Hi:
I have a doubt about how OS level authentication against an LDAP server could work, so I hope someone can point me to a solution.
If I have a lot of users in a Linux box with a common prefix in their usernames like these:
- prejvoorhees
- premjackson
- presjobs
- prebgates
- pretcruise
...
As you can see, all these have the prefix "pre" before its real username (jvoorhees, mjackson, sjobs, bgates, tcruis, etc.). I also have an OpenLDAP server with a users directory tree whose usernames are the same but without "pre", I mean they are jvoorhees, mjackson, sjobs, bgates, tcruis, etc.
So what I'd like to do is configure my Linux box (ldap client) so it can authenticate against the OpenLDAP server in this way:
- username prebgates authenticates with bgates in LDAP server.
- username pretcruise authenticates with tcruise in LDAP server.
- username prejvoorhees authenticates with jvoorhees in LDAP server.
...
Is this possible to do? Can I make a rule to suppress the "pre" prefix before authentication against LDAP? If yes, where should I make this "rule": in the Linux box (ldap client) or in the LDAP Server?
I hope someone has any idea about this topic.
Thanks in advance.
Bye
On Thu, 27 Jun 2013, Jason Voorhees wrote:
> As you can see, all these have the prefix "pre" before its real username (jvoorhees, mjackson, sjobs, bgates, tcruis, etc.). I also have an OpenLDAP server with a users directory tree whose usernames are the same but without "pre", I mean they are jvoorhees, mjackson, sjobs, bgates, tcruis, etc. [...] Is this possible to do? Can I make a rule to suppress the "pre" prefix before authentication against LDAP? If yes, where should I make this "rule": in the Linux box (ldap client) or in the LDAP Server?
You might be able to use some slapo-rwm(5) rules to change all "uid=preXXX,..." into "uid=XXX,..." server-side. To my eye this looks sort of evil and might violate the principle of least surprise. In particular, if you're Linux-specific, perhaps you could look into pam_regex which is designed for this sort of use case.
Another possibility might be "splitting the difference," running the slapo-rwm(5) rules inside of a local slapd(8), perhaps accessed via nssov, and keeping an upstream LDAP server without this mess.
I'd suggest you build a test environment, try all your options out and see what sticks...
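As an added illustration of the "splitting the difference" option above (example configuration written for this thread, not taken from the thread itself or from the OpenLDAP project), here is a slapd.conf fragment for a local proxy slapd(8) that forwards to the upstream server with back-ldap and uses slapo-rwm(5) to strip the "pre" prefix before the request leaves the box. The suffix dc=example,dc=com, the ou=people container, the upstream URI and the moduleload lines are assumptions; adjust them to the real tree.

```conf
# Added example, not from the thread: local proxy slapd.conf fragment.
# Assumed: modular build (moduleload), suffix dc=example,dc=com,
# users under ou=people, upstream server ldap-upstream.example.com.
moduleload  back_ldap.la
moduleload  rwm.la

database    ldap
suffix      "dc=example,dc=com"
uri         "ldap://ldap-upstream.example.com/"

overlay     rwm
rwm-rewriteEngine on

# Bind DNs: the client binds as uid=prebgates,...; the proxy binds upstream
# as uid=bgates,... with the password the client supplied.
# ":@" means stop processing rules in this context once one matches.
rwm-rewriteContext bindDN
rwm-rewriteRule "^uid=pre([^,]+),ou=people,dc=example,dc=com$" "uid=$1,ou=people,dc=example,dc=com" ":@"

# Search filters from the client's user lookup: (uid=prebgates) -> (uid=bgates).
# Brackets are used instead of backslash escapes to avoid config-file quoting issues.
rwm-rewriteContext searchFilter
rwm-rewriteRule "[(]uid=pre([^)]+)[)]" "(uid=$1)" ":@"
```

Two things to check in the lab before trusting this: the bindDN rule anchors on the full DN, so a bind as uid=bgates (no prefix) still works unchanged, which is exactly the "least surprise" concern raised above, since two local names then map to one upstream identity. And slapo-rwm rewrites DNs and filters, not the values of ordinary attributes, so an entry found via (uid=prebgates) still comes back with uid: bgates; name-service lookups through nss-pam-ldapd or nssov will therefore see the unprefixed name, which is one reason a client-side module such as pam_regex can be the simpler fit when only PAM authentication needs the mapping.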
Thanks a lot, I'll check these ideas and try to test them in a lab environment.
Bye
On Thu, Jun 27, 2013 at 4:09 PM, Aaron Richton richton@nbcs.rutgers.edu wrote:
> On Thu, 27 Jun 2013, Jason Voorhees wrote:
> > As you can see, all these have the prefix "pre" before its real username (jvoorhees, mjackson, sjobs, bgates, tcruis, etc.). I also have an OpenLDAP server with a users directory tree whose usernames are the same but without "pre", I mean they are jvoorhees, mjackson, sjobs, bgates, tcruis, etc. [...]
> > Is this possible to do? Can I make a rule to suppress the "pre" prefix before authentication against LDAP? If yes, where should I make this "rule": in the Linux box (ldap client) or in the LDAP Server?
> You might be able to use some slapo-rwm(5) rules to change all "uid=preXXX,..." into "uid=XXX,..." server-side. To my eye this looks sort of evil and might violate the principle of least surprise. In particular, if you're Linux-specific, perhaps you could look into pam_regex which is designed for this sort of use case.
> Another possibility might be "splitting the difference," running the slapo-rwm(5) rules inside of a local slapd(8), perhaps accessed via nssov, and keeping an upstream LDAP server without this mess.
> I'd suggest you build a test environment, try all your options out and see what sticks...
openldap-technical@openldap.org