Re: [hylafax-users] PAM authentication and JobProtection



It's been a few years since I've worked with the LDAP code.  It was developed/tested against a Novell eDirectory system, but I ultimately gave up on using it.  A lot of the Windows-based fax clients just didn't play very nice, and debugging took up too much time.
 
But, from what I can recall from memory, the LDAP code is really simple.  It basically tests for availability of the LDAP server, tests that it can access the directory, and tests the user's membership to see if it's in an allowed group to send a fax.  Changing that shouldn't take too much effort, including the "groupMembership" string.
 
There's a lot of room for improvement, as the original patch was one I scrounged off of Google and updated to fit with the then-current release of HylaFAX (which I think was 5.2.2).
 
HTH,
 
--J
 

From: Lee Howard [faxguy@xxxxxxxxxxxxxxxx]
Sent: Friday, December 10, 2010 11:00 AM
To: Giuseppe Sacco; Joshua Kinard
Cc: hylafax-users@xxxxxxxxxxx
Subject: Re: [hylafax-users] PAM authentication and JobProtection

Giuseppe Sacco wrote:
> Hi Lee,
> thanks for your prompt reply.
>
> On Thu, 09/12/2010 at 21.14 -0800, Lee Howard wrote:
> [...]
>  
>> Consequently for this to be resolved hfaxd would need to automatically
>> add entries to hosts.hfaxd (or some other database/table/file) which
>> could be used to assign unique uid/gid to each user, but which would not
>> replace or interfere with future authentications.  So some development
>> would be required to enhance and expand hfaxd to do this.
>>    
>
> Do you think a new attribute in ldap would help? I mean, it would be
> possible to add a faxGroup attribute to the currently used LDAP schema
> (is it posixUser?) and use it as hylafax uid? Of course it will not be
> usable via PAM, but it could be used when hylafax+ directly accesses LDAP.
>  

Yes, this is certainly possible, but I think it requires code
development work.  And in my way of thinking if someone is going to do
some development work for this then that could be best-spent
implementing a feature that works for all authentication methods (both
PAM and LDAP).  So that's how I'd spend *my* time trying to resolve it
rather than developing something specific to LDAP.

I've added Joshua Kinard, the HylaFAX+ LDAP contributor, to this e-mail.

Joshua, with the current LDAP implementation in HylaFAX+ does hfaxd get
some kind of unique per-user uid or gid and then pass that back to
hfaxd?  (Forgive me for not re-examining the code.)  If not, do you have
any opinions on its implementation?

> Moreover, I just checked ldap authentication in hylafax+ source code.
> From what I understand, this only works on LDAP schema that have a
> groupMembership (is it Novell eDirectory schema?).

I think it was developed for Microsoft Active Directory and also Novell.

> It would not work on
> posixGroup as they use memberUid attribute instead. Is it correct?

I don't know the answer to this question, but by all means the feature
could be expanded.

Thanks,

Lee.
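
The schema difference discussed in this thread, as an added example that is not HylaFAX+ code and was not written by anyone in the thread: a group check that accepts both a user-side groupMembership attribute (DN values) and a posixGroup memberUid attribute (login names), plus a search filter with escaped inputs. The entries, DNs, group name and function names are constructed for illustration.

```python
# Added illustration, not HylaFAX+ source. Entries are constructed samples
# shaped like LDAP search results (attribute name -> list of values).
GROUP_DN = 'cn=faxusers,ou=groups,o=example'
EDIR_USER = {'uid': ['alice'],
             'groupMembership': ['CN=FaxUsers, ou=Groups, o=Example']}
POSIX_USER = {'uid': ['bob'], 'objectClass': ['posixAccount']}
POSIX_GROUP = {'cn': ['faxusers'], 'memberUid': ['bob', 'carol']}

def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

def norm_dn(dn):
    """Loose DN key: lower-cased, spaces around commas dropped (simplified)."""
    return ','.join(part.strip().lower() for part in dn.split(','))

def get_attr(entry, name):
    """LDAP attribute names are case-insensitive."""
    for key, values in entry.items():
        if key.lower() == name.lower():
            return values
    return []

def is_member(user_entry, group_entry, group_dn):
    """True if the user is in the allowed group under either schema style."""
    # groupMembership style: the user entry lists the DNs of its groups.
    wanted = norm_dn(group_dn)
    if any(norm_dn(dn) == wanted for dn in get_attr(user_entry, 'groupMembership')):
        return True
    # posixGroup style: the group entry lists bare login names in memberUid,
    # which RFC 2307 compares case-sensitively.
    group_uids = get_attr(group_entry, 'memberUid')
    return any(uid in group_uids for uid in get_attr(user_entry, 'uid'))

def posix_group_filter(uid, group_cn):
    """Search filter for the posixGroup check, with both inputs escaped."""
    return '(&(objectClass=posixGroup)(cn=%s)(memberUid=%s))' % (
        escape_filter_value(group_cn), escape_filter_value(uid))
```

A check that reads only groupMembership returns no match for `POSIX_USER`, because that entry carries no such attribute; the membership is recorded on the group entry instead.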



