lists.arthurdejong.org
RSS feed

Re: How to configure for delegated authentication

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: How to configure for delegated authentication



On Tue, 2011-10-04 at 17:22 -0400, Jeff Mitchell wrote:
> 1) The best way for me to do this would be to perform what's often
> called "delegated authentication" against LDAP. Instead of going to LDAP
> to look up the user credentials, I need to test the given user
> credentials by doing a bind against LDAP with those given credentials
> (or even better, with a given binddn/bindpw but then do a rebind, I
> think it's called, with the given user credentials -- it's what many web
> apps do).

This should be what nslcd does. It does anonymous bind by default (use
binddn/bindpw for non-anonymous bind) to find the user and after that
tries to bind the with the user's credentials. nslcd doesn't do password
validation itself.

> 2) I would need to return a particular shell for the user in order to
> continue with the git functionality. From the earlier nss_ldap I should
> have been able to use the nss_override_attribute_value command, but from
> the current sources it looks like that's been removed...?

nslcd.conf has the map option which implements the
nss_override_attribute_value feature like so:
  map passwd loginShell "/bin/bash"
The loginShell attribute will no longer be requested from LDAP but
returned the same for all users. See the nslcd.conf manual page for more
complex values that you can supply for attribute mapping.

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/