05 |
Thank you David Loper for the detailed explanation :-) |
|
(0000248) user2 2010-08-27 09:44 |
And thank you Kevin for bringing this to our attention. We catch a lot of the issues in the forum, but we can't catch them all. |
|
(0000254) kbrault (updater) 2010-08-30 11:26 |
Can't have two users with identical real names (CN's). I have two users named "John Doe". With this structure how can I create accounts? Their account names (logins) have a random number structure (u132645, u987654, etc). Having to modify their CN's is not desireable. Please let me know if you have any sugestions. Thank you |
|
(0000255) user2 2010-08-30 12:02 |
The "identical real names" is the Achilles Heel of this structure and it has always bugged me. Well.. calling it an Achilles Heel is not really accurate since the methodology is still widely used. I guess people use middle names and initials to get around the issue? In the end, it's really a matter of picking our poison. Do we play well with Microsoft / Active Directory / Samba and handle the limitation with using the "real name" in the DN? Or, do we abandon good integration with Microsoft / Active Directory / Samba and use the user ID in the DN? |
|
(0000256) dloper (administrator) 2010-08-30 15:18 |
Implement OUs under the Accounts container, this will be done in future versions of ClearOS. |
|
Notes |
|
Issue History |
|||
| Date Modified | Username | Field | Change |
| 2010-08-25 11:35 | kbrault | New Issue | |
| 2010-08-26 15:03 | user2 | Note Added: 0000246 | |
| 2010-08-26 15:04 | user2 | Status | new => assigned |
| 2010-08-26 15:04 | user2 | Assigned To | => dloper |
| 2010-08-26 15:05 | user2 | Note Added: 0000247 | |
| 2010-08-26 15:05 | user2 | Status | assigned => resolved |
| 2010-08-26 15:05 | user2 | Resolution | open => won't fix |
| 2010-08-27 09:44 | user2 | Note Added: 0000248 | |
| 2010-08-30 11:26 | kbrault | Note Added: 0000254 | |
| 2010-08-30 11:26 | kbrault | Status | resolved => feedback |
| 2010-08-30 11:26 | kbrault | Resolution | won't fix => reopened |
| 2010-08-30 12:02 | user2 | Note Added: 0000255 | |
| 2010-08-30 15:18 | dloper | Note Added: 0000256 | |
| 2010-10-13 12:59 | user2 | Status | feedback => closed |
| 2010-10-13 12:59 | user2 | Resolution | reopened => won't fix |
|
Issue History |