Enhancement #593 (closed): PAM LDAP Rework
Done: 100%
Description
Most hosts are using nslcd to handle LDAP cache and authentication/authorization filters. It proved to be a better system and I wanted to use it everywhere but Elwing and Orfeo had services in need of special authorization filters and still use nss-ldap+pam-ldap+unscd.
Example of the minbif PAM config with pam_ldap_minbif.conf containing specific LDAP filters:

auth     requisite pam_ldap.so config=/etc/pam_ldap_minbif.conf
account  requisite pam_ldap.so config=/etc/pam_ldap_minbif.conf
session  optional  pam_ldap.so config=/etc/pam_ldap_minbif.conf
password requisite pam_ldap.so config=/etc/pam_ldap_minbif.conf use_authtok
With nslcd's pam_authz_search it is now possible to mix various variables and couple host+service names like this:
pam_authz_search (&(objectClass=shellUser)(uid=$username)(|(allowedServices=$fqdn--$service)(allowedServices=$service)))
The goal is to improve the LDAP config to use these new values in allowedServices instead and switch to nslcd. Then we can clean up the whole config and distribute it via Ansible.
Also, changes in the PAM common files introduced problems (see #349), which may open unwanted accesses, so this would also fix these problems as we would get back to pam-auth-update management, as intended by the Debian package maintainers.
Updated by Marc Dequènes over 6 years ago
- Priority changed from Normal to Urgent
Updated by Marc Dequènes over 6 years ago
- Related to Bug #349: pam-auth-update activated LDAP in common non-ldap configurations added
Updated by Marc Dequènes over 6 years ago
- Status changed from New to In Progress
- % Done changed from 0 to 60
The changes in the `dc-ldap` role are done. Orfeo and Elwing are now using nslcd. The PAM config is cleaned up on all hosts.
Now I need to polish the config and deploy the shell servers tools and configs with Ansible.
Updated by Marc Dequènes over 6 years ago
- % Done changed from 60 to 70
- Branch changed from pam_ldap_rework to pam_ldap_rework2
Properly separated login and SSH aspects.
Filtering on objectClass=shellUser was fine on machines with only shell in mind, but now it is blocking non-shell users from accessing other services. Working on fixing this.
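To make the authorization behaviour described in the issue description and in this update concrete, here is an added example (not code from the issue or from the `dc-ldap` role). It mimics what nslcd's pam_authz_search does: substitute the PAM variables into the filter template, run the resulting LDAP filter, and grant access if at least one entry matches. The directory entries, the host names and the relaxed `PER_SERVICE` filter are constructed assumptions; the `SHELL_ONLY` filter is the one quoted in the issue. Running it shows why the objectClass=shellUser clause locks a mail-only user out of every service, and that dropping the clause lets allowedServices alone decide.

```python
"""Toy evaluator for nslcd-style pam_authz_search filters (added example)."""
from string import Template

# Constructed sample directory; attribute values are lists, as in LDAP.
ENTRIES = [
    {"uid": ["alice"], "objectClass": ["posixAccount", "shellUser"],
     "allowedServices": ["sshd", "elwing.example.org--minbif"]},
    {"uid": ["bob"], "objectClass": ["posixAccount"],      # mail-only, no shell
     "allowedServices": ["dovecot"]},
]

# Filter quoted in the issue: every service requires objectClass=shellUser.
SHELL_ONLY = ("(&(objectClass=shellUser)(uid=$username)"
              "(|(allowedServices=$fqdn--$service)(allowedServices=$service)))")
# Hypothetical relaxed filter (assumption): shell class no longer required,
# only the per-host or global allowedServices grant decides.
PER_SERVICE = ("(&(uid=$username)"
               "(|(allowedServices=$fqdn--$service)(allowedServices=$service)))")


def parse_filter(text):
    """Parse an RFC 4515 filter (&, |, !, attr=value only) into a tuple tree."""
    pos = 0

    def parse():
        nonlocal pos
        assert text[pos] == "(", "filter components must be parenthesised"
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            kids = []
            while text[pos] == "(":
                kids.append(parse())
            assert text[pos] == ")", "unterminated compound filter"
            pos += 1
            return (op, kids)
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr, value)

    node = parse()
    assert pos == len(text), "trailing garbage after filter"
    return node


def matches(node, entry):
    """Evaluate a parsed filter against one entry (attribute names are case-insensitive)."""
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = next((v for a, v in entry.items() if a.lower() == attr.lower()), [])
    if value == "*":                 # presence filter
        return bool(values)
    return value in values


def authz_allowed(template, entries, **pam_vars):
    """Mimic pam_authz_search: substitute $username/$fqdn/$service, grant if any entry matches.

    Real nslcd escapes the substituted values for RFC 4515; this toy does not,
    so only plain alphanumeric values are fed in here.
    """
    filt = Template(template).substitute(pam_vars)
    tree = parse_filter(filt)
    return any(matches(tree, e) for e in entries)


if __name__ == "__main__":
    for who, host, svc in [("alice", "elwing.example.org", "minbif"),
                           ("alice", "orfeo.example.org", "minbif"),
                           ("bob", "orfeo.example.org", "dovecot")]:
        print(who, host, svc,
              "shell-only:", authz_allowed(SHELL_ONLY, ENTRIES, username=who, fqdn=host, service=svc),
              "per-service:", authz_allowed(PER_SERVICE, ENTRIES, username=who, fqdn=host, service=svc))
```

The host-qualified value `$fqdn--$service` is what lets one directory entry grant minbif on Elwing without granting it on Orfeo; the bare `$service` value is the host-independent grant. The shell-only template never reaches that check for bob, which is exactly the breakage reported above.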
Updated by Marc Dequènes over 6 years ago
- Status changed from In Progress to Resolved
- % Done changed from 70 to 100
This is now automated and the authz config is fixed.
The old `host` field is now unused.