
I'm having a largish user base (>>1000) which should be able to collectively use some sharing service.

The user base is slowly but constantly changing.

Esp. we are not interested in privilege separation (all users are equal), so from a privilege POV they can share a single account. However, for security reasons we cannot use shared credentials. Luckily all users have their own username/password available via LDAP.

So we have implemented a login server (ssh on Debian), where people are authenticated via PAM and OpenLDAP.

Now the LDAP server is not providing much information, only a username and the ability to authenticate. Esp. it lacks an objectClass: posixAccount and the accompanying attributes

  • uidNumber
  • gidNumber
  • loginShell
  • homeDirectory

My access to the LDAP server is very limited (esp. I cannot ask for those or any other attributes to be added); basically it only allows me to authenticate the users.

Now the good news is that I don't care very much if all users have the same values for those attributes.

So I ended up implementing a proxy LDAP server that uses a translucent overlay to add the missing attributes. The overlay data is generated via a script that creates a stripped-down LDIF file from the upstream LDAP data, which is then used to populate the translucent database.

This works OK, but I don't like it from a maintainability POV: because the user base is changing, I need to regularly update the database manually (it's changing seldom enough - every few months - so it is not much work, but it is also easy to forget).

Because the overlay data is so trivial (it's the same attributes/values for all objects), I think there must be a better way. Ideally I would like to have an overlay that would add those attributes to all objects (matching a given search term).

To complicate things a little bit, we also authenticate another user base against another LDAP server that does provide posixAccount data; users of this group should of course not be affected by all the overlay magic needed for the other group, which I think rules out any magic done on the PAM side.

umläute

1 Answer

Original Suggestion:

I'd suggest using the nss-pam-ldapd package and using an nslcd mapping to provide default values for user accounts when no value comes from LDAP.

According to the documentation for nslcd.conf, the uid/gid can be derived too:

The uidNumber and gidNumber attributes in the passwd and group maps may be mapped to the objectSid followed by the domain SID to derive numeric user and group ids from the SID (e.g. objectSid:S-1-5-21-3623811015-3361044348-30300820).

Option #2a:

So based on what you've mentioned, it seems like you'll need to keep the mirror of the directory.

Could you simply update the script you have so it works non-destructively (i.e. only adds accounts/attributes it doesn't find locally) and have it run once a day via cron?

Option #2b:

A variation on this would be if you could set up native one-way LDAP replication (from the upstream directory into your local directory) and then use either the overlay, or a script (which in turn does a local ldapmodify) triggered by events in a log, to provide the missing attributes?

Stephen
  • Almost; it seems that there is no way to do expression-based attribute mapping for `uidNumber` - is there a way around this? – umläute Feb 09 '16 at 21:03
  • I've updated the answer with information about uid/gid specifically. – Stephen Feb 10 '16 at 03:35
  • Right, I've seen that; but unfortunately it doesn't help me (the objects are *not* of `sambaSamAccount` class either; basically they are only of `inetOrgPerson`). – umläute Feb 10 '16 at 08:59
  • I've added a couple of options you could try. – Stephen Feb 10 '16 at 09:18