Re: Group membership filters with multiple uids
Re: Group membership filters with multiple uids
- From: Dustin Wenz <dustinwenz [at] ebureau.com>
- To: Arthur de Jong <arthur [at] arthurdejong.org>
- Cc: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: Group membership filters with multiple uids
- Date: Mon, 4 Apr 2016 16:54:28 -0500
Thanks, Arthur!
I'll check into pam_group to see if it offers a way to make ssh authentication
work for alternate uids. Any ideas about what may have been different about
nss_ldap that would have permitted it to work in the past?
Alternatively, in addition to assigned numeric IDs for each ldap account, we
also assign a GeneratedUID value (which is a UUID) to each user. So, instead of
searching group membership by the member name (uid), I can also search group
membership by GUIDs (we call the field 'GroupMembers'). Is there any way to use
these keys to relate users to groups instead of searching by uid?
- .Dustin
> On Apr 3, 2016, at 12:42 PM, Arthur de Jong <arthur@arthurdejong.org> wrote:
>
> On Fri, 2016-04-01 at 16:49 -0500, Dustin Wenz wrote:
>> For example, an ldap user like me might have both "dustinwenz" and
>> "dustin" uids, but only the first uid is listed as members of groups
>> on the directory server. So, when I login as "dustin", nslcd looks
>> for "&(objectClass=posixGroup)(|(memberUid=dustin)" and never finds
>> my group membership (thus rejecting my ssh connection).
>>
>> If I remove all group restrictions for ssh, I can successfully login
>> as my short uid, and nslcd is then smart enough to translate that
>> short name to the primary "dustinwenz". I can see this in the debug
>> messages: username changed from "dustin" to "dustinwenz".
>>
>> Is there any way for nslcd to perform that username switch prior to
>> searching for group membership?
>
> I'm afraid this is tricky. The PAM stack has a function for changing
> the username (that is related to the message you're seeing) but the
> problem is that most applications (and PAM modules) perform name
> lookups before calling PAM (this uses NSS). This is what SSH does to
> perform a number of access control checks before calling PAM.
>
> You maybe could use pam_group to do the checks instead of doing them in
> SSH but I'm not sure that this provides all the features you need.
>
> In honesty I haven't seen a very good use case for the changing
> username step in PAM. I generally recommend avoiding sharing numeric
> userids across users.
>
> --
> -- arthur - arthur@arthurdejong.org - http://arthurdejong.org/ --
>
> --
> To unsubscribe send an email to
> nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
> http://lists.arthurdejong.org/nss-pam-ldapd-users/
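Added example, not code from the thread or from nss-pam-ldapd: a small in-memory Python model of the lookup chain Arthur describes, where the name is resolved via NSS first and the posixGroup/memberUid filter is only built afterwards. The directory entries, the alias-to-primary-uid rule (first uid value wins) and the audit helper are constructed assumptions for illustration.

```python
# Constructed directory: one account with two uid values ("dustinwenz" is
# the primary, "dustin" an alias) and one group that lists only the primary.
DIRECTORY = [
    {"dn": "uid=dustinwenz,ou=people,dc=example,dc=com",
     "objectClass": ["posixAccount"], "uid": ["dustinwenz", "dustin"],
     "uidNumber": ["1001"]},
    {"dn": "cn=sshusers,ou=groups,dc=example,dc=com",
     "objectClass": ["posixGroup"], "cn": ["sshusers"],
     "memberUid": ["dustinwenz"]},
]


def groups_for(name):
    """Groups matched by (&(objectClass=posixGroup)(memberUid=<name>)),
    i.e. the filter nslcd builds from the login name as typed."""
    return [e["cn"][0] for e in DIRECTORY
            if "posixGroup" in e["objectClass"] and name in e["memberUid"]]


def canonical_uid(name):
    """Resolve an alias to the entry's primary uid (assumed: first value),
    mirroring the 'username changed from "dustin" to "dustinwenz"' step.
    Returns None for unknown names so callers can reject them."""
    for e in DIRECTORY:
        if "posixAccount" in e["objectClass"] and name in e["uid"]:
            return e["uid"][0]
    return None


def groups_via_canonical(name):
    """Membership lookup done *after* the name switch: the workaround the
    thread asks for, applied in the lookup order the thread describes."""
    primary = canonical_uid(name)
    return groups_for(primary) if primary else []


def aliases_missing_from_groups():
    """Audit helper (assumed, not part of nslcd): list (alias, group) pairs
    where a login under the alias would fail a memberUid-based group check
    that the primary uid would pass."""
    gaps = []
    for e in DIRECTORY:
        if "posixAccount" not in e["objectClass"]:
            continue
        primary, aliases = e["uid"][0], e["uid"][1:]
        for alias in aliases:
            for g in set(groups_for(primary)) - set(groups_for(alias)):
                gaps.append((alias, g))
    return sorted(gaps)
```

Running the audit before enabling a group restriction on sshd shows exactly which alias logins would be turned away, which is the failure mode the thread reports.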