Replying to myself, to add something I inadvertently omitted:
I am aware that the /etc/nslcd.conf file, that is used to configure the 
interaction with the LDAP server through NSS in Centos, supports an option 
(ignorecase) that would enable me to do what I want. The thing is, that option 
might be a bit too powerful, in that it will eliminate case-sensitivity in 
situations where that might not be advisable - hence my question. I am, 
however, willing to accept that, in the end, 'ignorecase' may be equivalent to 
what I am asking anyway, if that's the way it is.

On Tuesday, August 13, 2019, 09:25:26 AM MDT, JC <lovecraftes...@yahoo.com> wrote:

I have an OpenLDAP 2.4.42 server in which I have loaded an LDIF file that 
contains (among other entries) the following:

    # james, staff, yoyodyne.com
    dn: uid=james,ou=staff,dc=yoyodyne,dc=com
    uid: james
    cn: james
    objectClass: account
    objectClass: posixAccount
    loginShell: /bin/bash
    uidNumber: 1010
    gidNumber: 100
    homeDirectory: /home/james

Separately, I have a Centos 7 box that retrieves user information from the 
OpenLDAP server above, by means of the Name Service Switch framework in the 
Centos 7 system. Users to be authenticated in this box may not be defined 
locally, but in the OpenLDAP server alone; PAM has been configured in the 
Centos system so that, for such users, and when attempting to log in over SSH, 
a directory is created in the Centos box on the fly as necessary, using the 
path retrieved from the OpenLDAP server in the homeDirectory attribute for the 
user. The authentication itself is carried out by a remote RADIUS server; PAM 
is correctly configured for this too.
This works fine as described, in that when one attempts to log in over SSH into 
the Centos system as james, provided that the right password is supplied, the 
'/home/james' directory is created in the Centos system and an interactive SSH 
session is established.
What I would be interested in next is an OpenLDAP setup so that the entry for a 
given user can be retrieved from the OpenLDAP server in a case-insensitive 
manner. The goal is to be able to authenticate username, password pairs over 
the SSH interface in the Centos7 system, with the username being 
case-insensitive. 
As far as I can tell, in the process of establishing an SSH session, the 
OpenSSH daemon in the Centos 7 system will attempt to verify that the username 
is valid by invoking the getpwnam() Linux system call. This function will 
attempt to retrieve information for its argument - a username string - in a 
case-sensitive way. It first looks into the relevant local files and, if 
nothing is found and the NSS framework is appropriately configured, it will 
next attempt to obtain the data from an LDAP server.
PAM helps me here by providing a PAM module (pam_regex) which enables me to 
normalize incoming usernames - in essence, this module makes it easy to recast 
all incoming usernames to strings where all uppercase letters are transformed 
into their lowercase versions. The problem that I have is that OpenSSH invokes 
getpwnam() both before and after the pam_regex module has been invoked. Thus, 
if the username received from the client is, say, James, OpenSSH will invoke 
getpwnam("James") first, and getpwnam("james") later, after pam_regex has 
normalized "James". 
The upshot here seems to be that what I would need is an OpenLDAP setup such 
that when getpwnam("james") and getpwnam("James")  - or any other case 
combination of "James" - are invoked, the OpenLDAP server would return the same 
user data.
Now it seems to be the case that, with a user entry in OpenLDAP as described 
above, getpwnam("james") will look for an entry such that its uid attribute 
takes the value "james". I.e. if the value of uid is, say, "James" then it will 
be ignored. Which, following the discussion above, doesn't fit my goal.
I guess that the question would be the following: Is it possible to configure 
OpenLDAP so that getpwnam() can retrieve a given entry from the OpenLDAP server 
in a case-insensitive way? How would one create an entry for a user identified 
as James so that getpwnam("James"), getpwnam("james"), getpwnam("JAMES"), etc. 
would all cause the OpenLDAP server to return exactly the same Linux user data 
(uidNumber, gidNumber, homeDirectory)? Other than the obvious and impractical 
approach consisting of creating identical entries for all the case combinations 
of the target name, that is.
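The following is an added example, not part of the original thread and not code from OpenLDAP or nss-pam-ldapd. It is a small Python model of the lookup path the question describes: the LDAP server matches the uid filter, an nslcd-like client then decides whether to accept the result, and getpwnam() sees the outcome. Two things it relies on: the standard LDAP schema (RFC 4519) defines the uid attribute with EQUALITY caseIgnoreMatch, so a filter (uid=James) already matches "uid: james" on the server side; and the client-side behaviour (exact comparison of the returned uid against the requested name unless ignorecase is set) is a simplified model of nslcd, labelled as an assumption in the code. The directory entries, including the second "James" entry used to show the collision hazard, are constructed for the demo.

```python
"""Model of getpwnam() -> nslcd-like client -> LDAP server for a uid lookup.

Added example; not the original poster's code and not nslcd's source.
The directory below is constructed. The client-side check is a
simplified model of nslcd's behaviour (assumption, not its real code).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PosixEntry:
    dn: str
    uid: str
    uid_number: int
    gid_number: int
    home_directory: str
    login_shell: str = "/bin/bash"


# Constructed directory, modelled on the LDIF in the question.
DIRECTORY = [
    PosixEntry("uid=james,ou=staff,dc=yoyodyne,dc=com", "james", 1010, 100, "/home/james"),
    PosixEntry("uid=alice,ou=staff,dc=yoyodyne,dc=com", "alice", 1011, 100, "/home/alice"),
]

# Same directory plus a second entry that differs only in case. LDAP does
# not guarantee uid is unique; this is the case that a case-insensitive
# lookup must refuse rather than silently resolve to one of the two.
DIRECTORY_WITH_COLLISION = DIRECTORY + [
    PosixEntry("uid=James,ou=contractors,dc=yoyodyne,dc=com", "James", 2010, 100, "/home/James"),
]


def ldap_search_uid(directory, name):
    """Server side: evaluate the filter (uid=<name>).

    In RFC 4519 the uid attribute's EQUALITY rule is caseIgnoreMatch, so the
    server matches 'uid: james' for (uid=James) or (uid=JAMES). Every match
    is returned; the server does not pick one for the client.
    """
    wanted = name.casefold()
    return [entry for entry in directory if entry.uid.casefold() == wanted]


def nss_getpwnam(directory, name, ignorecase=False):
    """Client side (nslcd-like model; simplified, an assumption about nslcd).

    With ignorecase off, the returned entry's uid must equal the requested
    name exactly, so getpwnam("James") yields nothing for 'uid: james' even
    though the server matched it. With ignorecase on, a case-insensitive
    match is accepted, but an ambiguous result is an error: returning the
    first hit would let 'James' and 'james' collapse into one account.
    Returns a PosixEntry or None, raises LookupError on ambiguity.
    """
    matches = ldap_search_uid(directory, name)
    if not ignorecase:
        matches = [entry for entry in matches if entry.uid == name]
    if len(matches) > 1:
        raise LookupError(
            f"ambiguous lookup for {name!r}: " + ", ".join(e.dn for e in matches)
        )
    return matches[0] if matches else None


def sshd_lookup_sequence(directory, client_name, ignorecase=False):
    """The two getpwnam() calls the question describes: the raw client name
    before PAM runs, then the pam_regex-style lowercased name afterwards."""
    before = nss_getpwnam(directory, client_name, ignorecase)
    after = nss_getpwnam(directory, client_name.lower(), ignorecase)
    return before, after


if __name__ == "__main__":
    for flag in (False, True):
        before, after = sshd_lookup_sequence(DIRECTORY, "James", ignorecase=flag)
        print(f"ignorecase={flag}: getpwnam('James') -> {before and before.dn}, "
              f"getpwnam('james') -> {after and after.dn}")
    try:
        nss_getpwnam(DIRECTORY_WITH_COLLISION, "james", ignorecase=True)
    except LookupError as exc:
        print("collision refused:", exc)
```

With ignorecase off, the first call of the pair fails for "James" and only the normalized second call succeeds, which is exactly the gap the question runs into. With it on, both calls resolve to the same uidNumber, gidNumber and homeDirectory, but the lookup must fail closed as soon as two entries differ only in case; that ambiguity check is the caveat that makes a blanket ignorecase setting "too powerful" if the directory does not also enforce case-insensitive uniqueness of uid.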