ClearOS Bug Tracker


Issue 0000129
Project: ClearOS
Category: (not set)
View Status: public
Date Submitted: 2010-08-25 11:35
Last Update: 2010-10-13 12:59
Reporter: kbrault
Assigned To: dloper
Priority: normal
Severity: feature
Reproducibility: always
Status: closed
Resolution: won't fix
Platform / OS / OS Version: (not set)
Product Version: 5.2
Target Version: (not set)
Fixed in Version: (not set)
Summary: 0000129: LDAP structure does not work well with some apps
Description:
The ClearOS LDAP system uses CN as part of the DN structure and not UID. This can cause issues with other applications accessing LDAP and with future changes to LDAP user data.

Can the LDAP structure be changed from:

cn=("First Name" (Space) "Last Name"),ou=Users,ou=Accounts,dc=(domain),dc=(domain suffix)

to:

uid=(logon name),ou=Users,ou=Accounts,dc=(domain),dc=(domain suffix)

?

Thank you,

Kevin
Additional Information:
Reference:

http://www.clearfoundation.com/component/option,com_kunena/Itemid,232/catid,10/func,view/id,10010/#10056

and:

http://www.clearfoundation.com/component/option,com_kunena/Itemid,232/catid,10/func,view/id,16120/#16194
Tags: No tags attached.
Attached Files: (none)
Relationships: (none)

Notes
(0000246)
user2
2010-08-26 15:03

From David Loper - ClearFoundation Developer:

One of the basic things that we consider for ClearOS is interoperability. This is key to all of the innovation and design. It would seem that using UID for the DN, as Novell eDir, OpenDS, Banyan Vines, and a host of other directories do, should be the way to go. Why then would we choose to use the Microsoft and OpenLDAP method? For those who don't have an AD environment let me show you a user record from Active Directory:

# Test User, Users, clearos.lan
dn: CN=Test User,CN=Users,DC=clearos,DC=lan
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Test User
sn: User
givenName: Test
distinguishedName: CN=Test User,CN=Users,DC=clearos,DC=lan
instanceType: 4
whenCreated: 20100818193840.0Z
whenChanged: 20100818234945.0Z
displayName: Test User
uSNCreated: 13967
memberOf: CN=Domain Admins,CN=Users,DC=clearos,DC=lan
uSNChanged: 13985
name: Test User
objectGUID:: fU3cqIct1Eu+Doppki0BMg==
userAccountControl: 66048
badPwdCount: 8
codePage: 0
countryCode: 0
badPasswordTime: 129268865011588750
lastLogoff: 0
lastLogon: 129268077974941250
pwdLastSet: 129266482930322500
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAYkr3psLu7qn0zF7bWwQAAA==
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 3
sAMAccountName: tuser
sAMAccountType: 805306368
userPrincipalName: tuser@clearos.lan
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=clearos,DC=lan

Samba is an integral part of ClearOS. It works a lot like NT4.0 but on steroids. It is not quite AD and yet it is far more than NT4.0. The move of Samba from smbpasswd to LDAP was one of the key technical pieces between CC 4.3 and 5.0. In designing the directory, great care was used to make sure that the structure of LDAP would correctly handle Samba. To do this we mimic much of the bare requirements of Active Directory to ensure that in the future people could not only interoperate, but also potentially migrate to Samba 4.

ClearOS has a number of services that all use UID or another attribute primarily for authentication. This includes Postfix, Samba, ProFTPD, SSH, Apache, OpenVPN, PPTPd, and others. All of these connect to COS LDAP and all of them do NOT use the DN for authentication; if they did, the user would have to use CN=Test User,CN=Users,DC=clearos,DC=lan for his username. It is very likely that the DN has nothing to do with the troubles you are having, but rather that your application is pulling the CN attribute rather than the uid attribute. (You stated that you could log in as 'Stuart Naylor', which is NOT 'cn=Stuart Naylor,ou=Users,ou=Accounts,dc=clearos,dc=lan'.)

For instance, if I was this user:

# Test User, Users, Accounts, clearos.lan
dn: cn=Bob is your uncle,ou=Users,ou=Accounts,dc=clearos,dc=lan
uid: tuser
cn: Test User

I would still need to log in as 'tuser' regardless of the application. Any other required login would represent a misconfiguration of the service and how it pulls authentication from LDAP.

PGINA will have instructions on how to connect it to directories other than Active Directory. The reasons are obvious because if you want to connect a workstation to AD then you do so with the Professional version. Very likely it is pulling the CN attribute and not UID.

To your point about changing a user's name: you run into that very problem all the time. COS is really good about changing a user's 'aesthetic' names. This includes the DN, givenName, SN and CN. If someone goes through a name change (religious or otherwise) we can change those names and it does NOT adversely affect the user except at the UID (username)... that does NOT change yet on COS because it breaks stuff like home directories, permissions, and other things both on ClearOS and on the workstation.

So the short answer is that if we change it from CN to UID for the DN then we fix it for everyone using PGina to connect to ClearOS and break it for everyone using Domain Membership.

Lastly, CN is more widely recognized by various schemas and objectclasses than is UID. For instance RFC 2256 which describes the 'person' object class, does not recognize UID.
(0000247)
user2
2010-08-26 15:05

Thank you David Loper for the detailed explanation :-)
(0000248)
user2
2010-08-27 09:44

And thank you Kevin for bringing this to our attention. We catch a lot of the issues in the forum, but we can't catch them all.
(0000254)
kbrault (updater)
2010-08-30 11:26

Can't have two users with identical real names (CN's).

I have two users named "John Doe". With this structure how can I create accounts? Their account names (logins) have a random number structure (u132645, u987654, etc.). Having to modify their CNs is not desirable.

Please let me know if you have any suggestions.

Thank you
(0000255)
user2
2010-08-30 12:02

The "identical real names" is the Achilles' heel of this structure and it has always bugged me. Well... calling it an Achilles' heel is not really accurate since the methodology is still widely used. I guess people use middle names and initials to get around the issue?

In the end, it's really a matter of picking our poison. Do we play well with Microsoft / Active Directory / Samba and handle the limitation with using the "real name" in the DN? Or, do we abandon good integration with Microsoft / Active Directory / Samba and use the user ID in the DN?
(0000256)
dloper (administrator)
2010-08-30 15:18

Implement OUs under the Accounts container, this will be done in future versions of ClearOS.
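
As an added example, not code from ClearOS, Samba, PGina or any other project named in this thread: the search-then-bind flow that note 0000246 says every ClearOS service already follows (locate the entry by its uid attribute, then bind with whatever DN comes back, so the cn-based DN never has to be typed or guessed by the user), run against a constructed in-memory directory rather than a live server. The directory also models the two "John Doe" accounts from note 0000254, with the second one placed in an assumed sub-OU named ou=Sales in the spirit of the OU layout note 0000256 proposes, to show that a uid lookup still yields exactly one entry while a cn lookup returns two and must be refused. The entries, the userPassword values and the simulated bind are constructed for the demo; a real server compares against a stored hash. Filter values are escaped per RFC 4515 before being interpolated, which is the check any application doing its own uid search needs so that a login name such as "*" cannot turn into a wildcard match.

```python
# Search-then-bind against a constructed, in-memory LDAP-like directory.
# Added example; not ClearOS, Samba or PGina code. The entries, passwords
# and the sub-OU "ou=Sales" are assumptions made for this demonstration.
from __future__ import annotations

import hmac
import re
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]

BASE_DN = "ou=Users,ou=Accounts,dc=clearos,dc=lan"

# Constructed sample directory (DN -> attributes), laid out as the ticket
# describes: the RDN is the real name (cn), the login name is uid. Two
# accounts share the cn "John Doe"; the second sits in an assumed sub-OU so
# its DN is distinct. Passwords are plaintext only because simulated_bind()
# stands in for the server-side compare that a real simple bind performs.
DIRECTORY: Dict[str, Entry] = {
    f"cn=Test User,{BASE_DN}": {
        "cn": ["Test User"], "sn": ["User"], "uid": ["tuser"],
        "userPassword": ["tuser-demo-pass"],
    },
    f"cn=John Doe,{BASE_DN}": {
        "cn": ["John Doe"], "sn": ["Doe"], "uid": ["u132645"],
        "userPassword": ["doe-one-demo-pass"],
    },
    f"cn=John Doe,ou=Sales,{BASE_DN}": {
        "cn": ["John Doe"], "sn": ["Doe"], "uid": ["u987654"],
        "userPassword": ["doe-two-demo-pass"],
    },
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: user input enters a filter as data, never syntax."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def _unescape(value: str) -> str:
    """Turn RFC 4515 '\\xx' escapes back into literal characters."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _compile_filter(filter_str: str) -> Tuple[str, re.Pattern[str]]:
    """Support one '(attr=value)' filter: an unescaped '*' is a substring
    wildcard, escaped characters are literal (split on '*' before unescaping)."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filter_str)
    if m is None:
        raise ValueError(f"unsupported filter: {filter_str!r}")
    attr, value = m.group(1).lower(), m.group(2)
    pieces = [re.escape(_unescape(p)) for p in value.split("*")]
    return attr, re.compile("^" + ".*".join(pieces) + "$", re.IGNORECASE)


def search(directory: Dict[str, Entry], base: str, filter_str: str) -> List[str]:
    """Subtree search: DNs at or below `base` whose entry matches the filter."""
    attr, rx = _compile_filter(filter_str)
    base_l = base.lower()
    hits = []
    for dn, entry in directory.items():
        dn_l = dn.lower()
        in_scope = dn_l == base_l or dn_l.endswith("," + base_l)
        if in_scope and any(rx.match(v) for v in entry.get(attr, [])):
            hits.append(dn)
    return hits


def resolve_bind_dn(directory: Dict[str, Entry], login_name: str, base: str = BASE_DN) -> str:
    """Map a login name to exactly one DN through the uid attribute. Zero or
    several hits are both refused: an ambiguous lookup must never silently
    bind as whichever entry happens to come back first."""
    hits = search(directory, base, f"(uid={escape_filter_value(login_name)})")
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} entries match uid={login_name!r}")
    return hits[0]


def simulated_bind(directory: Dict[str, Entry], dn: str, password: str) -> bool:
    """Stand-in for an LDAP simple bind on `dn` (constant-time compare)."""
    entry = directory.get(dn)
    if entry is None:
        return False
    stored = entry.get("userPassword", [""])[0]
    return hmac.compare_digest(stored.encode(), password.encode())


def login(directory: Dict[str, Entry], username: str, password: str) -> Optional[str]:
    """Search-then-bind. Returns the bound DN, or None on any failure."""
    try:
        dn = resolve_bind_dn(directory, username)
    except LookupError:
        return None
    return dn if simulated_bind(directory, dn, password) else None


if __name__ == "__main__":
    print(login(DIRECTORY, "tuser", "tuser-demo-pass"))      # the cn-based DN
    print(login(DIRECTORY, "Test User", "tuser-demo-pass"))  # None: cn is not a login
    print(search(DIRECTORY, BASE_DN, "(cn=John Doe)"))       # two DNs: ambiguous
    print(resolve_bind_dn(DIRECTORY, "u987654"))             # the sub-OU John Doe
    print(search(DIRECTORY, BASE_DN, "(uid=*)"))             # raw wildcard: all three
    print(login(DIRECTORY, "*", "anything"))                 # None: '*' was escaped
```

The point of the two uid lookups is the one David makes above: the application supplies "tuser" (or "u987654"), never the cn, and gets back whatever DN the directory keys the entry on, so a cn-based DN layout is invisible to it. An application that instead builds "cn=<typed name>,ou=Users,..." itself is the misconfiguration he describes, and one that searches on cn inherits the duplicate-name ambiguity from note 0000254. Escaping the filter value is what keeps the uid search from being steered by the login field; a real deployment would use the same search-then-bind shape with an LDAP client library and a service account for the search.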

Issue History
Date Modified Username Field Change
2010-08-25 11:35 kbrault New Issue
2010-08-26 15:03 user2 Note Added: 0000246
2010-08-26 15:04 user2 Status new => assigned
2010-08-26 15:04 user2 Assigned To => dloper
2010-08-26 15:05 user2 Note Added: 0000247
2010-08-26 15:05 user2 Status assigned => resolved
2010-08-26 15:05 user2 Resolution open => won't fix
2010-08-27 09:44 user2 Note Added: 0000248
2010-08-30 11:26 kbrault Note Added: 0000254
2010-08-30 11:26 kbrault Status resolved => feedback
2010-08-30 11:26 kbrault Resolution won't fix => reopened
2010-08-30 12:02 user2 Note Added: 0000255
2010-08-30 15:18 dloper Note Added: 0000256
2010-10-13 12:59 user2 Status feedback => closed
2010-10-13 12:59 user2 Resolution reopened => won't fix