
Re: [nssldap] Looking up users via username _or_ other attribute?




Hi Erik,

Erik Forsberg wrote:
> Hi!
>
> Can nss_ldap be configured to search for user entries with a filter that
> looks for the supplied username in multiple attributes? For example,
> when I do 'getent passwd test', I would like nss_ldap to query the LDAP
> server for
> '(&(objectclass=posixAccount)(|(uid=test)(otherAttribute=test)))'

The nss subsystem doesn't work quite like that, but reading on, I see that you are really asking a different question.
> The reason behind this would be to allow authenticating using a
> mail address, certificate serial number or some other information stored
> in LDAP against openssh's sshd, which runs a
> getpwent(username-sent-over-network) to decide if a user is valid or
> not, while still keeping the real username in the environment. I could
> set 'nss_map_attribute uid mail', but all users would then be listed
> with that attribute when listing file/process ownership.

You are correct that using nss_map_attribute would not accomplish what you want.

Although possible, it is considered poor security design to rely on the NSS subsystem for user authentication, as this mandates hashed passwords stored in LDAP using the weak 'crypt' format. There are a number of other deficiencies in this design that are outside the scope of this discussion. Suffice it to say that you should use nss_ldap in the way it does best: returning tabular information from a datastore for tasks such as translating between textual and numeric user ids. This would meet your goal of 'keeping the real username in the environment'.

The PAM subsystem has taken over the authentication functions in most modern UNIX- and Linux-based operating systems. In LDAP-based authentication the pam_ldap module is used to authenticate users in a secure fashion. The most popular pam_ldap module is from PADL, and since you're posting here I presume that's the software you're using. This module allows you to select an arbitrary attribute to be used in determining which user object to use as a basis for authenticating. In PADL's pam_ldap module this is the pam_login_attribute parameter in the ldap.conf file. Set this parameter to the name of the attribute you want to use. For example, set it to 'uid' if you want to authenticate based on the contents of the 'uid' attribute in the directory. You could also use another attribute, such as one that contained a user's email address, social security number, etc.

> Also, it would be nice if I could have some users logging in
> via their mail address, and some via their username.

As currently written, the configuration file format for pam_ldap (usually /etc/ldap.conf) allows you to choose one attribute for pam_ldap to use in looking up a user. That being said, individual services in the PAM configuration file (/etc/pam.conf) can specify different pam_ldap configuration files, so it's conceivable that you could come up with a pam.conf file that specified different pam_ldap configuration files for sshd, telnet, and login. Each of these configuration files could then list its own attribute a user would need to use for identifying herself.

You'll need to refer to the man pages for PADL's nss_ldap and pam_ldap for additional information, but hopefully this will get you pointed in the right direction.
> Regards,
> \EF

Cheers,

-Matt

--

Matthew Hardin
Symas Corporation - The LDAP Guys
http://www.symas.com
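The per-service split Matt describes above, as an added configuration example that is not from the original thread or from PADL's own documentation. It assumes PADL pam_ldap's "config=" module argument is used to point each service at its own ldap.conf-style file, and uses placeholder host and base values.

```conf
# /etc/pam.conf (added example). Each service hands pam_ldap a different
# configuration file via the assumed "config=" module argument, so the
# attribute a user identifies with can differ per service while nss_ldap
# keeps resolving uid <-> number for file and process ownership.

# sshd: users identify themselves by mail address
sshd    auth     sufficient  /lib/security/pam_ldap.so config=/etc/ldap-sshd.conf
sshd    auth     required    /lib/security/pam_unix.so use_first_pass
sshd    account  sufficient  /lib/security/pam_ldap.so config=/etc/ldap-sshd.conf
sshd    account  required    /lib/security/pam_unix.so

# login: users identify themselves by the plain uid
login   auth     sufficient  /lib/security/pam_ldap.so config=/etc/ldap-login.conf
login   auth     required    /lib/security/pam_unix.so use_first_pass
login   account  sufficient  /lib/security/pam_ldap.so config=/etc/ldap-login.conf
login   account  required    /lib/security/pam_unix.so

# ---- /etc/ldap-sshd.conf (placeholder host/base) ----
# host ldap.example.invalid
# base dc=example,dc=invalid
# ssl start_tls
# pam_filter objectclass=posixAccount
# pam_login_attribute mail

# ---- /etc/ldap-login.conf (placeholder host/base) ----
# host ldap.example.invalid
# base dc=example,dc=invalid
# ssl start_tls
# pam_filter objectclass=posixAccount
# pam_login_attribute uid
```

Whatever attribute a service's file names in pam_login_attribute must identify exactly one directory entry, otherwise the login name is ambiguous; the uid attribute still needs to be set on every account so that NSS lookups and ownership listings show the real username.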