• Serving Up /etc/passwd & Friends Through LDAP

    From Lawrence D'Oliveiro@21:1/5 to All on Sun May 26 21:52:41 2024
    OpenLDAP comes with a “slapd-passwd” backend that serves up the
    information in the system /etc/passwd file through LDAP. However, it
    is extremely limited: it doesn’t include /etc/group, or the actual
    password information in /etc/shadow, so it can’t be used for much more
    than “demonstration purposes only”, as per the man page.

    So I wrote a better backend, which serves up all this user/group
    information through LDAP <https://bitbucket.org/ldo17/serve_passwd>.
    The conversion is modelled on the “migrationtools” package
    <https://gitlab.com/future-ad-laboratory/migrationtools>, so it should
    be similarly useful, except it is “live”: changes to those files will
    be served up as they happen.

    The backend itself needs to run as root, so it can read /etc/shadow.
    Access to the information from this file is controlled by specifying a
    special base DN: only clients authenticating via DNs with this suffix
    will be shown the shadow information (or can use it for searching).
    All clients are able to see the contents of /etc/passwd and
    /etc/group.

    Access to all of /etc/{passwd,group,shadow} is read-only for now. Maybe
    I might feel brave enough to offer write access in the future.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
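
An added Python sketch of the access rule described in the post above (it is not code from serve_passwd): passwd and shadow lines are mapped to RFC 2307 style entries, and shadow attributes are shown to, and searchable by, only clients whose bind DN ends in a privileged suffix. The base DNs, function names and sample records are constructed assumptions; the suffix test compares whole RDNs because a raw string `endswith` would accept look-alike DNs.

```python
# Added illustration, not code from serve_passwd. Base DNs and sample
# records below are constructed assumptions.
PEOPLE_BASE = "ou=People,dc=example,dc=com"
PRIVILEGED_SUFFIX = "ou=Privileged,dc=example,dc=com"
PASSWD = "alice:x:1000:1000:Alice Example:/home/alice:/bin/bash\n"
SHADOW = "alice:$6$constructedsalt$constructedhash:19800:0:99999:7:::\n"
SHADOW_ATTRS = ("userPassword", "shadowLastChange", "shadowMin", "shadowMax",
                "shadowWarning", "shadowInactive", "shadowExpire")

def split_dn(dn):
    """Split a DN into lower-cased RDNs, keeping backslash-escaped commas."""
    rdns, cur, esc = [], "", False
    for ch in dn:
        if ch == "," and not esc:
            rdns.append(cur)
            cur = ""
        else:
            cur += ch
        esc = (ch == "\\") and not esc
    rdns.append(cur)
    return [r.strip().lower() for r in rdns]

def dn_has_suffix(dn, suffix):
    """True only if suffix matches whole trailing RDNs, not raw characters."""
    d, s = split_dn(dn), split_dn(suffix)
    return len(d) >= len(s) and d[-len(s):] == s

def build_entries(passwd_text, shadow_text):
    """Map passwd/shadow lines to RFC 2307 style entries keyed by DN."""
    shadow = {f[0]: f for f in (l.split(":") for l in shadow_text.splitlines())}
    entries = {}
    for line in passwd_text.splitlines():
        name, _, uid, gid, gecos, home, shell = line.split(":")
        e = {"objectClass": ["top", "account", "posixAccount"], "uid": [name],
             "cn": [gecos.split(",")[0] or name], "uidNumber": [uid],
             "gidNumber": [gid], "homeDirectory": [home], "loginShell": [shell]}
        if name in shadow:
            e["objectClass"].append("shadowAccount")
            e["userPassword"] = ["{crypt}" + shadow[name][1]]
            for attr, val in zip(SHADOW_ATTRS[1:], shadow[name][2:8]):
                if val:
                    e[attr] = [val]
        entries[f"uid={name},{PEOPLE_BASE}"] = e
    return entries

def view_for(bind_dn, entry):
    """Return the entry as this client may see it."""
    if dn_has_suffix(bind_dn, PRIVILEGED_SUFFIX):
        return entry
    return {k: v for k, v in entry.items() if k not in SHADOW_ATTRS}

def search(bind_dn, entries, attr, value):
    """Equality search on the redacted view, so hidden attributes cannot be probed."""
    return [dn for dn, e in entries.items()
            if value in view_for(bind_dn, e).get(attr, [])]
```
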
  • From Lawrence D'Oliveiro@21:1/5 to All on Sat Jun 22 03:31:47 2024
    On Sun, 26 May 2024 21:52:41 -0000 (UTC), I wrote:

    > So I wrote a better backend, which serves up all this user/group
    > information through LDAP <https://bitbucket.org/ldo17/serve_passwd>.

    I have added a new feature, the option to serve up the contents of
    /etc/shells. This is sometimes used to control user access to various
    services, but there seems to be no LDAP-standard way of serving it up. So
    I bodged something together, in the form of a special posixAccount record
    with a distinctive DN and a multivalued loginShell attribute.
