
Re: nss_initgroups_ignoreusers ALLLOCAL issue




Hi Martin,

nscd does only caching of name services (passwd, group, dns). The benefit is in lowering traffic from your servers to LDAP and being able to query the name services when the LDAP server has an outage.

Both methods you mention should work: creating a filter for excluding duplicate users from the search, or even searching only for users with some attributeType.
But as I tried in the past, you can leave duplicate usernames; PAM will accept both. E.g. on the filesystem you can work normally with files no matter if you logged in using LDAP or a static user. But the user will have 2 different uidNumbers (one from /etc/passwd, one from LDAP), and so files created by the LDAP user will have e.g. an owner with numeric id 10000 and files created by the system user will be owned by numeric id 10005.

There's one more thing you should consider adding to your filter. Maybe not all users should have access to the system.
You can limit access to specific users on the server by changing the filter to "(&(YOURFILTERS)(host=fqdn.example.com))" and setting the host attribute for users in the LDAP directory.

Best, 
JJ



On Tue, May 16, 2017 at 9:22 AM, mh [at] ow2.org <mh [at] ow2.org> wrote:
Hi Arthur,

Thank you for the clarification. I need more :)

Le 15/05/2017 à 19:08, Arthur de Jong a écrit :
> On Mon, 2017-05-15 at 17:59 +0200, mh [at] ow2.org wrote:
>> nss_initgroups_ignoreusers ALLLOCAL isn't about ignoring all locally
>> defined users from the LDAP at all. It's about 'group membership
>> lookups'
>
> Indeed. I was wondering about what the problem was ;_
>
>> My goal was to avoid duplicate username between local and LDAP but it
>> doesn't seem possible to do so.
>
> Having duplicate user names should not be a real problem as long as the
> entry from /etc/passwd matches that from LDAP.

Usually the data doesn't match: the UID/GID in the LDAP is different from
local.

My use case is as follows: I have a set of Linux servers with a local
account on each of them, the same username every time but not necessarily
the same uid/gid or homedir. On the other hand, I have an LDAP server
which already provides authentication for a number of web apps and which
I have tweaked to handle posix account objectclasses.

At this point, it appears that I need to authenticate to my Linux boxes
using that LDAP account, which has the same username as the local one
mentioned above.

>
> If you want to filter out certain users you could use the filter
> statement to exclude users from LDAP that match certain criteria. There
> is no way to automatically exclude all locally defined users from LDAP
> lookups (though if you are running nscd in most situations this should
> not be a problem).

I'm not sure I understand what the role of nscd is in this, and why it
should not be a problem?

However I could use:
filter passwd (&(objectClass=posixAccount)(!(uid=<dupusername>)))

Or I could have that LDAP dupusername defined with UID/GID > 10000 and
then test this in the filter. That would emulate a "group of LDAP users
to ignore".

Any better idea ?

>
> What you want to avoid is having multiple users with different
> information on the system. If you are running nscd both user names and
> numeric user ids are expected to be unique on the system.

Unfortunately, this is the case: I have a single username with different
data locally vs. LDAP. It seems I have no choice but to build some
filters to avoid that.

Regards,




--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
https://lists.arthurdejong.org/nss-pam-ldapd-users/



--
Jakub Jindra
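An added example (not part of the thread, and not nss-pam-ldapd's own code) that puts the two suggestions above together: it finds usernames that exist both in /etc/passwd and in LDAP with a different uidNumber (the case Arthur says is the real problem), and builds the nslcd `filter passwd` line that excludes them and, optionally, restricts logins with the host attribute. The passwd lines and LDAP entries are constructed sample data, and the filter values are escaped per RFC 4515 so a username containing filter metacharacters cannot change the filter's structure.

```python
# Constructed sample input: local accounts and the posixAccount entries LDAP returns.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
martin:x:1000:1000:Martin:/home/martin:/bin/bash
deploy:x:1001:1001::/srv/deploy:/bin/sh
"""
LDAP_ACCOUNTS = [
    {"uid": "martin", "uidNumber": 10000},  # same name, different uid: conflict
    {"uid": "deploy", "uidNumber": 1001},   # same name, same uid: harmless duplicate
    {"uid": "alice", "uidNumber": 10005},   # LDAP-only user
]


def parse_passwd(text):
    """Map username -> numeric uid from /etc/passwd-style lines."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:
            users[fields[0]] = int(fields[2])
    return users


def conflicting_users(local, ldap_accounts):
    """Usernames defined locally and in LDAP whose numeric uid differs."""
    return sorted(e["uid"] for e in ldap_accounts
                  if e["uid"] in local and local[e["uid"]] != e["uidNumber"])


# RFC 4515 escaping for values placed inside an LDAP search filter.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_passwd_filter(excluded, host=None):
    """AND-combine the posixAccount match, one (!(uid=...)) per excluded user
    and, if given, the (host=...) restriction from the reply above."""
    parts = ["(objectClass=posixAccount)"]
    parts += ["(!(uid=%s))" % escape_filter_value(u) for u in excluded]
    if host:
        parts.append("(host=%s)" % escape_filter_value(host))
    return "(&" + "".join(parts) + ")"


def nslcd_filter_line(local_passwd, ldap_accounts, host=None):
    """Return the 'filter passwd ...' line for nslcd.conf."""
    excluded = conflicting_users(parse_passwd(local_passwd), ldap_accounts)
    return "filter passwd " + build_passwd_filter(excluded, host)


if __name__ == "__main__":
    print(nslcd_filter_line(LOCAL_PASSWD, LDAP_ACCOUNTS, host="srv1.example.com"))
```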