
Re: [nssldap] question about nssldap configuration




> FWIW you can do this out-of-the-box with nss-pam-ldapd (should also be
> in Ubuntu). The relevant config option is:
>
>  map passwd homeDirectory "${homeDirectory:-/home/$uid}"
>
> (this uses the homeDirectory attribute if defined and otherwise falls
> back to a generated one)

Thank you, it solved my problem.

>
>> However I could not change the uid of the users. I tried to do this
>> with 2 methods:
>> a) changes in source code in the same way as the home directory (uid
>> was a hash number based on username)
>> b) Set a default value in /etc/ldap.conf with
>> "nss_default_attribute_value uidNumber 2222" (2222 only for proofs)
>
> The problem with this is that you have to support two lookups:
>  username -> passwd entry
>  userid -> passwd entry
>
> If you map the username to a userid using a hash, you should also be
> able to do the lookup in the other direction (reversible function).
>
> Note that nss-pam-ldapd currently does not support expression-based
> mapping for the uidNumber attribute (you can remap it to another
> attribute though).
>

>> With these two changes the results are the same: users cannot log in
>> with ssh. The auth.log:
>> Nov 25 17:56:09 pipo sshd[7701]: Accepted password for Administrador from 
>> 87.218.XXX.XXX port 38913 ssh2
>> Nov 25 17:56:09 pipo sshd[7701]: pam_unix(sshd:session): session opened for 
>> user Administrador by (uid=0)
>> Nov 25 17:56:09 pipo sshd[7701]: fatal: login_get_lastlog: Cannot find 
>> account for uid 2222
>
> This is exactly the number-to-name lookup that is described above. In
> this case it is a PAM module that is complaining. You may be able to
> work around this by removing pam_unix from SSHD's session, but a lot
> more processes expect to be able to do numeric uid to username lookups.
>
> Perhaps you could insert a user in /etc/passwd with uid 2222 to work
> around some issues also, but you won't have real user separation on your
> system (all users will be able to interfere with all other users with
> the same uid). This will cause all sorts of weird problems.
>
> Also, having multiple users with the same numeric userid will probably
> also break all kinds of stuff. For instance, nscd expects usernames and
> userids to be unique.
>

I used the same 2222 id number only for proofs.
I wanted to use a unique uid number; the uidNumber had to be a hash of
the username.


> I don't think there is a stable solution available without storing some
> information in the LDAP server.
>

I see this cannot be done easily without storing information in the
LDAP server.

Thank you again

cheers

> --
> -- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
>
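The failure in the thread (sshd accepts the password via the name -> entry lookup, then dies in login_get_lastlog because the uid -> entry lookup has nothing to find) and the warning about several accounts sharing one numeric uid are both things you can check from the shell against whatever NSS currently serves. The script below is an added example, not code from the thread or from nss-pam-ldapd; it assumes passwd(5)-formatted records (as printed by `getent passwd`) on stdin and, for the round-trip check, a working `getent` binary. The sample data at the bottom is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: sanity-check the NSS passwd database for the two lookup
# directions that login tools need
#   name -> entry  (getpwnam, used when the username is typed)
#   uid  -> entry  (getpwuid, used by sshd's lastlog code, ls -l, nscd, ...)
# and for numeric uids shared by more than one account.

# Print "uid:name1,name2,..." for every numeric uid that more than one
# account uses. Reads passwd(5) records on stdin (e.g. `getent passwd`).
passwd_duplicate_uids() {
    awk -F: '
        NF >= 7 {
            if ($3 in names) names[$3] = names[$3] "," $1
            else             names[$3] = $1
            count[$3]++
        }
        END { for (u in count) if (count[u] > 1) print u ":" names[u] }
    ' | sort -n
}

# For every account on stdin, resolve its uid back to a name with getpwuid
# (what login_get_lastlog does) and print "name:uid" when the name that comes
# back is missing or different. A hashed or defaulted uidNumber that nslcd
# cannot search for in LDAP shows up here as a failure.
passwd_roundtrip_failures() {
    command -v getent >/dev/null 2>&1 || {
        echo "getent not found; cannot test uid -> name lookups" >&2
        return 2
    }
    while IFS=: read -r name _ uid _; do
        [ -n "$name" ] || continue
        back=$(getent passwd "$uid" 2>/dev/null | cut -d: -f1)
        [ "$back" = "$name" ] || printf '%s:%s\n' "$name" "$uid"
    done
}

# Constructed sample (not real system data): two accounts forced onto uid 2222
# the way the default-value test in the thread did, plus one unique account.
SAMPLE_PASSWD='Administrador:x:2222:100::/home/Administrador:/bin/bash
bob:x:2222:100::/home/bob:/bin/bash
carol:x:2223:100::/home/carol:/bin/bash'

printf '%s\n' "$SAMPLE_PASSWD" | passwd_duplicate_uids
```

On a host running nslcd, `getent passwd | passwd_duplicate_uids` lists every shared uid, and `getent passwd | passwd_roundtrip_failures` reproduces in user space the numeric lookup that sshd's lastlog code performs; any line it prints is an account that can authenticate but will trip over exactly the "Cannot find account for uid" error quoted above.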