Subject: Serving Up /etc/passwd & Friends Through LDAP
From: Lawrence D'Oliv
Newsgroups: comp.misc
Organization: A noiseless patient Spider
Date: Sun, 26 May 2024 21:52 UTC
Path: eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: ldo@nz.invalid (Lawrence D'Oliveiro)
Newsgroups: comp.misc
Subject: Serving Up /etc/passwd & Friends Through LDAP
Date: Sun, 26 May 2024 21:52:41 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 22
Message-ID: <v30av8$3k5i4$1@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Injection-Date: Sun, 26 May 2024 23:52:41 +0200 (CEST)
Injection-Info: dont-email.me; posting-host="db0859b5b26af429e8495bc3eac00fa9";
logging-data="3806788"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1/7yqp5gj9XG76pFHy7NOax"
User-Agent: Pan/0.158 (Avdiivka; )
Cancel-Lock: sha1:JOVsig2KHAoYsydjY/vP3qaYc2o=

OpenLDAP comes with a “slapd-passwd” backend that serves up the
information in the system /etc/passwd file through LDAP. However, it
is extremely limited: it doesn’t include /etc/group, or the actual
password information in /etc/shadow, so it can’t be used for much more
than “demonstration purposes only”, as per the man page.

So I wrote a better backend, which serves up all this user/group
information through LDAP <https://bitbucket.org/ldo17/serve_passwd>.
The conversion is modelled on the “migrationtools” package
<https://gitlab.com/future-ad-laboratory/migrationtools>, so it should
be similarly useful, except it is “live”: changes to those files will
be served up as they happen.

The backend itself needs to run as root, so it can read /etc/shadow.
Access to the information from this file is controlled by specifying a
special base DN: only clients authenticating via DNs with this suffix
will be shown the shadow information (or can use it for searching).
All clients are able to see the contents of /etc/passwd and
/etc/group.

Access to all of /etc/{passwd,group,shadow} is readonly for now. Maybe
I might feel brave enough to offer write access in the future.
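The post above describes the design (passwd/group/shadow mapped onto LDAP entries the way migrationtools does, with the shadow data gated on the suffix of the client's bind DN) without showing it. The following is an added example written for this page, not code from the serve_passwd backend, and it does not claim the backend's language, DN layout or attribute choices: Python, the `dc=example,dc=com` base, the `ou=People` / `ou=Group` containers, the privileged base DN `ou=shadow,dc=example,dc=com` and the sample files (with placeholder hashes) are all assumptions. It goes one step past the post by also refusing search filters on shadow attributes to unprivileged binds, since hiding the hash from results is not enough if a client can still test guesses through `(userPassword=...)` filters.

```python
"""Added example (not the serve_passwd backend's own code): map constructed
/etc/passwd, /etc/group and /etc/shadow lines to LDAP entries the way
migrationtools does, and expose shadowAccount data only to binds under an
assumed privileged base DN."""

# --- constructed sample files; the hashes are placeholders, not real ---
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice Example:/home/alice:/bin/bash
svc:x:998:998::/var/lib/svc:/usr/sbin/nologin
"""
GROUP = """\
root:x:0:
alice:x:1000:
wheel:x:10:alice,root
"""
SHADOW = """\
root:$6$saltsalt$fakehashfakehash:19874:0:99999:7:::
alice:$6$saltsalt$anotherfakehash:19874:0:99999:7:::
svc:*:19874:0:99999:7:::
"""

BASE_DN = "dc=example,dc=com"              # assumed suffix
PRIVILEGED_SUFFIX = "ou=shadow," + BASE_DN  # assumed name for the special base DN

SHADOW_ATTRS = {"userPassword", "shadowLastChange", "shadowMin", "shadowMax",
                "shadowWarning", "shadowInactive", "shadowExpire", "shadowFlag"}
SHADOW_FIELDS = ("shadowLastChange", "shadowMin", "shadowMax", "shadowWarning",
                 "shadowInactive", "shadowExpire", "shadowFlag")


def _lines(text):
    for line in text.splitlines():
        if line and not line.startswith("#"):
            yield line


def parse_passwd(text):
    users = {}
    for line in _lines(text):
        name, _pw, uid, gid, gecos, home, shell = line.split(":", 6)
        users[name] = {"uid": uid, "gid": gid, "gecos": gecos, "home": home, "shell": shell}
    return users


def parse_group(text):
    groups = {}
    for line in _lines(text):
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = {"gid": gid, "members": [m for m in members.split(",") if m]}
    return groups


def parse_shadow(text):
    shadow = {}
    for line in _lines(text):
        fields = line.split(":")
        # name, hash, then the seven ageing fields (any of which may be empty)
        shadow[fields[0]] = {"hash": fields[1], **dict(zip(SHADOW_FIELDS, fields[2:9]))}
    return shadow


def build_entries(users, groups, shadow):
    """DN -> {attribute: [values]} in migrationtools' ou=People / ou=Group layout."""
    entries = {}
    for name, u in users.items():
        attrs = {
            "objectClass": ["top", "account", "posixAccount", "shadowAccount"],
            "uid": [name], "cn": [name],
            "uidNumber": [u["uid"]], "gidNumber": [u["gid"]],
            "homeDirectory": [u["home"]], "loginShell": [u["shell"]],
        }
        if u["gecos"]:
            attrs["gecos"] = [u["gecos"]]
        s = shadow.get(name)
        if s:
            attrs["userPassword"] = ["{crypt}" + s["hash"]]
            for f in SHADOW_FIELDS:
                if s[f]:
                    attrs[f] = [s[f]]
        entries[f"uid={name},ou=People,{BASE_DN}"] = attrs
    for name, g in groups.items():
        attrs = {"objectClass": ["top", "posixGroup"], "cn": [name], "gidNumber": [g["gid"]]}
        if g["members"]:
            attrs["memberUid"] = list(g["members"])
        entries[f"cn={name},ou=Group,{BASE_DN}"] = attrs
    return entries


def _norm(dn):
    return ",".join(p.strip().lower() for p in dn.split(","))


def may_see_shadow(bind_dn):
    """Anonymous binds never qualify; otherwise the bind DN must sit below the suffix.
    The leading comma stops ou=notshadow,... from matching ou=shadow,..."""
    if not bind_dn:
        return False
    return _norm(bind_dn).endswith("," + _norm(PRIVILEGED_SUFFIX))


def search(entries, bind_dn, attr, value):
    """Equality search.  Unprivileged binds get no shadow attributes back and
    may not filter on them either, so hashes cannot be probed via filters."""
    privileged = may_see_shadow(bind_dn)
    if attr in SHADOW_ATTRS and not privileged:
        return []
    hits = []
    for dn, attrs in entries.items():
        if value in attrs.get(attr, []):
            visible = attrs if privileged else {k: v for k, v in attrs.items() if k not in SHADOW_ATTRS}
            hits.append((dn, visible))
    return hits


if __name__ == "__main__":
    db = build_entries(parse_passwd(PASSWD), parse_group(GROUP), parse_shadow(SHADOW))
    for who in (None, "cn=app,ou=Apps," + BASE_DN, "cn=sssd," + PRIVILEGED_SUFFIX):
        print(who, sorted(search(db, who, "uid", "alice")[0][1]))
```

Attribute names are compared case-sensitively here, which real LDAP does not do; a backend would normalise them before the `SHADOW_ATTRS` check, otherwise `USERPASSWORD=` slips past the gate.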

Subject: Re: Serving Up /etc/passwd & Friends Through LDAP
From: Lawrence D'Oliv
Newsgroups: comp.misc
Organization: A noiseless patient Spider
Date: Sat, 22 Jun 2024 03:31 UTC
References: 1
Path: eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: ldo@nz.invalid (Lawrence D'Oliveiro)
Newsgroups: comp.misc
Subject: Re: Serving Up /etc/passwd & Friends Through LDAP
Date: Sat, 22 Jun 2024 03:31:47 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 10
Message-ID: <v55gj2$3j0mo$1@dont-email.me>
References: <v30av8$3k5i4$1@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Injection-Date: Sat, 22 Jun 2024 05:31:47 +0200 (CEST)
Injection-Info: dont-email.me; posting-host="e2ad63ef29eb171d8254bd46738c313e";
logging-data="3769048"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX19LsHG0JzsFEkgLBYZKw+u3"
User-Agent: Pan/0.158 (Avdiivka; )
Cancel-Lock: sha1:djfWEsnAxpkJkwh3cLVSKSf3mgo=

On Sun, 26 May 2024 21:52:41 -0000 (UTC), I wrote:

> So I wrote a better backend, which serves up all this user/group
> information through LDAP <https://bitbucket.org/ldo17/serve_passwd>.

I have added a new feature, the option to serve up the contents of
/etc/shells. This is sometimes used to control user access to various
services, but there seems to be no LDAP-standard way of serving it up. So
I bodged something together, in the form of a special posixAccount record
with a distinctive DN and a multivalued loginShell attribute.
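The follow-up describes the /etc/shells record only in outline: one posixAccount entry with a distinctive DN whose loginShell attribute carries every permitted shell. The following is an added example written for this page, not the backend's own code; the DN `cn=shells,ou=Misc,dc=example,dc=com`, the filler values needed because posixAccount makes uid, cn, uidNumber, gidNumber and homeDirectory mandatory, and the sample /etc/shells are all assumptions. It shows the record as LDIF and the check a service would make against it in place of getusershell(3).

```python
"""Added example (not the serve_passwd backend's own code): the /etc/shells
pseudo-entry from the follow-up post, with an assumed DN and assumed filler
for the attributes posixAccount requires, plus the allowed-shell check."""

SHELLS = """\
# /etc/shells: valid login shells (constructed sample)
/bin/sh
/bin/bash

/usr/bin/zsh
/bin/bash
"""

BASE_DN = "dc=example,dc=com"               # assumed
SHELLS_DN = f"cn=shells,ou=Misc,{BASE_DN}"  # assumed "distinctive DN"


def parse_shells(text):
    """Mirror getusershell(3): skip blank and comment lines, keep order, drop duplicates."""
    shells = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and line not in shells:
            shells.append(line)
    return shells


def shells_entry(shells):
    """posixAccount requires uid, cn, uidNumber, gidNumber and homeDirectory, so
    the pseudo-entry carries filler; the ids are assumed values chosen not to
    collide with any real account, because a client that enumerates
    (objectClass=posixAccount) will see this entry as a user."""
    return {
        "objectClass": ["top", "account", "posixAccount"],
        "uid": ["shells"], "cn": ["shells"],
        "uidNumber": ["4294967294"], "gidNumber": ["4294967294"],  # assumed filler
        "homeDirectory": ["/nonexistent"],
        "loginShell": list(shells),  # the payload: one value per permitted shell
    }


def to_ldif(dn, attrs):
    out = ["dn: " + dn]
    for attr, values in attrs.items():
        out.extend(f"{attr}: {v}" for v in values)
    return "\n".join(out) + "\n"


def shell_allowed(entry, shell):
    """What ftpd or chsh would ask of /etc/shells: exact path match, no normalisation."""
    return shell in entry.get("loginShell", [])


if __name__ == "__main__":
    entry = shells_entry(parse_shells(SHELLS))
    print(to_ldif(SHELLS_DN, entry))
    print(shell_allowed(entry, "/bin/bash"), shell_allowed(entry, "/usr/sbin/nologin"))
```

A consumer should fetch this entry by its exact DN (base scope) rather than by filter, and any client that walks all posixAccount entries should exclude it by DN, or the pseudo-user turns up in getpwent-style listings.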
