
Enhancement #593 (closed): PAM LDAP Rework

Added by Marc Dequènes over 6 years ago. Updated over 6 years ago.

Status: Resolved
Priority: Urgent
Category: Service :: IS / AAA / PKI
Start date: 2017-09-19
Due date:
% Done: 100%
Estimated time:
Patch Available:
Confirmed: No
Branch: pam_ldap_rework2
Entity: DuckCorp
Security: Yes
Help Needed:
Description

Most hosts are using nslcd to handle the LDAP cache and the authentication/authorization filters. It proved to be the better system and I wanted to use it everywhere, but Elwing and Orfeo had services in need of special authorization filters and still use nss-ldap + pam-ldap + unscd.

Example of the minbif PAM config with pam_ldap_minbif.conf containing specific LDAP filters:

auth            requisite       pam_ldap.so config=/etc/pam_ldap_minbif.conf
account         requisite       pam_ldap.so config=/etc/pam_ldap_minbif.conf
session         optional        pam_ldap.so config=/etc/pam_ldap_minbif.conf
password        requisite       pam_ldap.so config=/etc/pam_ldap_minbif.conf use_authtok

With nslcd's pam_authz_search it is now possible to mix various variables and couple host+service names like this:

pam_authz_search (&(objectClass=shellUser)(uid=$username)(|(allowedServices=$fqdn--$service)(allowedServices=$service)))

The goal is to improve the LDAP config to store these new values in allowedServices instead, and to switch to nslcd. Then we can clean up the whole config and distribute it via Ansible.
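The filter above only works as intended because every variable is substituted into a search that is also pinned to the requesting user. The following is an added illustration (not nslcd or DuckCorp code) that expands the ticket's pam_authz_search template the way nslcd does, evaluates the resulting RFC 4515 filter against a few constructed directory entries, and shows two checks worth keeping in mind: substituted values must be escaped so a crafted username cannot rewrite the filter, and a filter that omits uid=$username authorizes any user as soon as one entry matches. The hostnames, users and allowedServices values are constructed for the example.

```python
"""Simulate nslcd's pam_authz_search: expand the $variables in the search
template, then evaluate the resulting LDAP filter (RFC 4515 subset: &, |, !
and equality matches) against constructed directory entries.

Added example, not nslcd or DuckCorp code. Entries and hostnames are made up.
"""
import re

# The filter proposed in the ticket, verbatim.
AUTHZ_FILTER = ("(&(objectClass=shellUser)(uid=$username)"
                "(|(allowedServices=$fqdn--$service)(allowedServices=$service)))")

# Hypothetical weak variant: no uid=$username term, so the search succeeds for
# *any* requesting user as soon as some entry lists the service.
WEAK_FILTER = "(&(objectClass=shellUser)(allowedServices=$service))"

# Constructed directory: attribute -> list of values.
DIRECTORY = [
    {"uid": ["alice"], "objectClass": ["inetOrgPerson", "shellUser"],
     "allowedServices": ["elwing.duckcorp.org--minbif", "sshd"]},
    {"uid": ["bob"], "objectClass": ["inetOrgPerson", "shellUser"],
     "allowedServices": ["orfeo.duckcorp.org--minbif"]},
    {"uid": ["carol"], "objectClass": ["inetOrgPerson"],   # not a shellUser
     "allowedServices": ["minbif"]},
]


def ldap_escape(value):
    """RFC 4515 escaping for a value substituted into a filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\0" else ch for ch in value)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def expand(template, variables):
    """Replace $name placeholders with escaped values (KeyError if unknown)."""
    return re.sub(r"\$(\w+)", lambda m: ldap_escape(variables[m.group(1)]), template)


def _parse(s, i):
    """Parse one parenthesised filter component starting at s[i]."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return (op, kids), i + 1
    # Equality match: because substituted values are escaped, the first
    # literal ')' really is the end of this component.
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")
    return ("=", attr, _unescape(value)), end + 1


def parse_filter(s):
    """Parse an RFC 4515 filter into a tuple tree."""
    node, pos = _parse(s, 0)
    if pos != len(s):
        raise ValueError("trailing data after filter")
    return node


def matches(node, entry):
    """Evaluate a parsed filter against one entry (case-insensitive equality)."""
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    return any(v.lower() == value.lower() for v in entry.get(attr, []))


def authorized(username, fqdn, service, directory=DIRECTORY, template=AUTHZ_FILTER):
    """True if the expanded search returns at least one entry, which is the
    condition under which pam_authz_search grants access."""
    filt = expand(template, {"username": username, "fqdn": fqdn, "service": service})
    tree = parse_filter(filt)
    return any(matches(tree, e) for e in directory)


if __name__ == "__main__":
    for user, host, svc in [("alice", "elwing.duckcorp.org", "minbif"),
                            ("alice", "orfeo.duckcorp.org", "minbif"),
                            ("alice", "orfeo.duckcorp.org", "sshd"),
                            ("alice)(uid=bob", "elwing.duckcorp.org", "minbif"),
                            ("mallory", "elwing.duckcorp.org", "sshd")]:
        print(user, host, svc, "->", authorized(user, host, svc),
              "(weak filter:", authorized(user, host, svc, template=WEAK_FILTER), ")")
```

Run it as a script to see, per line, the decision under the ticket's filter beside the decision under the weak variant: alice is allowed minbif only on elwing but sshd everywhere, the injected username is treated as an ordinary (non-existent) uid, and mallory, who has no entry at all, is still let in by the variant that forgot uid=$username.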

Also, changes in the PAM common files introduced problems (see #349) which may open unwanted access, so this would also fix these problems, as we would get back to pam-auth-update management, as intended by the Debian package maintainers.


Related issues (1 closed, 0 open)

Related to DuckCorp Infrastructure - Bug #349: pam-auth-update activated LDAP in common non-ldap configurations (Rejected, 2014-09-10)
