Re: question about user authentication and authorization in nss-ldapd -> nslcd -> slapd


On Fri, 2011-12-16 at 18:46 +0800, Liu Yubao wrote:
> Recently I'm playing nss-ldapd + nslcd + slapd + kerberos to implement
> SSO, I'm confused about the authentication and authorization parts.
> 
> (1) user process calls nslcd by nss-ldapd library, nslcd knows uid
> and gid from the UNIX domain socket; (I guess there is no GSSAPI
> authentication between user process and nslcd)

That is correct, nslcd doesn't do any checking of the client for
handling requests with the exception of shadow lookups and the password
change operation, in which case the caller should be root.

> (2) nslcd authenticates to slapd by GSSAPI, nslcd thinks the client is
> nslcd's Kerberos principal, such as "host/HOSTNAME@REALM".

Probably correct but I don't know that much about Kerberos.

> a.  slapd can't authenticate users directly by GSSAPI, so slapd can't
> limit authorization based on users' Kerberos principal names, right?
> /etc/nslcd.conf can specify authzid for nslcd, but that's fixed, can't
> change according to requesting user.

This is correct. Most databases are expected to be the same for all
users (compare to /etc/passwd). If you use caching (nscd) even nslcd
cannot find out the user requesting the information (probably one of the
reasons that shadow lookups aren't cached).

> b. I heard there is a rebind on nslcd to slapd, I set up userA on
> kerberos and slapd (uid=userA,ou=People,dc=example,dc=com), then I
> run "kinit" as userA, then "getent passwd", but I don't see nslcd
> try to rebind as userA. Why?

nslcd does all normal lookups with one configuration (caller information
is not used). Perhaps it is possible to do something like this using
PADL's nss_ldap though but I'm not sure.

If you let nslcd perform the authentication (using the PAM module) it
will bind with the provided credentials.

> c. the uid and gid are provided by nslcd to slapd, how can slapd
> avoid a malicious nslcd providing "uid=0,gid=0" to slapd for a normal
> user?

I don't fully understand what you mean. nslcd can perform some extra
filtering of the results it received from the LDAP server with the
nss_min_uid option and minimum_uid for the PAM module. nslcd doesn't
perform anything on the LDAP server that you couldn't do with ldapsearch
(all nslcd's secrets should be in nslcd.conf) so it should be safe.

> d. I only installed nss-ldapd + nslcd, not pam-ldapd because I already
> have pam-krb5, I find "chsh" complains the user isn't in /etc/passwd,
> seems it doesn't look into slapd, how can I make chsh LDAP-aware?

There is currently no support for chsh (or chfn) because there is no
standard interface for that (not part of PAM or NSS). You could
implement those as small applications that off-load the request to nslcd
and implement it there though but that is currently not implemented.

Hope this helps,

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
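The reply above mentions the nss_min_uid option as nslcd's extra filtering of directory results. The following is an added illustration, not code from nss-pam-ldapd or from the mailing-list thread: it models what that filter achieves by parsing an nslcd.conf-style fragment for nss_min_uid and dropping passwd entries below the threshold. The sample directory results and the config fragment are constructed for this example; the 1000 cutoff is an assumed site policy, and nothing here reproduces nslcd's real internals.

```python
"""Model of nss_min_uid filtering applied to LDAP passwd results.

Added example (not nss-pam-ldapd code). Shows why a minimum-uid filter
in nslcd keeps a low-uid or uid-0 entry stored in the directory from ever
reaching the NSS passwd database on the client.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class PasswdEntry:
    """One passwd record as nslcd would assemble it from an LDAP entry."""
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str

    def to_passwd_line(self) -> str:
        """Render in /etc/passwd format (password field is always 'x')."""
        return f"{self.name}:x:{self.uid}:{self.gid}:{self.gecos}:{self.home}:{self.shell}"


# Constructed directory results, as if returned by slapd for a passwd lookup.
# The third entry is the case the reply is about: a uid 0 account living in LDAP.
SAMPLE_LDAP_RESULTS: List[PasswdEntry] = [
    PasswdEntry("userA", 10001, 10001, "User A", "/home/userA", "/bin/bash"),
    PasswdEntry("svc-backup", 998, 998, "Backup service", "/var/lib/backup", "/usr/sbin/nologin"),
    PasswdEntry("evil", 0, 0, "uid 0 stored in the directory", "/root", "/bin/sh"),
]

# Constructed nslcd.conf fragment; nss_min_uid is the option named in the reply,
# the value 1000 is an assumed site policy.
SAMPLE_CONF = """
# constructed nslcd.conf fragment
uid nslcd
gid nslcd
uri ldap://ldap.example.com/
base dc=example,dc=com
nss_min_uid 1000
"""


def parse_nss_min_uid(conf_text: str, default: int = 0) -> int:
    """Return the nss_min_uid value from nslcd.conf-style text.

    Only this one key is modelled: comments and other options are skipped,
    and a missing key yields ``default`` (0 means no filtering at all).
    """
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nss_min_uid" and len(parts) == 2:
            return int(parts[1])
    return default


def filter_passwd(entries: Iterable[PasswdEntry], min_uid: int) -> List[PasswdEntry]:
    """Keep only entries whose uid is at or above min_uid.

    This is the effect of nss_min_uid: low-uid accounts are expected to live
    in local files, so directory entries claiming them are ignored.
    """
    return [e for e in entries if e.uid >= min_uid]


def filtered_passwd_lines(conf_text: str, entries: Iterable[PasswdEntry]) -> List[str]:
    """Apply the configured threshold and render what getent passwd would show."""
    min_uid = parse_nss_min_uid(conf_text)
    return [e.to_passwd_line() for e in filter_passwd(entries, min_uid)]


if __name__ == "__main__":
    print("With nss_min_uid 1000:")
    for line in filtered_passwd_lines(SAMPLE_CONF, SAMPLE_LDAP_RESULTS):
        print("  ", line)
    print("Without nss_min_uid (every directory entry is accepted):")
    for line in filtered_passwd_lines("uid nslcd\n", SAMPLE_LDAP_RESULTS):
        print("  ", line)
```

Running the block shows the contrast the reply hints at: with the threshold set, only userA survives; with no nss_min_uid line, the uid 0 entry from the directory would be handed to every NSS client on the host, which is why the option is worth setting even when the directory itself is trusted.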