lists.arthurdejong.org
Re: [nssldap] question about nssldap configuration

On Thu, 2010-11-25 at 18:16 +0100, saraguato@gmail.com wrote:
> Yes, I hacked the source code of nss_ldap with successful results, so
> the home directory was based on the username
> (/home/ldap/<user_name>), but I would have liked to do this without
> compiling.

FWIW you can do this out-of-the-box with nss-pam-ldapd (should also be
in Ubuntu). The relevant config option is:

  map passwd homeDirectory "${homeDirectory:-/home/$uid}"

(this uses the homeDirectory attribute if defined and otherwise falls
back to a generated one)

> However I could not change the uid of the users. I tried to do this
> with 2 methods:
> a) changes in source code in the same way as the home directory (uid
> was a hash number based on username)
> b) Set a default value in /etc/ldap.conf with
> "nss_default_attribute_value uidNumber 2222" (2222 just for testing)

The problem with this is that you have to support two lookups:
  username -> passwd entry
  userid -> passwd entry

If you map the username to a userid using a hash, you should also be
able to do the lookup in the other direction (reversible function).

Note that nss-pam-ldapd currently does not support expression-based
mapping for the uidNumber attribute (you can remap it to another
attribute though).

> With these two changes the results are the same: users cannot log in
> with ssh. The auth.log:
> Nov 25 17:56:09 pipo sshd[7701]: Accepted password for Administrador from 
> 87.218.XXX.XXX port 38913 ssh2
> Nov 25 17:56:09 pipo sshd[7701]: pam_unix(sshd:session): session opened for 
> user Administrador by (uid=0)
> Nov 25 17:56:09 pipo sshd[7701]: fatal: login_get_lastlog: Cannot find 
> account for uid 2222

This is exactly the number-to-name lookup that is described above. In
this case it is a PAM module that is complaining. You may be able to
work around this by removing pam_unix from SSHD's session, but a lot
more processes expect to be able to do numeric uid to username lookups.

Perhaps you could insert a user in /etc/passwd with uid 2222 to work
around some issues also, but you won't have real user separation on your
system (all users will be able to interfere with all other users with
the same uid). This will cause all sorts of weird problems.

Also, having multiple users with the same numeric userid will probably
break all kinds of stuff. For instance, nscd expects usernames and
userids to be unique.

I don't think there is a stable solution available without storing some
information in the LDAP server.

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
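The name -> uid -> name round trip that sshd's login_get_lastlog and pam_unix perform above is easy to check before LDAP logins are enabled. The script below is an added example, not code from this thread or from nss-pam-ldapd: it checks a set of passwd entries for unique names and unique uids, and runs the live reverse lookup through the host's NSS configuration (whatever /etc/nsswitch.conf points at). The sample entries are constructed to reproduce the situation in the thread (several LDAP users all given uidNumber 2222); the user names in them are made up.

```python
"""Check that an NSS passwd source gives reversible, unique uid mappings.

sshd, pam_unix, nscd and many other programs look users up in both
directions (name -> uid and uid -> name).  A fixed default uidNumber or a
non-invertible hash breaks the uid -> name direction, which is what the
"Cannot find account for uid 2222" message in the thread is about.
"""
import pwd
from collections import defaultdict
from typing import Iterable, List, NamedTuple


class PasswdEntry(NamedTuple):
    name: str
    uid: int
    gid: int
    home: str
    shell: str


def check_uid_mapping(entries: Iterable[PasswdEntry]) -> List[str]:
    """Return a list of problems; an empty list means names and uids are
    both unique, so lookups in either direction are unambiguous."""
    problems: List[str] = []
    by_name = defaultdict(list)
    by_uid = defaultdict(list)
    for e in entries:
        by_name[e.name].append(e.uid)
        by_uid[e.uid].append(e.name)
    for name, uids in sorted(by_name.items()):
        if len(uids) > 1:
            problems.append(f"user {name!r} has multiple uids: {sorted(uids)}")
    for uid, names in sorted(by_uid.items()):
        if len(names) > 1:
            # This is the "no real user separation" case: every process owned
            # by uid 2222 can signal, ptrace or read files of every other one.
            problems.append(f"uid {uid} is shared by users: {sorted(names)}")
    return problems


def check_reverse_lookups(names: Iterable[str]) -> List[str]:
    """For each user name, do the name -> uid -> name round trip against the
    live NSS configuration of this host, the way login_get_lastlog does."""
    problems: List[str] = []
    for name in names:
        try:
            uid = pwd.getpwnam(name).pw_uid
        except KeyError:
            problems.append(f"getpwnam({name!r}) failed: no such account")
            continue
        try:
            back = pwd.getpwuid(uid).pw_name
        except KeyError:
            # sshd reports this as "Cannot find account for uid N".
            problems.append(f"getpwuid({uid}) failed for {name!r}")
            continue
        if back != name:
            problems.append(
                f"{name!r} -> uid {uid} -> {back!r}: reverse lookup returns another user"
            )
    return problems


# Constructed sample (assumed names): three LDAP users that all received the
# default uidNumber 2222, plus one local account.  This mirrors the thread.
SAMPLE_ENTRIES = [
    PasswdEntry("root", 0, 0, "/root", "/bin/bash"),
    PasswdEntry("Administrador", 2222, 100, "/home/ldap/Administrador", "/bin/bash"),
    PasswdEntry("alice", 2222, 100, "/home/ldap/alice", "/bin/bash"),
    PasswdEntry("bob", 2222, 100, "/home/ldap/bob", "/bin/bash"),
]


def live_entries() -> List[PasswdEntry]:
    """All passwd entries visible through NSS on this host (files + LDAP)."""
    return [PasswdEntry(p.pw_name, p.pw_uid, p.pw_gid, p.pw_dir, p.pw_shell)
            for p in pwd.getpwall()]


if __name__ == "__main__":
    print("constructed sample:")
    for line in check_uid_mapping(SAMPLE_ENTRIES) or ["ok"]:
        print("  ", line)
    entries = live_entries()
    print("live NSS configuration:")
    for line in (check_uid_mapping(entries)
                 + check_reverse_lookups(e.name for e in entries)) or ["ok"]:
        print("  ", line)
```

Run it on the LDAP client after nslcd (or nss_ldap) is configured; an empty "live" section means every user that sshd can authenticate can also be resolved back from its uid, which is the property the session modules and nscd depend on.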