OpenLDAP gidNumber and uidNumber - Linux

I'm trying to set up an OpenLDAP server and client on Linux (CentOS). After searching around a bit, my understanding is that gidNumber and uidNumber work like uid and gid on Unix, to identify a unique user and group. My questions are:
Is there a relationship between these LDAP and Linux IDs? Should the LDAP ones be the same as a user's uid/gid on Linux (if I already have such a user on the server host)?
If not, after a client authenticates a user and the user creates a file on the client host, what would the Linux user/group ownership of the file look like?
Thanks

Yes, and therefore
Not applicable.
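
As an added illustration of the "yes" above (this is not code from the original question or answer): the uidNumber and gidNumber carried by an LDAP entry are the very numbers the kernel stores as the owner of a file, so they share one number space with the ids in local /etc/passwd and /etc/group. The script below works on constructed LDIF and local account data; it flags an LDAP user whose uidNumber is already held by a differently named local account, and shows what ls -l would print for a file that user creates, depending on whether the client's nsswitch.conf consults LDAP or only local files. All names and numbers in the sample data are made up for the example.

```python
"""Added example, not code from the original question or answer: line up the
uidNumber/gidNumber values of LDAP posixAccount/posixGroup entries with a
host's local /etc/passwd and /etc/group, flag numeric collisions, and show the
owner/group that `ls -l` would print for a file created by an LDAP user.
All LDIF and account data below is constructed sample input."""
import re

SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: alice
uidNumber: 10001
gidNumber: 10001

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: bob
uidNumber: 1000
gidNumber: 100

dn: cn=alice,ou=Group,dc=example,dc=com
objectClass: posixGroup
cn: alice
gidNumber: 10001
"""

# Constructed local files on the client host: uid/gid 1000 already belong to
# a local account named carlos, and gid 100 is the local "users" group.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
carlos:x:1000:1000:Carlos:/home/carlos:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
carlos:x:1000:
users:x:100:
"""


def parse_ldif(text):
    """Return ({uid: (uidNumber, gidNumber)}, {gidNumber: cn}) from LDIF text."""
    accounts, groups = {}, {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                attrs.setdefault(key.strip(), []).append(value.strip())
        classes = attrs.get("objectClass", [])
        if "posixAccount" in classes:
            accounts[attrs["uid"][0]] = (int(attrs["uidNumber"][0]),
                                         int(attrs["gidNumber"][0]))
        if "posixGroup" in classes:
            groups[int(attrs["gidNumber"][0])] = attrs["cn"][0]
    return accounts, groups


def parse_id_file(text):
    """Map numeric id -> name for /etc/passwd or /etc/group ("name:x:id:...")."""
    ids = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            ids[int(fields[2])] = fields[0]
    return ids


def find_collisions(ldap_accounts, local_passwd):
    """LDAP users whose uidNumber is already held by a differently named local user."""
    return {name: (num, local_passwd[num])
            for name, (num, _gid) in ldap_accounts.items()
            if num in local_passwd and local_passwd[num] != name}


def display_ownership(uid, gid, passwd_sources, group_sources):
    """Mimic an NSS lookup: the file carries only numbers, and `ls -l` asks each
    configured source (here: ordered dicts) for a name. The first source that
    knows the id wins; unknown ids are shown numerically, which is what you see
    on a client whose nsswitch.conf does not consult LDAP."""
    def lookup(num, sources):
        for src in sources:
            if num in src:
                return src[num]
        return str(num)
    return lookup(uid, passwd_sources), lookup(gid, group_sources)


def demo():
    accounts, ldap_groups = parse_ldif(SAMPLE_LDIF)
    local_passwd = parse_id_file(SAMPLE_PASSWD)
    local_group = parse_id_file(SAMPLE_GROUP)
    ldap_passwd = {num: name for name, (num, _gid) in accounts.items()}
    results = {"collisions": find_collisions(accounts, local_passwd)}
    for user, (uid, gid) in accounts.items():
        # "files ldap" order as in nsswitch.conf, versus "files" only
        results[user + "/files+ldap"] = display_ownership(
            uid, gid, [local_passwd, ldap_passwd], [local_group, ldap_groups])
        results[user + "/files-only"] = display_ownership(
            uid, gid, [local_passwd], [local_group])
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The bob entry is the case to avoid: his file would show up as owned by the local user carlos on any host where uid 1000 is taken, because both identities resolve to the same number. Keeping LDAP uidNumber/gidNumber values in a range no local account uses (and the same range on every host) is what makes the ownership unambiguous.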

Related

OpenLDAP multiple UID for single username

We are in a situation where we have deployed OpenLDAP. Now we want to use it for a number of platforms as single sign-on. The issue is that we have 3 platforms: GitLab, Taiga and Nextcloud. On all three platforms a person has a different username/uid.
Is it possible to create a username and set a number of possible uids for that username? For example, can a user "atest" also log in with "testa"?
Please advise.
I tried to rename usernames in Nextcloud, but that is officially impossible, so LDAP should have this capability, I think.

Cygwin user name without domain

I am working on a Windows machine that is maintained by our IT department. My user account me lives in a domain dom, which leads to my Cygwin user name being dom+me. This is inconvenient because my user name is just me on all other machines that I want to talk to with ssh and so on. Is there a way to remove or hide the dom+ part from Cygwin?
Some additional details: my Cygwin home directory is /home/me, so that part is fine. whoami replies dom+me, and ssh asks for dom+me's password if I do not specify a user name.
ssh can be told to override the default user name by adding the following lines to the file ~/.ssh/config:
Host *
User me
Afterwards, ssh and scp use the default user name me.

how to get the user's domain information in samba

BG: I have built Samba on Red Hat Linux and shared a folder, then accessed the shared folder from Windows.
As shown below, the connection information can be obtained via the command "smbstatus":
[root@Redhat6 pam.d]# smbstatus
Samba version 3.5.10-125.el6
PID Username Group Machine
-------------------------------------------------------------------
8303 leon domain users win0832mc (::ffff:10.204.176.73)
We can get the user and the group of the domain; then how do we get the domain information?
Could you please help me with this? Thanks.
The user name shown by smbstatus is the name of the local user, not the user which connected to the share. The original name might have already been transformed with the help of the 'username map' option in smb.conf.
Supposedly, you have a one-to-one name mapping between incoming users and local POSIX users. In this case you can use 'wbinfo --uid-to-sid leon' to get the Security Identifier (SID) of the user 'leon', and as the next step do 'wbinfo --sid-to-fullname sid' to convert the SID to the fully qualified user name (DOMAIN\user).
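
As an added example (not code from the original question or answer) of the point made in the answer: smbstatus shows the local POSIX name after any 'username map' rewriting, so the domain name has to be recovered from somewhere else. The script below parses the smbstatus table shown above and reverses a 'username map' file (lines of the form "unixname = incoming names") to list which incoming DOMAIN\user names can land on a given local user. The smbstatus text and the map file are constructed sample data, and "MYDOM" and "leon.smith" are assumed names, not values from the question.

```python
"""Added example, not from the original question or answer: parse the
smbstatus connection table and use a reversed "username map" file to recover
which incoming (domain) name was mapped onto the local POSIX user.
The smbstatus text and the map file contents are constructed sample data;
"MYDOM" and "leon.smith" are assumed names."""
import re

SMBSTATUS_OUTPUT = """\
Samba version 3.5.10-125.el6
PID     Username      Group         Machine
-------------------------------------------------------------------
8303      leon         domain users  win0832mc    (::ffff:10.204.176.73)
"""

# Constructed "username map" file: each line reads "unixname = incoming names".
USERNAME_MAP = r"""
# unix user  =  one or more incoming names
leon = MYDOM\leon.smith
nobody = guest pcguest
"""

# pid, local user, group (may contain spaces), machine, (address)
CONN_RE = re.compile(r"^(\d+)\s+(\S+)\s+(.+?)\s+(\S+)\s+\((\S+)\)\s*$")


def parse_smbstatus(text):
    """Return one dict per connection line; the banner and header do not match."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue
        pid, user, group, machine, addr = m.groups()
        if addr.startswith("::ffff:"):   # IPv4-mapped IPv6 form as printed above
            addr = addr[len("::ffff:"):]
        conns.append({"pid": int(pid), "user": user, "group": group,
                      "machine": machine, "ip": addr})
    return conns


def parse_username_map(text):
    """Return {unixname: [incoming names]} from username-map syntax.
    A leading "!" (stop processing after a match) is stripped from the unix name."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        unix, _, incoming = line.partition("=")
        unix = unix.strip().lstrip("!")
        mapping.setdefault(unix, []).extend(incoming.split())
    return mapping


def split_domain(name):
    """'DOMAIN\\user' -> ('DOMAIN', 'user'); a bare name has an empty domain."""
    domain, sep, user = name.partition("\\")
    return (domain, user) if sep else ("", name)


def connections_with_origin(status_text, map_text):
    """Attach the possible incoming names and their domains to each connection."""
    mapping = parse_username_map(map_text)
    out = []
    for conn in parse_smbstatus(status_text):
        incoming = mapping.get(conn["user"], [])
        domains = sorted({split_domain(n)[0] for n in incoming if split_domain(n)[0]})
        out.append(dict(conn, mapped_from=incoming, domains=domains))
    return out


if __name__ == "__main__":
    for conn in connections_with_origin(SMBSTATUS_OUTPUT, USERNAME_MAP):
        print(conn)
```

The reversed map only tells you which incoming names could have become 'leon'; if several map onto one local user, the smbstatus line alone cannot say which one connected, which is why the answer points at winbind (wbinfo) for an authoritative SID-to-name lookup.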

Different password for SSH and Session(KDE, Gnome, etc.)

I use a Debian-based OS here at work and I've configured the service for the test routines of an ERP app...
This service (Tomcat+Java service) is consumed via HTTP on the intranet correctly... but the test leader sometimes needs to change the database used by the service application and uses SSH to access my machine to change the database in the config file and restart the service... eventually this person changes some service or OS config, causing problems for me (on my OS and other things..).
What I want to know is whether I can change my password only for the SSH service (without changing it for my KDE/Gnome session), because the company's policy requires everyone to have a default password on workstations...
Remembering that I'm the manager of config, maintenance and other jobs of the service for the test team... and database change requests can be made to me.
A simple example:
KDE login with user 'carlos' and password '123456'
SSH login with user 'carlos' and password '4nyJokeHere'
Is that possible?
Thanks in advance.
Possible? Maybe. You'd probably have to fiddle with pam.d to get SSH authenticating via a different mechanism to KDE etc.
Coming from a different angle, I may be missing something, can you not create a second user for the SSH process, keeping your main user for KDE etc cleanly separate?
I'd really strongly recommend trying to "split" a user into multiple purposes/security groups with differing passwords for each!
You can use authorized_keys to restrict the SSH commands available, and/or sudo...
Update: Some expansion on the subject as requested by the OP
You can limit commands available via SSH by using the ~/.ssh/authorized_keys file - see O'Reilly for a good explanation.
I solved this case by applying a single rule. On the SSH service I locked out access for my user 'carlos --> sudoers' and enabled access only for a user called 'padrao' (padrao translated to English is 'default').
This user 'padrao' doesn't have sudoers permissions. If I need to access my machine with SSH I do:
ssh padrao@my.intranet.machine
password: ***
$ su carlos
password: ***
This is not the best way to solve it, but it solved my problem here.
Thanks.
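
The accepted-style answer above suggests restricting what an SSH login can do via authorized_keys options rather than juggling two passwords. As an added example (not code from any of the posters), the script below parses an authorized_keys file, including quoted command= values that contain spaces and commas, and reports the keys that carry neither command= nor restrict, i.e. the ones that still grant an unrestricted shell. The file contents are constructed sample data and the key material is not real.

```python
"""Added example, not from the original answers: parse an authorized_keys
file and report which keys have no command= or restrict option, i.e. keys
that grant an unrestricted shell. The file contents below are constructed
sample data; the key material is not real."""

SAMPLE_AUTHORIZED_KEYS = """\
# constructed ~/.ssh/authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyMaterial0001 tester@laptop
command="/usr/local/bin/switch-db.sh test",no-pty,no-port-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyMaterial0002 tester@laptop-restricted
restrict,command="/bin/true" ssh-rsa AAAAB3NzaC1yc2EConstructedKeyMaterial0003 auditor
"""

# A line without options starts directly with the key type.
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def _split(text, separators):
    """Split on any of `separators` outside double quotes, honouring
    backslash escapes inside quotes (the authorized_keys quoting rules)."""
    fields, cur, quoted, esc = [], [], False, False
    for ch in text:
        if esc:
            cur.append(ch)
            esc = False
        elif quoted and ch == "\\":
            cur.append(ch)
            esc = True
        elif ch == '"':
            quoted = not quoted
            cur.append(ch)
        elif ch in separators and not quoted:
            if cur:
                fields.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        fields.append("".join(cur))
    return fields


def parse_options(option_text):
    """'command="/x y",no-pty' -> {'command': '/x y', 'no-pty': None}."""
    opts = {}
    for item in _split(option_text, ","):
        name, sep, value = item.partition("=")
        opts[name.strip().lower()] = value.strip('"') if sep else None
    return opts


def parse_line(line):
    """Return {'options', 'type', 'key', 'comment'} or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = _split(line, " \t")
    if fields[0].startswith(KEY_PREFIXES):
        options, rest = {}, fields
    else:
        options, rest = parse_options(fields[0]), fields[1:]
    if len(rest) < 2:
        return None  # malformed: need at least a key type and key material
    return {"options": options, "type": rest[0], "key": rest[1],
            "comment": " ".join(rest[2:])}


def parse_authorized_keys(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def unrestricted_keys(text):
    """Comments of keys that open a full shell: neither command= nor restrict set."""
    return [e["comment"] for e in parse_authorized_keys(text)
            if "command" not in e["options"] and "restrict" not in e["options"]]


if __name__ == "__main__":
    for comment in unrestricted_keys(SAMPLE_AUTHORIZED_KEYS):
        print("unrestricted key:", comment)
```

Run against the real file of the account the test leader logs into, the report shows at a glance whether the "only change the database and restart" intent is actually enforced by a command= option or merely assumed.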

Authentication using PAM in Linux. Why it may fail running from some users?

I have written a simple application to authenticate a user using PAM the common way: pam_start(), pam_authenticate() + my own conversation function + pam_end().
If the application is run under the user whose credentials are being checked, authentication succeeds. Otherwise, if the application is run from user A to check the credentials of user B, authentication fails.
My question: why? As the service name passed to pam_start() I have also tried login as well as passwd. Nothing changed. Which direction should I go to debug the problem? Or should I possibly use another PAM service to perform the task?
P.S. user 'A' in the second case is a user with no password and a /bin/false shell.
How are you checking the "credentials"? Is it some file being read? Can user A read that file?
The service name passed to pam_start does not affect what the process can do. Note that programs that need to do similar things, like su or passwd, are actually setuid programs.
Also, watch out not to create security holes in your application/module by allowing user A to impersonate user B.
User A might not have the permission to read the password file /etc/shadow. This is one reason why credential checking programs usually require root privileges.
So: Does it work for user A and user B if you execute the program with root privileges / as the root user?
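
As an added illustration (not code from the thread) of why both answers point at /etc/shadow: pam_unix verifies a password by reading the shadow entry, and whether a process may read that file is decided by the ordinary Unix mode-bit check below. The numeric ids and the two file layouts are assumptions for the example (root:shadow 0640 as on Debian-style systems, root:root 0000 as on Red Hat-style systems), not values taken from the question; explain_live() applies the same rule to the real file of whatever host it runs on.

```python
"""Added example, not from the original question or answer: the Unix
discretionary-access check that decides whether a process can read
/etc/shadow, which is why a PAM client run as an ordinary user A cannot
verify user B's password while a setuid-root su or passwd can. Numeric ids
and the two file layouts below are assumptions for illustration."""
import os
import stat


def can_read(mode, owner_uid, owner_gid, euid, egid, groups=()):
    """Classic DAC read decision for a regular file.
    Root (CAP_DAC_READ_SEARCH) bypasses the mode bits. Otherwise exactly one
    class applies: owner if euid matches, else group if the file's group is
    the effective gid or a supplementary group, else other. An owner whose
    user bits deny reading is denied even if the group/other bits allow it."""
    if euid == 0:
        return True
    if euid == owner_uid:
        return bool(mode & stat.S_IRUSR)
    if owner_gid == egid or owner_gid in groups:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


# Two common /etc/shadow layouts (assumed typical values, not read from this host).
DEBIAN_SHADOW = {"mode": 0o640, "owner_uid": 0, "owner_gid": 42}  # root:shadow
RHEL_SHADOW = {"mode": 0o000, "owner_uid": 0, "owner_gid": 0}     # root:root


def shadow_readable(layout, euid, egid, groups=()):
    """Can a process with these credentials read the shadow file of `layout`?"""
    return can_read(layout["mode"], layout["owner_uid"], layout["owner_gid"],
                    euid, egid, groups)


def explain_live(path="/etc/shadow"):
    """Apply the same decision to the real file for the current process and
    put the kernel's own answer (access(2)) beside it for comparison."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    predicted = can_read(mode, st.st_uid, st.st_gid,
                         os.geteuid(), os.getegid(), os.getgroups())
    return {"euid": os.geteuid(), "mode": oct(mode),
            "owner": (st.st_uid, st.st_gid),
            "predicted": predicted, "kernel": os.access(path, os.R_OK)}


if __name__ == "__main__":
    try:
        print(explain_live())
    except OSError as exc:
        print("cannot stat /etc/shadow:", exc)
```

For the situation in the question, user A (no password, /bin/false shell, not in the shadow group) lands in the "other" class on either layout and is refused, which is exactly the failure observed; the same program started as root, or made setuid root like su and passwd, passes the check. That is also why the service name given to pam_start() makes no difference: it selects the module stack, not the credentials the process runs with.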
