Re: [nssldap] Looking up users via username _or_ other attribute?

On Sat, 19 Jan 2008 11:13:38 -0700
Matthew Hardin <mhardin@symas.com> wrote:

> Hi Erik,

Hi, and thanks for your reply. Sorry about my delay in replying; I've got
a lot of other projects going on.

> Although possible, it is considered poor security design to rely on
> the NSS subsystem for user authentication, as this mandates hashed
> passwords stored in LDAP using the weak 'crypt' format. There are a
> number of other deficiencies in this design that are outside the
> scope of this discussion. Suffice it to say that you should use
> nss_ldap in the way it does best: returning tabular information from
> a datastore for tasks such as translating between textual and numeric
> user ids. This would meet your goal of 'keeping the real username in
> the environment'.

Well, I do not want to use the crypted passwords stored in LDAP - what
I want is to map one kind of username into another kind of username at
login.

The reason for this is that I want to log in with a public ssh key, but
on the client side, I only know a certificate subject in the form
C=SE,CN=My Name,GN=Some other Name/serialNumber=YYYYMMDDNNNN, not the
username. On the server side, I can, via LDAP, map the certificate
subject into a username.

Unfortunately, it seems like openssh is not built to support this
function - it makes a getpwnam on the username sent by the ssh client,
which will fail. I guess the correct way of doing this is to try to
authenticate via PAM first, then extract PAM_USER from the PAM library
and use that to find out where the user's home directory etc. resides.

Another way of getting the same result would be to make nss_ldap find
the user for us by configuring it to find a user entry based on a
configurable filter, not based on a fixed filter that only checks one
attribute.

> As currently written, the configuration file format for pam_ldap
> (usually /etc/ldap.conf) allows you to choose one attribute for
> pam_ldap to use in looking up a user. That being said, individual
> services in the PAM configuration file (/etc/pam.conf) can specify
> different pam_ldap configuration files,

Oh, this is news to me - where can I find out the exact syntax? I don't
think it solves this problem, but it would be interesting to know. Can
I also specify different nss_ldap configuration files, and that way
fetch usernames from several LDAP servers, or from the same LDAP
server but with a different configuration?

nss_ldap(5) on a Fedora Core 7 says:

       nss_ldap  stores  its configuration in the ldap.conf file, the
       location of which is configurable at compile time.

Regards,
\EF
-- 
Erik Forsberg                OpenSource-based Thin Client Technology
Systems Analyst/Developer    Phone: +46-13-21 46 00    
Cendio AB                    Web: http://www.cendio.com
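As an added illustration of the "configurable filter" idea in the message above (example code written for this page, not part of the thread, nss_ldap or OpenSSH): a small Python resolver that tries an ordered list of LDAP filters to map whatever the ssh client presents, a plain username or a certificate subject, to the real uid, escaping the client-supplied value so it cannot reshape the filter. The attribute name x509SubjectName, the in-memory directory and the minimal filter evaluator that stands in for the LDAP server are all assumptions.

```python
import re

# Assumption (not from the thread): the certificate subject is stored in a
# hypothetical attribute 'x509SubjectName'; 'uid' holds the POSIX username.
CERT_SUBJECT_ATTR = "x509SubjectName"

# Ordered, configurable lookup filters; {v} is the client-supplied identifier.
FILTER_TEMPLATES = [
    "(&(objectClass=posixAccount)(uid={v}))",
    "(&(objectClass=posixAccount)(" + CERT_SUBJECT_ATTR + "={v}))",
]

# Constructed sample directory standing in for the LDAP server.
DIRECTORY = [
    {"objectClass": "posixAccount", "uid": "erik",
     CERT_SUBJECT_ATTR: "C=SE,CN=My Name,GN=Some other Name/serialNumber=197001011234"},
    {"objectClass": "posixAccount", "uid": "alice",
     CERT_SUBJECT_ATTR: "C=SE,CN=Alice (Admin)"},
]

def escape_filter_value(value):
    """RFC 4515 escaping: '*', '(', ')', '\\' and NUL become \\XX so a
    client-chosen identifier cannot change the shape of the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

_EQ = re.compile(r"\(([A-Za-z][A-Za-z0-9-]*)=((?:[^()\\]|\\[0-9a-fA-F]{2})*)\)")

def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def search(directory, ldap_filter):
    """Evaluate only the AND-of-equality subset of LDAP filters used here."""
    if not (ldap_filter.startswith("(&") and ldap_filter.endswith(")")):
        raise ValueError("unsupported filter: " + ldap_filter)
    body = ldap_filter[2:-1]
    terms = _EQ.findall(body)
    if "".join("(%s=%s)" % t for t in terms) != body:
        raise ValueError("unsupported filter: " + ldap_filter)
    wanted = [(attr, _unescape(val)) for attr, val in terms]
    return [e for e in directory if all(e.get(a) == v for a, v in wanted)]

def resolve_username(presented, directory=DIRECTORY):
    """Try each configured filter in turn; return the matching uid or None."""
    safe = escape_filter_value(presented)
    for template in FILTER_TEMPLATES:
        hits = search(directory, template.format(v=safe))
        if len(hits) == 1:
            return hits[0]["uid"]
        if len(hits) > 1:
            return None  # ambiguous match: refuse rather than guess a user
    return None
```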