PAM LDAP Rework
Most hosts are using nslcd to handle LDAP cache and authentication/authorization filters. It proved to be a better system and I wanted to use it everywhere but Elwing and Orfeo had services in need of special authorization filters and still use nss-ldap+pam-ldap+unscd.
Example of the minbif PAM config with
pam_ldap_minbif.conf containing specific LDAP filters:
auth requisite pam_ldap.so config=/etc/pam_ldap_minbif.conf account requisite pam_ldap.so config=/etc/pam_ldap_minbif.conf session optional pam_ldap.so config=/etc/pam_ldap_minbif.conf password requisite pam_ldap.so config=/etc/pam_ldap_minbif.conf use_authtok
pam_authz_search it is now possible to mix various variables and couple host+service names like this:
The goal is to improve the LDAP config to use these new values into
allowedServices instead and switch to nslcd. Then we can cleanup the whole config and distribute it via Ansible.
Also changes in the PAM common files introduced problems (see #349), which may open unwanted accesses, so this would also fix these problem as we would get back to
pam-auth-update management, as intended by the Debian package maintainers.
#4 Updated by Marc Dequènes over 1 year ago
- Status changed from New to In Progress
- % Done changed from 0 to 60
The changes in the `dc-ldap` role are done. Orfeo and Elwing are now using nslcd. The PAM config is cleaned up on all hosts.
Now I need to polish the config and deploy the shell servers tools and configs with Ansible.
#5 Updated by Marc Dequènes over 1 year ago
- % Done changed from 60 to 70
- Branch changed from pam_ldap_rework to pam_ldap_rework2
Properly separated login and SSH aspects.
objectClass=shellUser was fine on machine with only shell in mind, but now it is blocking non-shell users from accessing other services. Working on fixing this.