
I am trying to setup Linux logins for users in an LDAP directory. The directory contains users which have a UID under 1000 and I believe this is causing problems with logins to those accounts as UID under 1000 is reserved on Linux for system use. The LDAP admin does not want to change the UID for all those people because he says it will break many Windows files.

Is there a way to override (or re-map) a specific user's UID coming from LDAP? Either an entry in /etc/ldap.conf using something like nss_override_attribute_value or another way?

Server Fault
  • I had always thought that the UID_MIN value is only used by useradd and similar when new users are created and has no impact on who is allowed to log on? That still leaves a risk of LDAP users having the same low UID of existing system accounts, but YOU can change those. – HBruijn Feb 12 '15 at 14:43
  • You are right! I am mistaken and have updated the question. But how to change those UIDs? I can add a local account for a person in LDAP and give them a new UID:GID, but this is not so great. – Server Fault Feb 12 '15 at 14:47
  • "it will break many Windows files". uh, what? windows doesn't use the uid attribute at all. – longneck Feb 12 '15 at 15:09
  • From what I recall windows servers offering NFS shares can use the Posix uidNumber and gidNumber attributes from AD [1](http://blogs.technet.com/b/filecab/archive/2012/10/09/nfs-identity-mapping-in-windows-server-2012.aspx). A slightly obscure edge case :-) – HBruijn Feb 12 '15 at 15:29

1 Answer

There are no LDAP UID remapping options that I'm aware of, at least on a per user basis. This would be in the documentation for the NSS module and supporting daemon (if applicable).

I understand your aversion to using local /etc/passwd overrides, but even if there were NSS-level workarounds for this I'd still say passwd is the right place to do this: it's a well-known location for this type of override, compared to something more obscure that is buried in an NSS module configuration file.

To state the obvious: make sure your local databases are specified before LDAP in /etc/nsswitch.conf, which is recommended anyway. You'll see multiple results for that user when you execute getent passwd, but this is expected and the first one wins.

Andrew B
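As an added illustration (not part of the answer above), the following script emulates what the answer describes: the `passwd:` line of nsswitch.conf decides which source answers a name lookup first, so a local /etc/passwd entry shadows the LDAP entry for the same name, while a low LDAP uidNumber that nobody overrode can still collide with a system account. All file contents are constructed sample data, not taken from a real system.

```python
# Emulate NSS "passwd:" lookup order and flag UID collisions between
# local /etc/passwd overrides and users coming from LDAP.
from typing import Dict, List, Tuple

# Constructed nsswitch.conf fragment: local files are consulted before LDAP.
NSSWITCH = "passwd: files ldap\ngroup:  files ldap\n"

# Constructed local /etc/passwd: 'jdoe' is the local override for an LDAP user.
LOCAL_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jdoe:x:1500:1500:J Doe (override):/home/jdoe:/bin/bash
"""

# Constructed passwd-style view of the LDAP directory (uidNumber < 1000).
LDAP_PASSWD = """jdoe:x:500:500:J Doe:/home/jdoe:/bin/bash
asmith:x:1:1:A Smith:/home/asmith:/bin/bash
"""

def passwd_source_order(nsswitch_text: str) -> List[str]:
    """Sources named on the 'passwd:' line, in order; bracketed action
    tokens such as [NOTFOUND=return] are skipped."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("passwd:"):
            return [t for t in line.split(":", 1)[1].split() if not t.startswith("[")]
    return []

def parse_passwd(text: str) -> List[Tuple[str, int]]:
    """(name, uid) pairs from passwd(5)-style lines."""
    entries = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            entries.append((fields[0], int(fields[2])))
    return entries

def resolve(order: List[str], sources: Dict[str, List[Tuple[str, int]]]) -> Dict[str, Tuple[int, str]]:
    """Lookup by name as NSS does: the first listed source that has the name wins."""
    winners: Dict[str, Tuple[int, str]] = {}
    for src in order:
        for name, uid in sources.get(src, []):
            winners.setdefault(name, (uid, src))
    return winners

def uid_collisions(winners: Dict[str, Tuple[int, str]]) -> Dict[int, List[str]]:
    """UIDs shared by more than one resolved name: ambiguous file ownership."""
    by_uid: Dict[int, List[str]] = {}
    for name, (uid, _src) in winners.items():
        by_uid.setdefault(uid, []).append(name)
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}
```

Running `resolve` with the sample data shows `jdoe` taking the local UID 1500 from `files`, while `asmith` keeps LDAP UID 1 and is reported as colliding with the system account `daemon`.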