Re: [nssldap] Looking up users via username _or_ other attribute?
- From: Erik Forsberg <forsberg+nssldap [at] cendio.se>
- To: Matthew Hardin <mhardin [at] symas.com>
- Cc: nssldap [at] padl.com
- Subject: Re: [nssldap] Looking up users via username _or_ other attribute?
- Date: Wed, 13 Feb 2008 14:35:15 +0100
On Sat, 19 Jan 2008 11:13:38 -0700
Matthew Hardin <mhardin@symas.com> wrote:
> Hi Erik,
Hi, and thanks for your reply. Sorry about my delay in replying, got a
lot of other projects going on.
> Although possible, it is considered poor security design to rely on
> the NSS subsystem for user authentication, as this mandates hashed
> passwords stored in LDAP using the weak 'crypt' format. There are a
> number of other deficiencies in this design that are outside the
> scope of this discussion. Suffice it to say that you should use
> nss_ldap in the way it does best: returning tabular information from
> a datastore for tasks such as translating between textual and numeric
> user ids. This would meet your goal of 'keeping the real username in
> the environment'.
Well, I do not want to use the crypted passwords stored in LDAP - what
I want is to map one kind of username into another kind of username at
login.
The reason for this is that I want to log in with a public ssh key, but
on the client side, I only know a certificate subject of the form
C=SE,CN=My Name,GN=Some other Name/serialNumber=YYYYMMDDNNNN, not the
username. On the server side, I can, via LDAP, map the certificate
subject into a username.
Unfortunately, it seems like openssh is not built to support this
function - it makes a getpwnam on the username sent by the ssh client,
which will fail. I guess the correct way of doing this is to try to
authenticate via PAM first, then extract PAM_USER from the PAM library
and use that to find out where the user's home directory etc. resides.
Another way of getting the same result would be to make nss_ldap find
the user for us by configuring it to find a user entry based on a
configurable filter, not based on a fixed filter that only checks one
attribute.
> As currently written, the configuration file format for pam_ldap
> (usually /etc/ldap.conf) allows you to choose one attribute for
> pam_ldap to use in looking up a user. That being said, individual
> services in the PAM configuration file (/etc/pam.conf) can specify
> different pam_ldap configuration files,
Oh, this is news to me - where can I find out the exact syntax? I don't
think it solves this problem, but it would be interesting to know. Can
I also specify different nss_ldap configuration files, that way
fetching usernames from several LDAP servers, or from the same LDAP
server but with different configuration?
nss_ldap(5) on a Fedora Core 7 says:

    nss_ldap stores its configuration in the ldap.conf file, the
    location of which is configurable at compile time.
Regards,
\EF
--
Erik Forsberg                  OpenSource-based Thin Client Technology
Systems Analyst/Developer      Phone: +46-13-21 46 00
Cendio AB                      Web: http://www.cendio.com
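The server-side mapping Erik describes, resolving a certificate subject to the account that getpwnam() needs, as an added example that is not part of the original message or of nss_ldap/pam_ldap. It assumes a hypothetical attribute named certSubject on each posixAccount entry and uses a small constructed in-memory directory in place of a live LDAP server; a real deployment would send the same filter through an LDAP client library. It goes slightly beyond the mail by escaping the client-supplied subject (RFC 4515) so it cannot add filter terms, and by failing closed when the subject matches zero or more than one entry.

```python
"""Resolve an X.509 certificate subject to the POSIX account that
getpwnam() would need, the server-side mapping the thread discusses.

This is an added example, not code from nss_ldap, pam_ldap or the thread.
Assumptions (hypothetical): each posixAccount entry carries the subject in
an attribute called 'certSubject', and the directory is a small constructed
in-memory list standing in for a live LDAP server.
"""
import re

# Constructed sample directory; the first subject is the one from the mail.
DIRECTORY = [
    {'objectClass': ['top', 'posixAccount'], 'uid': 'myname',
     'uidNumber': 1001, 'homeDirectory': '/home/myname',
     'certSubject': 'C=SE,CN=My Name,GN=Some other Name/serialNumber=YYYYMMDDNNNN'},
    {'objectClass': ['top', 'posixAccount'], 'uid': 'other',
     'uidNumber': 1002, 'homeDirectory': '/home/other',
     'certSubject': 'C=SE,CN=Other Person/serialNumber=000000000000'},
]


def escape_filter_value(value):
    """RFC 4515 escaping for an assertion value, so that characters in a
    client-supplied subject cannot add or alter filter terms."""
    return ''.join('\\%02x' % ord(ch) if ch in '*()\\\x00' else ch
                   for ch in value)


def unescape_filter_value(value):
    """Inverse of escape_filter_value for \\XX hex escapes."""
    return re.sub(r'\\([0-9a-fA-F]{2})',
                  lambda m: chr(int(m.group(1), 16)), value)


def build_filter(subject, attr='certSubject'):
    """The 'configurable filter' idea from the mail: look up a user by an
    attribute other than uid, still restricted to posixAccount entries."""
    return '(&(objectClass=posixAccount)(%s=%s))' % (
        attr, escape_filter_value(subject))


_ITEM = re.compile(r'\(([A-Za-z][A-Za-z0-9-]*)=([^()]*)\)')


def matches(entry, filt):
    """Evaluate an AND-of-equality filter against one entry. Only the
    subset needed for a user lookup is supported; anything else is rejected."""
    if not (filt.startswith('(&') and filt.endswith(')')):
        raise ValueError('only (&...) filters are supported')
    body = filt[2:-1]
    items = _ITEM.findall(body)
    if ''.join('(%s=%s)' % item for item in items) != body:
        raise ValueError('unsupported filter syntax: %r' % filt)
    for attr, raw in items:
        values = entry.get(attr, [])
        if not isinstance(values, list):
            values = [values]
        if unescape_filter_value(raw) not in [str(v) for v in values]:
            return False
    return True


def subject_to_passwd(subject, directory=DIRECTORY):
    """Return the passwd-style fields for the account matching a subject,
    or None. Exactly one hit is required: an ambiguous subject fails closed
    rather than handing the session to an arbitrary account."""
    filt = build_filter(subject)
    hits = [e for e in directory if matches(e, filt)]
    if len(hits) != 1:
        return None
    hit = hits[0]
    return {'uid': hit['uid'], 'uidNumber': hit['uidNumber'],
            'homeDirectory': hit['homeDirectory']}


if __name__ == '__main__':
    print(subject_to_passwd(
        'C=SE,CN=My Name,GN=Some other Name/serialNumber=YYYYMMDDNNNN'))
```

The lookup returns the uid and home directory the rest of the login path needs; the escaping matters because the subject string comes from the client, and the unique-hit rule matters because two directory entries carrying the same subject would otherwise be resolved silently to whichever the server returned first.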