Older blog entries for lukeh (starting at number 30)

I've had a bit of a cold this weekend, which provided ample opportunity to do some coding (as I didn't feel too guilty about not practising or going out).

On the PADL front, I've added support for template users to pam_ldap. I'm not sure whether this works yet, though :-) Template users are (as far as I know) a FreeBSD practice where the PAM host application refetches the username from PAM after calling pam_authenticate(). This lets the module change the username under the application's nose, which is ideal for ISP applications; for example, a user might log on as lukeh@padl.com, and be mapped to the template user nobody. pam_ldap will either map users to a default template user, or read the template user from an attribute in the user's entry. (Both of these are configurable.) You might stack pam_ldap and pam_ntdom, setting pam_login_attribute in /etc/ldap.conf to userPrincipalName, and pam_template_login_attribute to sAMAccountName; then, you could log in as lukeh@padl.com; pam_ldap will search for (userPrincipalName=lukeh@padl.com), and then set the username to the value of the sAMAccountName attribute in the resulting entry (e.g. lukeh). pam_ntdom would then retrieve the username from PAM, and do an NT domain authentication against "lukeh". Finally, login would retrieve the username from PAM, and call getpwnam("lukeh"). YMMV, this code is experimental! Code, as usual, is at ftp.padl.com.
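The lookup described above, as an added illustration rather than pam_ldap's own code: the login is escaped into a filter on pam_login_attribute, the single matching entry supplies pam_template_login_attribute, and otherwise a default template user is used. The in-memory directory is constructed here, and pam_template_login is an assumed name for the default-template-user setting the entry says is configurable.

```python
import re

def escape_filter_value(value):
    """RFC 4515 escaping, so a login such as 'x)(uid=*' stays a literal value
    instead of changing the structure of the search filter."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

def unescape_filter_value(value):
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)

def build_login_filter(login_attribute, login):
    """The filter pam_ldap sends, e.g. (userPrincipalName=lukeh@padl.com)."""
    return '(%s=%s)' % (login_attribute, escape_filter_value(login))

# Constructed sample directory standing in for the LDAP server.
DIRECTORY = [
    {'userPrincipalName': ['lukeh@padl.com'], 'sAMAccountName': ['lukeh']},
    {'userPrincipalName': ['guest@padl.com']},   # no template attribute
]

def search(directory, ldap_filter):
    """Evaluate one (attr=value) equality filter, case-insensitively."""
    m = re.fullmatch(r'\(([^=()]+)=([^()]*)\)', ldap_filter)
    if m is None:
        return []                        # malformed or compound filter: refuse
    attr, wanted = m.group(1), unescape_filter_value(m.group(2)).lower()
    return [e for e in directory
            if wanted in (v.lower() for v in e.get(attr, []))]

def resolve_template_user(login, config, directory=DIRECTORY):
    """Return the username the module would hand back to PAM, or None when
    the login matches no single entry (unknown or ambiguous user)."""
    ldap_filter = build_login_filter(config['pam_login_attribute'], login)
    entries = search(directory, ldap_filter)
    if len(entries) != 1:
        return None
    entry = entries[0]
    attr = config.get('pam_template_login_attribute')
    if attr and entry.get(attr):
        return entry[attr][0]            # e.g. sAMAccountName -> lukeh
    return config.get('pam_template_login')   # assumed name: default template user
```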

My friend Joshua Reich has been working on some interesting LDAP-related projects which I hope to help him with. Check out his homepage at www.i2pi.com. Josh is one of the DataServe clan.

On the Darwin front, I've done a little bit more work on the PAM port, not much though, I'm waiting on getting MacOS X up and running first. A bit hard without any PPC hardware to speak of; still, Rhapsody DR2 is quite a nice Intel Unix! Also looked at adding support for reentrant name resolution APIs to Darwin, for the moment just those in the Single UNIX Specification (getpwnam_r(), getpwuid_r(), getgrnam_r(), getgrgid_r()). There seem to be some issues with lookupd in getting this working (not architectural issues, it just doesn't work!). You can check these out in the lukeh-SingleUNIXSpecificationV2 branch of Libraries/NeXT/libinfo. You will need a login to access this.

The final, and perhaps more interesting, project has been a NetInfo backend for OpenLDAP. The backend uses Marc Majka's dsstore API, rather than the NetInfo client library. dsstore is a hierarchical database library with an information model that's sort of a cross between NetInfo and LDAP. You get the good things about NetInfo: for example, entries' distinguished names are dynamically constructed, rather than being stored with the entry; and the good things about LDAP, such as complex queries. The library will either talk directly to the database on disk (and indeed is used as the backend by the MacOS X NetInfo daemon) or to a remote NetInfo database. Anyway, the OpenLDAP backend, back-netinfo, uses this API. It's quite a thin layer: most of the code is spent mapping between slapd data structures, such as filters, and their analogues in dsstore. The trickier code has to do with mapping information models, which could do with some work. For the moment, dsstore meta-attributes are mapped to LDAP attributes with the ;x-meta tag, except for objectClass, which is mapped to the LDAP objectClass attribute. objectClass is also special-cased so that it always contains extensibleObject and top, and so that filters such as (objectClass=*) will succeed even though the NetInfo entry does not contain these attributes. I expect this code will be able to go away once dsstore can deal with schema itself, and slapd lets backends handle their own schema. Attributes which slapd doesn't know about (i.e. haven't been defined in a schema anywhere) appear as operational attributes, and are thus not user-modifiable. To make this useful with existing NetInfo deployments, we need to map between well known NetInfo and X.500 attribute types.

Here is an example of searching for a user in NetInfo, and then in LDAP:

% niutil -read . /users/lukeh
name: lukeh
uid: 1002
passwd: *
realname: Luke Howard
gid: 1000
home: /home/lukeh
shell: /bin/tcsh
sn: Howard
modifiersName: NAME=ROOT,OU=PEOPLE
modifyTimestamp: 20000702234549Z
_writers_passwd: lukeh
_writers_change: lukeh
% ldapsearch -LLL -b "ou=People" name=lukeh '*' '+'
dn: name=lukeh,ou=People
name: lukeh
uid: 1002
passwd: *
realname: Luke Howard
gid: 1000
home: /home/lukeh
shell: /bin/tcsh
sn: Howard
modifiersName: NAME=ROOT,OU=PEOPLE
modifyTimestamp: 20000702234549Z
writers_passwd;x-meta: lukeh
writers_change;x-meta: lukeh
objectClass: top
objectClass: extensibleObject
subschemaSubentry: cn=Subschema
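The mapping shown by the two listings above, as an added example that is not back-netinfo's code: the DN is built from the entry's name rather than stored, underscore-prefixed meta-attributes (the _writers_* keys in the niutil output) get the ;x-meta tag, objectClass is synthesised so that (objectClass=*) matches, and RDN values are escaped so a name containing a comma cannot produce a malformed DN. The NetInfo entry is constructed from the listing; the filter evaluator handles only single presence and equality filters.

```python
import re

# Constructed input: the entry from the niutil output, as attribute -> values.
NETINFO_ENTRY = {
    'name': ['lukeh'], 'uid': ['1002'], 'passwd': ['*'],
    'realname': ['Luke Howard'], 'gid': ['1000'],
    'home': ['/home/lukeh'], 'shell': ['/bin/tcsh'], 'sn': ['Howard'],
    'modifiersName': ['NAME=ROOT,OU=PEOPLE'],
    'modifyTimestamp': ['20000702234549Z'],
    '_writers_passwd': ['lukeh'], '_writers_change': ['lukeh'],
}

def escape_rdn_value(value):
    """Escape the characters RFC 2253 requires inside an RDN value."""
    return re.sub(r'([,+"\\<>;])', r'\\\1', value)

def netinfo_to_ldap(entry, parent_dn):
    """Return (dn, ldap_entry) for a NetInfo entry under parent_dn.
    Meta-attributes are tagged ;x-meta; objectClass always carries
    top and extensibleObject even when the NetInfo entry has none."""
    ldap = {}
    for attr, values in entry.items():
        if attr.startswith('_'):                 # dsstore meta-attribute
            ldap[attr[1:] + ';x-meta'] = list(values)
        elif attr.lower() != 'objectclass':      # objectClass rebuilt below
            ldap[attr] = list(values)
    extra = [v for v in entry.get('objectClass', [])
             if v not in ('top', 'extensibleObject')]
    ldap['objectClass'] = ['top', 'extensibleObject'] + extra
    dn = 'name=%s,%s' % (escape_rdn_value(entry['name'][0]), parent_dn)
    return dn, ldap

def matches(ldap_entry, filter_str):
    """Evaluate a single (attr=*) presence or (attr=value) equality filter
    against the LDAP view; attribute names compare case-insensitively."""
    m = re.fullmatch(r'\(([^=()]+)=([^()]*)\)', filter_str)
    if m is None:
        raise ValueError('unsupported filter: %r' % filter_str)
    attr, value = m.group(1).lower(), m.group(2)
    vals = [v for a, vs in ldap_entry.items() if a.lower() == attr for v in vs]
    if value == '*':
        return bool(vals)                        # presence filter
    return value.lower() in (v.lower() for v in vals)
```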

I've been working on porting Linux-PAM to Darwin. This has been a lot of fun!

Does anyone know how you change your Advogato.org password?

Joe Little (jlittle) makes some interesting points about LDAP and NetInfo. One of the projects we talked about doing was writing an OpenLDAP backend to NetInfo's database layer, dsstore. I think this would be a useful project as I think NetInfo is easier to configure/manage on a large, distributed network than many LDAP implementations. We should remember (as Microsoft have with Active Directory) that LDAP is just an access protocol, and that there's nothing stopping you building something as elegant as NetInfo using LDAP as the principal access protocol. When most implementations are derived from the same codebase (the University of Michigan code), it becomes difficult for people to separate what the protocol provides from what has historically been provided by implementations of it.

So, given some cycles to burn, one should ask whether it's better to put some time into the OpenLDAP dsstore backend (which would make Apple happy) or instead put the work into OpenLDAP so that it has a similar complement of management and population tools as NetInfo.

pam_ldap-55 includes a patch from Doug Nazar which includes autoconf support amongst other things.
nss_ldap-110 includes a patch from Phillip Liu of LoudCloud to perform asynchronous binds to the LDAP server.

Had a cool dinner last night with a whole lot of LDAP-ish people from Apple, HP, TurboLinux, Netscape, and OpenLDAP. What fun to get everyone in the same place! WWDC wrapped up, learnt a bit about Quartz (Apple's PDF-based imaging model) yesterday.

Been playing with MacOS X. Gotta buy a Mac. Back to Melbourne tomorrow.

Check out the WWDC highlights page!

Yesterday, we found out a bit more about the IP stack in MacOS 9 and MacOS X, specifically IPsec and IPv6. It is interesting (perhaps just inevitable) that there are still bits of MacOS X with a distinctly "MacOS" vs "Rhapsody" flavour... for example, there appear to be directory service abstractions both at the application and OS layer. Then again, it's not like this hasn't happened before (Sun have XFN and NSS). I guess we'll find out in the directory service session later this afternoon.

Today we have the Apple campus beer bash and a reunion lunch of sorts :-)

Is there a copy of On The Road on every San Francisco bookshelf, or have I just a very small sample size?

Well, so far I haven't seen that much of WWDC, but that should change today. Yesterday I checked out the Java on MacOS X seminar, they showed a cool demo of a Swing applet automagically adopting the MacOS X look and feel. The other cool thing is that the place is "wirelessed" for AirPort, so there are people sitting around with the wireless-enabled PowerBooks and iBooks checking their mail and doubtless doing real work. Great idea, particularly given the contention for terminals in the Internet café (when they opened the doors yesterday, it was like a bunch of schoolkids being let out early...).

Yesterday I met with a fellow Aussie from VA Linux to check out their campus and meet some people (Jeremy Allison, sadly, wasn't in). We then drove up to the city, where Adam had tickets to see The The (but not for me; and I wasn't going to pay the $90 people were scalping them for!). Instead, I hooked up with my former boss from Verve, Inc (formerly Xedoc). It is an indictment of the employment situation here when the first thing one of my friend's colleagues asked upon talking to him on his cellphone was "so, you had dinner with this guy... are we hiring him?".

Stayed in the city, caught the Caltrain up this morning. A few interesting, technical sessions on MacOS X today, plus the Darwin BOF, plus dinner with HP LDAP folk.

Got to WWDC today; the plane (from LA to San Francisco) was delayed of course, and by the time I arrived at SFO, caught the bus to San Jose airport, got a cab to the convention center, etc, I managed to just catch the last half hour of the Open Source presentation. It looked interesting though, and although I am very much jet lagged (having been up for 24 hours) it's exciting. I've never really been to one of these sorts of conferences before, unless you count MacWorld in 1998. Everyone is wearing WWDC badges and Apple T-shirts; it's fun to see some people I haven't seen since I worked at Apple and some other NeXT developers that I hadn't otherwise met... more later, off to see the Apple Masters session now (if I stay awake!).

Tomorrow brings more sessions and BALUG.
