Enhancement #593: PAM LDAP Rework
Status: closed
Done: 100%
Description
Most hosts use nslcd to handle the LDAP cache and the authentication/authorization filters. It proved to be the better system and I wanted to use it everywhere, but Elwing and Orfeo have services that need special authorization filters and still use nss-ldap+pam-ldap+unscd.
Example of the minbif PAM config, with pam_ldap_minbif.conf containing the service-specific LDAP filters:

auth     requisite pam_ldap.so config=/etc/pam_ldap_minbif.conf
account  requisite pam_ldap.so config=/etc/pam_ldap_minbif.conf
session  optional  pam_ldap.so config=/etc/pam_ldap_minbif.conf
password requisite pam_ldap.so config=/etc/pam_ldap_minbif.conf use_authtok
With nslcd's pam_authz_search it is now possible to mix the various variables and couple host and service names like this:

pam_authz_search (&(objectClass=shellUser)(uid=$username)(|(allowedServices=$fqdn--$service)(allowedServices=$service)))
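To make the host+service coupling concrete, here is an added example (not nslcd's code and not from this ticket) that expands the filter above the way nslcd fills in $username, $fqdn and $service, evaluates it against constructed shellUser entries, and shows which (host, service) pairs each entry's allowedServices values grant. Hostnames and entries are made up.

```python
from string import Template

# The pam_authz_search filter from the ticket; nslcd substitutes
# $username, $fqdn and $service before sending it to the directory.
PAM_AUTHZ_SEARCH = ("(&(objectClass=shellUser)(uid=$username)"
                    "(|(allowedServices=$fqdn--$service)(allowedServices=$service)))")


def expand(template, username, fqdn, service):
    """Fill in the nslcd variables (values are used as-is here, unescaped)."""
    return Template(template).substitute(username=username, fqdn=fqdn, service=service)


def parse(s, i=0):
    """Parse the filter subset the ticket uses: (&...), (|...), (attr=value).
    Returns (node, index_after_node); node is ('and', kids), ('or', kids) or ('eq', attr, value)."""
    assert s[i] == "(", "filter must start with '('"
    i += 1
    if s[i] in "&|":
        op = "and" if s[i] == "&" else "or"
        i += 1
        children = []
        while s[i] == "(":
            node, i = parse(s, i)
            children.append(node)
        assert s[i] == ")", "unbalanced filter"
        return (op, children), i + 1
    j = s.index(")", i)
    attr, value = s[i:j].split("=", 1)
    return ("eq", attr, value), j + 1


def matches(node, entry):
    """Evaluate a parsed filter against an entry (dict attr -> list of values).
    Plain string equality; real matching rules depend on the attribute's schema."""
    if node[0] == "and":
        return all(matches(c, entry) for c in node[1])
    if node[0] == "or":
        return any(matches(c, entry) for c in node[1])
    _, attr, value = node
    return value in entry.get(attr, [])


def authorized(entry, username, fqdn, service):
    """True if the entry would satisfy pam_authz_search for this user, host and service."""
    node, _ = parse(expand(PAM_AUTHZ_SEARCH, username, fqdn, service))
    return matches(node, entry)


# Constructed sample entries (not the ticket's real directory data).
ALICE = {"objectClass": ["shellUser"], "uid": ["alice"],
         "allowedServices": ["elwing.example.org--minbif"]}  # minbif on Elwing only
BOB = {"objectClass": ["shellUser"], "uid": ["bob"],
       "allowedServices": ["sshd"]}                          # sshd on every host
```

The `$fqdn--$service` form restricts a service to one host, while a bare `$service` value grants it everywhere, so both styles can live in the same allowedServices attribute.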
The goal is to improve the LDAP config to use these new values in allowedServices instead and switch to nslcd. Then we can clean up the whole config and distribute it via Ansible.
Also, changes in the PAM common files introduced problems (see #349) which may open unwanted accesses, so this would also fix those problems, as we would go back to pam-auth-update management, as intended by the Debian package maintainers.