Though addressed in the context of JES Messaging, this post is really about getting Sun's pam_ldap (or pam_unix) to do what some might consider correct subtree searches. Read on:
If you’re using JES messaging with hosted domains you have an ldap tree that looks like this:
o=firstdomain.com,o=isp; o=seconddomain.com,o=isp; etc.
so your user DNs look like this: uid=morgan,ou=people,o=firstdomain.com,o=isp; uid=matt,ou=people,o=seconddomain.com,o=isp; etc.
Under normal circumstances you would supply a basedn of “o=isp,” a scope of “sub,” and the application would search all of your hosted domains in search of the username.
Sun's pam_ldap (and, I believe, pam_unix) prepends "ou=people" to the base DN before doing a search. So if you specify "o=isp," pam_ldap will search within "ou=people,o=isp," which either doesn't exist or is empty.
After searching for a way to specify multiple base DNs in the LDAP profile (defaultSearchBase is SINGLE-VALUE in objectclass DUAConfigProfile), it turns out there is a straightforward workaround. From the ldapclient(1) man page:
    serviceSearchDescriptor
        Override the default base DN for LDAP searches for a
        given service. The format of the descriptors also
        allow overriding the default search scope and search
        filter for each service. The syntax of
        serviceSearchDescriptor is defined in the profile
        IETF draft. The default value for all services is
        NULL. This is a multivalued attribute. In the example,

            serviceSearchDescriptor=passwd:ou=people,dc=a1,dc=acme,dc=com?one

        the LDAP client would do a one level search in
        ou=people,dc=a1,dc=acme,dc=com rather than
        ou=people,defaultSearchBase for the passwd service.
So set serviceSearchDescriptor=passwd:o=isp and the passwd service will search under o=isp instead of ou=people,o=isp, allowing users in all of your hosted domains to authenticate. Of course, this does open you up to problems where uids conflict across domains.
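To make the base/scope behaviour concrete, here is an added example (not code from the post, from Sun, or from the JES product) that models the search base and scope the client ends up with for the passwd service and runs it against a constructed sample of the hosted-domain tree above. Two things it assumes: that the "prepend ou=people" behaviour is exactly as the post describes it, and that a serviceSearchDescriptor with no ?scope part falls back to the profile's defaultSearchScope, whose default in ldapclient(1) is one. Under that assumption a bare passwd:o=isp searches one level below o=isp and still finds nobody, so the example also tries passwd:o=isp?sub; if your profile already sets defaultSearchScope=sub the two forms are equivalent. The sample entries, including the duplicate uid, are constructed to illustrate the collision the post warns about. The uid_collisions check is the one you would want to run (with ldapsearch against the real directory) before widening the search to all hosted domains.

```python
"""Model of how a Solaris ldapclient profile's search base and scope decide
which hosted-domain users pam_ldap can find, run against a constructed sample
of the tree in the post.  Added example, not code from the post or from Sun."""

# Constructed sample entries (DN -> attributes) laid out as the post describes:
# each hosted domain has its own ou=people under o=<domain>,o=isp.
# The second "matt" is added deliberately to show a uid collision.
ENTRIES = {
    "uid=morgan,ou=people,o=firstdomain.com,o=isp": {"uid": "morgan"},
    "uid=matt,ou=people,o=seconddomain.com,o=isp": {"uid": "matt"},
    "uid=matt,ou=people,o=thirddomain.com,o=isp": {"uid": "matt"},
}


def dn_rdns(dn):
    """Split a DN into normalised RDNs (case-folded, whitespace stripped).
    Escaped commas are not handled; enough for the sample tree."""
    return tuple(rdn.strip().lower() for rdn in dn.split(","))


def in_scope(entry_dn, base_dn, scope):
    """True if entry_dn falls within base_dn under LDAP scope base/one/sub."""
    entry, base = dn_rdns(entry_dn), dn_rdns(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False
    depth = len(entry) - len(base)
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1
    if scope == "sub":
        return True
    raise ValueError("unknown scope: %s" % scope)


def parse_ssd(ssd, default_scope="one"):
    """Parse a serviceSearchDescriptor of the form 'service:base[?scope]'.
    The ?scope part is optional; when absent ldapclient(1) falls back to
    defaultSearchScope, whose default is 'one'.  Multiple base?scope pairs
    per service are not modelled here (simplification)."""
    service, _, rest = ssd.partition(":")
    base, _, scope = rest.partition("?")
    return service, base, (scope or default_scope)


def passwd_search_params(default_search_base, ssd=None, default_scope="one"):
    """Base and scope the client uses for the passwd service.  Without an SSD
    the post reports that Sun's pam_ldap prepends ou=people to
    defaultSearchBase; the scope is assumed to come from defaultSearchScope."""
    if ssd is None:
        return "ou=people," + default_search_base, default_scope
    service, base, scope = parse_ssd(ssd, default_scope)
    if service != "passwd":
        raise ValueError("descriptor is for service %r, not passwd" % service)
    return base, scope


def search_uid(uid, base_dn, scope, entries=ENTRIES):
    """DNs of entries with the given uid that the search would return."""
    return sorted(dn for dn, attrs in entries.items()
                  if attrs.get("uid") == uid and in_scope(dn, base_dn, scope))


def uid_collisions(base_dn, scope, entries=ENTRIES):
    """uids that resolve to more than one entry within the search: the
    ambiguity the post warns about once all hosted domains share one search."""
    seen = {}
    for dn, attrs in entries.items():
        if in_scope(dn, base_dn, scope):
            seen.setdefault(attrs["uid"], []).append(dn)
    return {uid: sorted(dns) for uid, dns in seen.items() if len(dns) > 1}


if __name__ == "__main__":
    for ssd in (None, "passwd:o=isp", "passwd:o=isp?sub"):
        base, scope = passwd_search_params("o=isp", ssd)
        print("SSD=%-20s base=%-18s scope=%-4s morgan -> %s"
              % (ssd, base, scope, search_uid("morgan", base, scope)))
    print("uid collisions under o=isp?sub:", uid_collisions("o=isp", "sub"))
```

Only the last descriptor in the loop finds morgan; the collision check then shows that the same widened search makes "matt" ambiguous, which is why a per-ISP uniqueness rule for uids (or a service-specific filter in the descriptor) belongs alongside this change.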