
Re: Why does nslcd require LDAP user entry objectClass=posixAccount?

On Thu, 2015-04-09 at 14:15 -0400, Shimin wrote:
> The issue is that we also have a CLI component on Linux boxes and some
> components that make use of SSH tunnels into the Linux systems that
> rely on unix login, sshd, pam_unix, that we have to add LDAP
> authentication support.

If you want to have existing UNIX user accounts use LDAP authentication
a username attribute is only really required. It could be that PADL's
pam_ldap may be a better fit in this scenario than nss-pam-ldapd's PAM
module. Also note Berend's comments about PAM applications assuming the
users are known UNIX users.

If you want users that are defined in LDAP to also exist on the system
(e.g. not already locally present in /etc/passwd) you also, at the very
minimum, need an attribute that contains a (unique) numeric uid. All the
other attributes that are normally used can be built using expressions
on the fly. For example:

filter passwd (objectClass=person)
map passwd uid uid
map passwd uidNumber employeenumber
map passwd gidNumber "1000"
map passwd gecos "${gecos:-$cn}"
map passwd homeDirectory "/home/$uid"
map passwd loginShell "/bin/bash"

The above configuration only uses the uid and employeenumber attributes
and can use the gecos and cn attributes if they are present. You also
need to enable the NSS module in /etc/nsswitch.conf.

Note that in the above configuration employeenumber values are expected
to be numeric, should probably be in the range 1000...65533, be unique
and not conflict with existing values in /etc/passwd because otherwise
things magically break or you can end up with access control problems.

While having duplicate numeric uids (or user names) is known to work in
some situations, it is also known to break some applications (e.g.
nscd).

Hope this helps,

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org/ --
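As an added check that is not part of the post or of nss-pam-ldapd: a small Python script that applies the constraints described above (numeric employeenumber, in the range 1000...65533, unique, and not clashing with login names or uids already in /etc/passwd) to a constructed attribute dump before the mapping is put into service. The sample entries and passwd lines are made up for the example.

```python
import re

# Constructed sample input (not from the post): person entries with only the
# attributes the mapping uses, plus two /etc/passwd lines to check against.
SAMPLE_LDIF = """\
uid: alice
employeenumber: 1001

uid: bob
employeenumber: 1001

uid: carol
employeenumber: E-42

uid: root
employeenumber: 1000
"""
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nshimin:x:1000:1000::/home/shimin:/bin/bash\n"

def parse_ldif(text):
    """One dict per blank-line-separated entry; attributes treated as single-valued."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(":") for line in block.splitlines())
        entries.append({k.strip().lower(): v.strip() for k, _, v in pairs})
    return entries

def check_uid_mapping(ldif_text, passwd_text, attr="employeenumber", lo=1000, hi=65533):
    """Return (login, problem) pairs for entries whose mapped passwd record would clash."""
    rows = [line.split(":") for line in passwd_text.splitlines() if line]
    local_name = {f[0]: int(f[2]) for f in rows}  # local login -> uid
    local_uid = {int(f[2]): f[0] for f in rows}   # local uid -> login
    seen, problems = {}, []                        # LDAP uidNumber -> first login
    for e in parse_ldif(ldif_text):
        login, raw = e.get("uid"), e.get(attr, "")
        if login in local_name:
            problems.append((login, "login name already exists in /etc/passwd"))
        if not raw.isdigit():
            problems.append((login, f"{attr} {raw!r} is not numeric"))
            continue
        n = int(raw)
        if not lo <= n <= hi:
            problems.append((login, f"uidNumber {n} outside {lo}..{hi}"))
        if n in local_uid:
            problems.append((login, f"uidNumber {n} clashes with local user {local_uid[n]}"))
        if n in seen:
            problems.append((login, f"uidNumber {n} duplicates LDAP user {seen[n]}"))
        seen.setdefault(n, login)
    return problems
```

Running check_uid_mapping(SAMPLE_LDIF, SAMPLE_PASSWD) flags bob (duplicate of alice's uid), carol (non-numeric value), and root (both the name and uid 1000 already exist locally), while alice passes.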