{"id":2534,"date":"2021-05-27T08:00:10","date_gmt":"2021-05-27T06:00:10","guid":{"rendered":"https:\/\/possiblelossofprecision.net\/?p=2534"},"modified":"2022-02-15T12:31:43","modified_gmt":"2022-02-15T10:31:43","slug":"ldap-server-with-389ds-part-2-quality-of-life-plugins","status":"publish","type":"post","link":"https:\/\/possiblelossofprecision.net\/?p=2534","title":{"rendered":"LDAP server with 389ds: Part 2 &#8211; Quality-of-life plugins"},"content":{"rendered":"<p>In <a href=\"https:\/\/possiblelossofprecision.net\/?p=2519\">part 1<\/a> we&#8217;ve looked at how to install <a href=\"https:\/\/directory.fedoraproject.org\/\">389 Directory Server<\/a> and create an instance. While this left us with a fully working LDAP server there are some plugins that greatly increase quality of life and might even be considered essential.<\/p>\n<p><!--more--><\/p>\n<h2>3. Plugins<\/h2>\n<h3>3.1. Attribute Uniqueness<\/h3>\n<p>Certain attributes can have duplicate values within a directory. A simple example is a user&#8217;s first name which is stored in the <code>givenName<\/code> attribute. In a directory with a sufficiently large number of users it&#8217;s more likely than not that there are two or more users with the same first name.<br \/>\nBut how about a user&#8217;s email address? If the <code>mail<\/code> attribute wasn&#8217;t unique within the whole directory this could lead to some trouble when delivering emails to a user&#8217;s inbox. Of course, a directory administrator might be careful when creating new users and ensure that each user has their own, unique email address. But humans make mistakes and checking manually if a certain email address is not already used is cumbersome at least.<\/p>\n<p>The 389 directory server has a built-in plugin that can guarantee the uniqueness of attributes across the entire directory information tree (DIT) or even just certain subtrees. It can be conveniently configured and enabled through <code>dsconf<\/code>.<br \/>\nLet&#8217;s say we wanted to guarantee that email addresses are unique across our whole <code>dc=example,dc=com<\/code> tree, we would run:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\ndsconf localhost plugin attr-uniq add &quot;mail attribute uniqueness&quot; --attr-name mail --subtree &quot;dc=example,dc=com&quot;\r\ndsconf localhost plugin attr-uniq enable &quot;mail attribute uniqueness&quot;\r\n<\/pre>\n<p>Other very commonly unique attributes are a user&#8217;s ID (<code>uid<\/code>), uid number (the integer uniquely identifying a user, <code>uidNumber<\/code>) and gid number (the integer uniquely identifying a user&#8217;s primary group, <code>gidNumber<\/code>). This is not a exhaustive list, of course, and which attributes are unique in a directory may very well depend on the use case. But together with the <code>mail<\/code> attribute it&#8217;s probably a good starting point:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\ndsconf localhost plugin attr-uniq add &quot;mail attribute uniqueness&quot; --attr-name mail --subtree &quot;dc=example,dc=com&quot;\r\ndsconf localhost plugin attr-uniq add &quot;uid attribute uniqueness&quot; --attr-name uid --subtree &quot;dc=example,dc=com&quot;\r\ndsconf localhost plugin attr-uniq add &quot;uidNumber attribute uniqueness&quot; --attr-name uidNumber --subtree &quot;dc=example,dc=com&quot;\r\ndsconf localhost plugin attr-uniq add &quot;gidNumber attribute uniqueness&quot; --attr-name gidNumber --subtree &quot;dc=example,dc=com&quot;\r\ndsconf localhost plugin attr-uniq enable &quot;mail attribute uniqueness&quot;\r\ndsconf localhost plugin attr-uniq enable &quot;uid attribute uniqueness&quot;\r\ndsconf localhost plugin attr-uniq enable &quot;uidNumber attribute uniqueness&quot;\r\ndsconf localhost plugin attr-uniq enable &quot;gidNumber attribute uniqueness&quot;\r\n<\/pre>\n<p>The <code>attr-uniq<\/code> plugin can also ensure uniqueness of values across multiple attributes. That&#8217;s called <em>Multi Valued Uniqueness<\/em> and is <a href=\"https:\/\/directory.fedoraproject.org\/docs\/389ds\/howto\/howto-uid-uniqueness.html\">done by specifying multiple attribute names<\/a>:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\ndsconf localhost plugin attr-uniq add &quot;mail attribute uniqueness&quot; --attr-name mail --attr-name mailAlternateAddress --subtree &quot;dc=example,dc=com&quot;\r\n<\/pre>\n<p>Note that the 389ds instance has to be restarted in order for the plugin to work (even though it was enabled through <code>dsconf<\/code>:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\ndsctl localhost restart\r\n<\/pre>\n<h3>3.2. Distributed Numeric Assignment<\/h3>\n<p>Similarly to manually checking for certain attributes to be unique it&#8217;s cumbersome to manually assign and manage <code>uidNumber<\/code> and <code>gidNumber<\/code> attributes. Fortunately this can be automatically handled by the <a href=\"https:\/\/directory.fedoraproject.org\/docs\/389ds\/design\/dna-plugin.html\">Distributed Numeric Assignment (DNA) plugin<\/a>.<\/p>\n<p>The plugin settings can be configured through <code>dsconf<\/code> again:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\ndsconf localhost plugin dna config &quot;Account IDs&quot; add \\\r\n  --type gidNumber uidNumber \\\r\n  --filter &quot;(objectclass=posixAccount)&quot; \\\r\n  --scope ou=People,dc=example,dc=com \\\r\n  --next-value 1001 \\\r\n  --magic-regen -1\r\n<\/pre>\n<p>The parameters should be quite self-explanatory. Here&#8217;s a quick overview anyway:<\/p>\n<ul>\n<li>\n    <code>--type gidNumber uidNumber<\/code><br \/>\n    the DNA plugin should manage the attributes <code>gidNumber<\/code> and <code>uidNumber<\/code> (from the same range)\n  <\/li>\n<li>\n    <code>--filter \"(objectclass=posixAccount)\"<\/code><br \/>\n    it should be limited to <code>posixAccount<\/code> objects\n  <\/li>\n<li>\n    <code>--scope ou=People,dc=example,dc=com<\/code><br \/>\n    only objects in the specified subtree should be managed\n  <\/li>\n<li>\n    <code>--next-value 1001<\/code><br \/>\n    the next value that&#8217;s going to be assigned\n  <\/li>\n<li>\n    <code>--magic-regen -1<\/code><br \/>\n    magic number to tell the DNA plugin that an object&#8217;s <code>gidNumber<\/code> or <code>uidNumber<\/code> should be automatically assigned\n  <\/li>\n<\/ul>\n<p>After enabling the plugin and restarting the 389ds instance<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\ndsconf localhost plugin dna enable\r\ndsctl localhost restart\r\n<\/pre>\n<p>the DNA plugin will automatically reassign <code>uidNumber<\/code> and <code>gidNumber<\/code> attributes if they&#8217;re <code>-1<\/code><\/p>\n<pre class=\"brush: bash; highlight: [6,7,11,12]; title: ; notranslate\" title=\"\">\r\n# dsidm -b &quot;dc=example,dc=com&quot; localhost user create \\\r\n  --uid eve \\\r\n  --cn Eve \\\r\n  --displayName Eve \\\r\n  --homeDirectory &quot;\/home\/eve&quot; \\\r\n  --uidNumber -1 \\\r\n  --gidNumber -1\r\nSuccessfully created eve\r\n# ldapsearch -LLL -x -b &quot;dc=example,dc=com&quot; &quot;(uid=eve)&quot; uidNumber gidNumber\r\ndn: uid=eve,ou=people,dc=example,dc=com\r\nuidNumber: 1001\r\ngidNumber: 1001\r\n<\/pre>\n<p>You can, however, still specify <code>uidNumber<\/code> or <code>gidNumber<\/code> attributes manually by using a value that&#8217;s different from the configured magic number (<code>-1<\/code> in the example above). The magic number itself is arbitrary and doesn&#8217;t need to be <code>-1<\/code> at all.<\/p>\n<p>For more details on the DNA plugin have a look at the <a href=\"https:\/\/access.redhat.com\/documentation\/en-us\/red_hat_directory_server\/11\/html\/administration_guide\/dna\">Redhat Directory Server 11 (RHDS11) Administration Guide<\/a> or the <a href=\"https:\/\/directory.fedoraproject.org\/docs\/389ds\/design\/dna-plugin.html\">389ds documentation<\/a>, especially when using it in setups that use replication.<\/p>\n<h3>3.3. MemberOf<\/h3>\n<p>There are two ways how group membership of users can be stored. One can either save a list of members in each group object. That&#8217;s how it is done traditionally and is described in <a href=\"https:\/\/datatracker.ietf.org\/doc\/html\/rfc2307\">RFC2307<\/a>:<\/p>\n<p><center><div id=\"attachment_2540\" style=\"width: 560px\" class=\"wp-caption aligncenter\"><a data-rokbox href=\"wordpress\/wp-content\/uploads\/2021\/05\/RFC2307.png\" data-rokbox-album=\"p2534\" data-rokbox-caption=\"members being stored as group attributes according to RFC2307\"><img decoding=\"async\" aria-describedby=\"caption-attachment-2540\" src=\"wordpress\/wp-content\/uploads\/2021\/05\/RFC2307-550x239.png\" alt=\"\" \/><\/a><p id=\"caption-attachment-2540\" class=\"wp-caption-text\">members being stored as group attributes according to RFC2307<\/p><\/div><\/center><\/p>\n<p>Or one can store each group that a given user is a member of in the user object (<a href=\"https:\/\/datatracker.ietf.org\/doc\/html\/draft-howard-rfc2307bis-01\">RFC2307bis<\/a>):<\/p>\n<p><center><div id=\"attachment_2541\" style=\"width: 560px\" class=\"wp-caption aligncenter\"><a data-rokbox href=\"wordpress\/wp-content\/uploads\/2021\/05\/RFC2307bis.png\" data-rokbox-album=\"p2534\" data-rokbox-caption=\"group membership being stored as attribute in a user object (RFC2307bis)\" ><img decoding=\"async\" aria-describedby=\"caption-attachment-2541\" src=\"wordpress\/wp-content\/uploads\/2021\/05\/RFC2307bis-550x239.png\" alt=\"\"  \/><\/a><p id=\"caption-attachment-2541\" class=\"wp-caption-text\">group membership being stored as attribute in a user object (RFC2307bis)<\/p><\/div><\/center><\/p>\n<p>Querying an LDAP server that uses RFC2307 (sometimes also referred to as <em>posix schema<\/em>) if a certain user is authorised to access a particular resource is a two-step process: The first query searches for the user object (e.g. a user named <em>Bob<\/em>) and the second query checks if the user object&#8217;s <code>uid<\/code> attribute matches one of the entries in the relevant group object (e.g. if the group <em>blog_users<\/em> has an attribute <code>memberUID<\/code> that matches Bob&#8217;s uid).<br \/>\nA lot of software supports this, e.g. have a look at <a href=\"https:\/\/grafana.com\/docs\/grafana\/latest\/auth\/ldap\/#posix-schema\">Grafana&#8217;s LDAP auth module<\/a>. It has a <code>search_filter<\/code> parameter that let&#8217;s you query for a particular user and an additional <code>group_search_filter<\/code> parameter that filters out users that are not a member of a particular group.<\/p>\n<p>However, that&#8217;s not always the case, e.g. <a href=\"http:\/\/www.postfix.org\/LDAP_README.html\">postfix<\/a> or <a href=\"https:\/\/doc.dovecot.org\/configuration_manual\/authentication\/ldap\/\">dovecot<\/a> do not have an additional group filter. The advantage of the RFC2307bis schema is (among other things) that checking user authorisation can be done in a single query, for example:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nldapsearch -LLL -x -b &quot;dc=example,dc=com&quot; \\\r\n  &quot;(&amp;(uid=eve)(memberOf=cn=cncuser,ou=groups,dc=example,dc=com))&quot; mail\r\ndn: uid=eve,ou=people,dc=example,dc=com\r\nmail: eve@example.com\r\n<\/pre>\n<p>389ds uses a combination of these two schemas so it stays compatible with both. The <em>memberOf<\/em> plugin can automatically update a user object&#8217;s <code>memberOf<\/code> attributes whenever the group membership status is changed. Once again it can be enabled through <code>dsctl<\/code>:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\ndsconf localhost plugin memberof enable\r\ndsctl localhost restart\r\n<\/pre>\n<p>Note that additonally group members will still be listed as multi-valued attributes in the group object (according to the RFC2307 schema). So you can decide depending on the user case wether to use the <code>memberOf<\/code> filter or two queries to check if a user is authorised to access your resource.<\/p>\n<h3>3.4. Referential Integrity<\/h3>\n<p>In general, <a href=\"https:\/\/en.wikipedia.org\/wiki\/Referential_integrity\">referential integrity<\/a> is a property of arbitrary data structures (e.g. an object in OOP, a table in a relational database) meaning that all references to other data structures are vaild. In the context of a directory server it means that an update on one entry in the DIT is correctly reflected in all other entries that reference it.<br \/>\nThis is most commonly an issue when removing a user or a group. When a user that&#8217;s a member of any group is removed, all corresponding <code>member<\/code> attributes of the groups need to be updated as well. Managing this manually would be a nightmare, of course, so thankfully there&#8217;s a referential integrity plugin available that takes care of this:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\ndsconf localhost plugin referential-integrity enable\r\ndsctl localhost restart\r\n<\/pre>\n<p>That&#8217;s it regarding plugins. There are <a href=\"https:\/\/access.redhat.com\/documentation\/en-us\/red_hat_directory_server\/11\/html-single\/administration_guide\/index#listing_the_available_plug-ins\">many more<\/a> very useful ones available but these should cover the basics. The <a href=\"https:\/\/possiblelossofprecision.net\/?p=2570\">next part<\/a> is going to look into ACLs.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In part 1 we&#8217;ve looked at how to install 389 Directory Server and create an instance. While this left us with a fully working LDAP server there are some plugins that greatly increase quality of life and might even be considered essential.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[84,13,7,83],"class_list":["post-2534","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-389ds","tag-centos","tag-fedora","tag-ldap"],"_links":{"self":[{"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=\/wp\/v2\/posts\/2534","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2534"}],"version-history":[{"count":45,"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=\/wp\/v2\/posts\/2534\/revisions"}],"predecessor-version":[{"id":2745,"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=\/wp\/v2\/posts\/2534\/revisions\/2745"}],"wp:attachment":[{"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2534"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2534"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2534"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}