
Re: MacOS X logins very, very slow or failing with Openldap 2.1.23...



Answering multiple responses here:

Quanah Gibson-Mount wrote:

--On Tuesday, November 25, 2003 3:27 PM -0800 Quanah Gibson-Mount <quanah@stanford.edu> wrote:

--On Tuesday, November 25, 2003 6:15 PM -0500 Everette Gray Allen <Everette_Allen@ncsu.edu> wrote:

My understanding of posixAccount is MUST: cn, uid, uidNumber, gidNumber, homeDirectory


I'm quite aware of what cn is. ;)
Did not mean to offend you. I just overstate the obvious so less informed lurkers might understand.

From:

<http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html>


More specifically:

Sec. 99.37  What conditions apply to disclosing directory information?

   (a) An educational agency or institution may disclose directory
information if it has given public notice to parents of students in
attendance and eligible students in attendance at the agency or
institution of:
   (1) The types of personally identifiable information that the agency
or institution has designated as directory information;
   (2) A parent's or eligible student's right to refuse to let the
agency or institution designate any or all of those types of information
about the student as directory information; and
   (3) The period of time within which a parent or eligible student has
to notify the agency or institution in writing that he or she does not
want any or all of those types of information about the student
designated as directory information.
   (b) An educational agency or institution may disclose directory
information about former students without meeting the conditions in
paragraph (a) of this section.


Essentially, if we get such a request, we simply blank out their name to a "'". That fulfills the requirement, and allows us to continue to expose posixAccount.


--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

From this it looks like our folks are being too strict in their analysis. In our world however we do form uids based on a known formula which involves the user's initials, part of their last name, and adds a sequential number in case of dups. Still, if we did not expose cn then there would be no way to get a name from the id for sure.


Thanks for the pointers!

Essentially, if we get such a request, we simply blank out their name to a "'". That fulfills the requirement, and allows us to continue to expose posixAccount.


We leave the 'cn' alone, but set a flag (FERPA) to True.  This causes the server to return 'cn' (and other personal information) only to the bound user or certain administrative users.  The lack of 'cn' has no effect on Mac OS X's use of posixAccount, nor any other implementation that I have experience with.  I suspect that MUST 'cn' is a bug in the definition of posixAccount -- it doesn't really make sense that it's required.  I can see why 'cn' is MUST for posixGroup.  Does the password file require a name?

:wes

Seems reasonable if you are going to use the same database with more secure access for other purposes. Is the FERPA flag restriction enforced by access rules under slapd or some other mechanism when loading the data into the ldap server?


My testing with OS X indicates that you really do not need cn. I have been able to get by with uid, uidNumber, gidNumber and homeDirectory (though I did map RealName to uid). Actually if everyone has the same primary gidNumber you might save a query on Mac OS X by using #501 or whatever as a static map. One might also be able to map NFSHome to /Users/$uid$ or the like and really go with only uid and uidNumber exposed, but that would also require clever planning ahead of time :-).
--
Everette Gray Allen Systems Programmer II
ITD Computing Services Macintosh Support Specialist
2620 Hillsborough St, Campus Box 7109
Raleigh, NC 27695-7109
919-515-4558 Everette_Allen@ncsu.edu
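As an added illustration of the question above (whether the FERPA flag can be enforced by slapd's own access rules), here is one way to express it in slapd.conf; this is example configuration, not Wes's or Quanah's actual setup. The boolean attribute name ferpaRestricted, the base DN and the admin group DN are assumptions (the thread only says "a flag (FERPA) set to True").

```conf
# Example ACLs for slapd.conf (OpenLDAP 2.1 syntax).  Clauses are tried in
# order and the first "access to" whose <what> matches the entry/attribute
# wins, so the FERPA clause must come before the general ones.
#
# ferpaRestricted is a hypothetical boolean attribute; the DNs are placeholders.

# 1. On entries flagged ferpaRestricted=TRUE, personal attributes are
#    readable only by the entry itself (the bound user) and by a registrar
#    group.  "by * none" also stops anonymous search filters such as
#    (cn=Jane*) from matching flagged entries.
access to filter=(ferpaRestricted=TRUE)
        attrs=cn,sn,givenName,displayName,mail,telephoneNumber
        by self read
        by group="cn=ferpa-admins,ou=groups,dc=example,dc=edu" read
        by * none

# 2. The posixAccount attributes a login client needs stay readable by
#    everyone, flagged or not, so Mac OS X / NSS lookups keep working
#    without cn (matching the observation that cn is not needed for login).
access to attrs=uid,uidNumber,gidNumber,homeDirectory,loginShell,objectClass
        by * read

# 3. Passwords are usable for bind only and never returned.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# 4. Everything else (including cn on unflagged entries).
access to *
        by self write
        by users read
        by anonymous auth
```

After changing ACLs, bind as an unprivileged user and search a flagged entry to confirm that only the clause 2 attributes come back, and that a search filter on cn no longer matches it.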