nss_ldap should support AD-style groups [PSARC/2009/328 FastTrack timeout 06/10/2009]
Gary Winiger
gww at sac.sfbay.sun.com
Wed Jun 3 11:08:04 PDT 2009
This case was never published to psarc-ext. I'm doing so on behalf
of Nico (the I below) and extending the timer for a week from publication.
Gary..
======
I'm submitting this fasttrack on behalf of Erwin Aitenbichler, an
OpenSolaris contributor. The release binding is micro/patch (with no
intention to backport). This case introduces new behavior in
nss_ldap(5) that rises to the level of an interface; this behavior will
be Committed.
BACKGROUND
Microsoft's Active Directory (AD) can be used as a Solaris name service
repository through nss_ldap(5) by using Windows Identity Management
for Unix (IDMU) or Service For Unix (SFU) and configuring schema
mapping on the Solaris native LDAP clients. This is true on Solaris
10, Solaris Nevada, and OpenSolaris.
PROBLEM
AD supports richer group (as in Unix group) semantics than Unix. For
example, it supports nested groups. But nss_ldap(5) does not support
these semantics.
Specifically, nss_ldap(5) uses the RFC2307bis+ memberUid attribute of
group objects to construct a list of all users in a group, whereas
AD uses a different attribute, 'member', containing not UIDs but the
DNs of members' directory objects (which may be users and groups
alike). Also, each group object has a 'memberof' attribute listing the
groups that the group is a member of.
PROPOSAL
nss_ldap(5)'s getbyname/getbygid entry points will use the 'member'
attribute if the memberUid attribute is not present or has an empty
value for the given group, but the member attribute is present and
has a non-empty value. And nss_ldap(5) will expand the list of
members recursively by searching the directory for each listed member
and looking up any member group's members.
nss_ldap(5)'s getbymember entry point will find the user's DN and
then will query all groups a user is a member of using this DN. For
each group, the memberof attribute will be chased recursively to
obtain the full list of groups that the user is a member of directly
or indirectly.
In both cases loops in group membership will be detected to prevent
infinite looping.
No additional configuration is needed to enable this feature.
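The two lookups the proposal describes (expanding a group's 'member' DNs recursively, and chasing a user's 'memberof' back-links recursively, both with loop detection) are modelled below in Python against a small in-memory directory. This is an added illustration, not code from the case or from nss_ldap(5); the entries, DNs and gidNumbers are constructed sample data, and the example assumes the memberUid-before-member rule is applied at every nesting level, which the case does not spell out for nested groups.

```python
# Added example, not part of the PSARC case or of nss_ldap(5).
# A constructed in-memory stand-in for an AD directory: DN -> attributes.
# Attribute names follow AD/RFC2307bis conventions; nothing here talks to
# a real server. Note the deliberate cycle: devs is a member of ops and
# ops is a member of devs.
CONSTRUCTED_DIRECTORY = {
    "CN=alice,CN=Users,DC=example,DC=com": {
        "objectClass": ["user"], "uid": ["alice"],
        "memberOf": ["CN=devs,CN=Groups,DC=example,DC=com"]},
    "CN=bob,CN=Users,DC=example,DC=com": {
        "objectClass": ["user"], "uid": ["bob"],
        "memberOf": ["CN=devs,CN=Groups,DC=example,DC=com",
                     "CN=legacy,CN=Groups,DC=example,DC=com"]},
    "CN=carol,CN=Users,DC=example,DC=com": {
        "objectClass": ["user"], "uid": ["carol"],
        "memberOf": ["CN=ops,CN=Groups,DC=example,DC=com"]},
    "CN=devs,CN=Groups,DC=example,DC=com": {
        "objectClass": ["group"], "cn": ["devs"], "gidNumber": ["1001"],
        "member": ["CN=alice,CN=Users,DC=example,DC=com",
                   "CN=bob,CN=Users,DC=example,DC=com",
                   "CN=ops,CN=Groups,DC=example,DC=com"],
        "memberOf": ["CN=ops,CN=Groups,DC=example,DC=com"]},
    "CN=ops,CN=Groups,DC=example,DC=com": {
        "objectClass": ["group"], "cn": ["ops"], "gidNumber": ["1002"],
        "member": ["CN=carol,CN=Users,DC=example,DC=com",
                   "CN=devs,CN=Groups,DC=example,DC=com"],
        "memberOf": ["CN=devs,CN=Groups,DC=example,DC=com"]},
    # A group that still carries a schema-mapped memberUid: that attribute
    # must win over 'member', exactly as the proposal states.
    "CN=legacy,CN=Groups,DC=example,DC=com": {
        "objectClass": ["group"], "cn": ["legacy"], "gidNumber": ["1003"],
        "memberUid": ["dave", "erin"],
        "member": ["CN=bob,CN=Users,DC=example,DC=com"]},
}


def _entry(directory, dn):
    """Look up a DN; an unknown DN behaves like an entry with no attributes."""
    return directory.get(dn, {})


def _is_group(entry):
    return "group" in entry.get("objectClass", [])


def group_members(directory, group_dn):
    """getbyname/getbygid side: sorted login names of everyone in a group.

    memberUid is used when present and non-empty; otherwise the 'member'
    DNs are expanded, recursing into member groups. The visited set is the
    loop detection: a group reached twice is not expanded again.
    """
    uids, visited = set(), set()

    def expand(dn):
        if dn in visited:
            return
        visited.add(dn)
        e = _entry(directory, dn)
        if not _is_group(e):
            uids.update(e.get("uid", []))  # a user (or an unresolvable DN)
        elif e.get("memberUid"):
            uids.update(e["memberUid"])  # assumption: rule applied per level
        else:
            for member_dn in e.get("member", []):
                expand(member_dn)

    expand(group_dn)
    return sorted(uids)


def user_groups(directory, uid):
    """getbymember side: sorted gidNumbers of all groups a user is in.

    Finds the user's DN, then chases 'memberOf' recursively so that groups
    reached only through nesting are included; visited stops cycles.
    """
    user_dn = next((dn for dn, e in directory.items()
                    if not _is_group(e) and uid in e.get("uid", [])), None)
    if user_dn is None:
        return []
    gids, visited = set(), set()

    def chase(dn):
        for group_dn in _entry(directory, dn).get("memberOf", []):
            if group_dn in visited:
                continue
            visited.add(group_dn)
            gids.update(int(g) for g in _entry(directory, group_dn).get("gidNumber", []))
            chase(group_dn)

    chase(user_dn)
    return sorted(gids)


if __name__ == "__main__":
    for g in ("devs", "ops", "legacy"):
        dn = "CN=%s,CN=Groups,DC=example,DC=com" % g
        print(g, "->", group_members(CONSTRUCTED_DIRECTORY, dn))
    for u in ("alice", "bob", "carol", "nobody"):
        print(u, "->", user_groups(CONSTRUCTED_DIRECTORY, u))
```

Because devs and ops contain each other, a naive recursion would never terminate; with the visited set, both groups expand to the same three users, and alice's memberOf chase reaches ops through devs and then stops when it sees devs again.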