RSS feed

Re: [nssldap] question about nssldap configuration

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: [nssldap] question about nssldap configuration

> FWIW you can do this out-of-the-box with nss-pam-ldapd (should also be
> in Ubuntu). The relevant config option is:
>  map passwd homeDirectory "${homeDirectory:-/home/$uid}"
> (this uses the homeDirectory attribute if defined and otherwise falls
> back to a generated one)

Thank you, it solved my problem.

>> However I could not change the uid of the users. I tried to do this
>> with 2 methods:
>> a) changes in source code in the same way as the home directory (uid
>> was a hash number based on username)
>> b) Set a default value in /etc/ldap.conf with
>> "nss_default_attribute_value uidNumber 2222" (2222 only for proofs)
> The problem with this is that you have to support two lookups:
>  username -> passwd entry
>  userid -> passwd entry
> If you map the username to a userid using a hash, you should also be
> able to do the lookup in the other direction (reversible function).
> Note that nss-pam-ldapd currently does not support expression-based
> mapping for the uidNumber attribute (you can remap it to another
> attribute though).

>> With this two changes the results are the same: users can not login
>> with ssh. The auth.log:
>> Nov 25 17:56:09 pipo sshd[7701]: Accepted password for Administrador from 
>> 87.218.XXX.XXX port 38913 ssh2
>> Nov 25 17:56:09 pipo sshd[7701]: pam_unix(sshd:session): session opened for 
>> user Administrador by (uid=0)
>> Nov 25 17:56:09 pipo sshd[7701]: fatal: login_get_lastlog: Cannot find 
>> account for uid 2222
> This is exactly the number-to-name lookup that is described above. In
> this case it is a PAM module that is complaining. You may be able to
> work around this by removing pam_unix from SSHD's session, but a lot
> more processes expect to be able to do numeric uid to username lookups.
> Perhaps you could insert a user in /etc/passwd with uid 2222 to work
> around some issues also, but you won't have real user separation on your
> system (all users will be able to interfere with all other users with
> the same uid). This will cause all sorts of weird problems.
> Also, having multiple users with the same numeric userid will probably
> also break all kinds of stuff. For instance, nscd expects usernames and
> userids to be unique.

I used the same 2222 idnumber only for proofs.
I wanted to use a unique uid number, the uidNumber had to be a hash of
the username.

> I don't think there is a stable solution available without storing some
> information in the LDAP server.

I see this can not be done easyly without storing information in the
LDAP server

Thank you again


> --
> -- arthur - - --