arthurdejong / nss-pam-ldapd

NSS and PAM modules for lookups using LDAP
https://arthurdejong.org/nss-pam-ldapd/
GNU Lesser General Public License v2.1

uidNumber: missing, auto increment if doesn't exist already #44

Open Akshay-Hegde opened 3 years ago

Akshay-Hegde commented 3 years ago

Is it possible to generate a new uidNumber if the LDAP schema does not have uidNumber already?

Example above 2000+

root@TestServer:/home/akshay# getent passwd noreply

Debug Results

slcd: accepting connections
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [8b4567] DEBUG: connection from  pid=4671 uid=0 gid=0
nslcd: [8b4567] <passwd="noreply"> DEBUG: myldap_search(base="ou=people,dc=example,dc=com", filter="(&(objectClass=zimbraAccount)(zimbraAccountStatus=active)(uid=noreply))")
nslcd: [8b4567] <passwd="noreply"> DEBUG: ldap_initialize(ldap://ldap.example.com:389)
nslcd: [8b4567] <passwd="noreply"> DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] <passwd="noreply"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] <passwd="noreply"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] <passwd="noreply"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] <passwd="noreply"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] <passwd="noreply"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] <passwd="noreply"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] <passwd="noreply"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] <passwd="noreply"> DEBUG: ldap_simple_bind_s("uid=sys,cn=admins,cn=zimbra","***") (uri="ldap://ldap.example.com:389")
nslcd: [8b4567] <passwd="noreply"> DEBUG: ldap_result(): uid=noreply,ou=people,dc=example,dc=com
nslcd: [8b4567] <passwd="noreply"> uid=noreply,ou=people,dc=example,dc=com: uidNumber: missing
nslcd: [8b4567] <passwd="noreply"> DEBUG: ldap_result(): end of results (1 total)
arthurdejong commented 3 years ago

Sadly you cannot auto-generate a numeric uid from LDAP. You can use a different attribute from LDAP if it has a numeric value (possibly in combination with nss_uid_offset). If you are using Active Directory you can use the special objectSid prefix in nslcd.conf to use that attribute to turn it into a numeric uid. I don't immediately see an attribute in the Zimbra schema that would qualify (it seems at least that zimbraId is not numeric but a uuid).

The problem with the numeric uid is that it has to be constant and we need to be able to get the value from the LDAP entry as well as be able to search by that attribute.
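As an added illustration of the two options described in the comment above (not part of the original thread, and not from the nss-pam-ldapd project itself): an nslcd.conf fragment that reuses another numeric LDAP attribute as the uid and shifts it with nss_uid_offset, beside the Active Directory objectSid variant. The attribute name employeeNumber and the base SID are assumed placeholders; only one of the two uidNumber mappings should be active at a time.

```conf
# Added example, not from the original thread.
# Option 1: reuse an existing numeric attribute as the uid. nslcd must be
# able to read it from the entry AND search by it (for getpwuid), and it
# must never change for a given user. employeeNumber is an assumed
# placeholder; this only works if every entry carries a unique integer there.
map passwd uidNumber employeeNumber
map passwd gidNumber employeeNumber

# Shift every id nslcd returns upward so LDAP users cannot collide with
# local accounts in /etc/passwd (the thread wants ids above 2000).
nss_uid_offset 2000
nss_gid_offset 2000

# Option 2 (Active Directory only): derive the numeric id from the RID part
# of objectSid. The base SID is a constructed placeholder; use the domain SID
# the RIDs in your directory belong to. gidNumber still needs its own mapping.
# map passwd uidNumber objectSid:S-1-5-21-1111111111-2222222222-3333333333
```

Without some attribute that is numeric, stable and searchable, neither option applies, which is the situation the Zimbra schema leaves you in.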

quanah commented 3 years ago

Zimbra does not have any support for a uidNumber out of the box. Also, the Zimbra LDAP server is meant to be considered a black box and not subject to custom modification (i.e., any custom modifications may break upgrades and will invalidate support).

Akshay-Hegde commented 3 years ago

Thanks for the clarification. As @quanah said, I am not getting any valid numeric id from the Zimbra LDAP results to generate a uidNumber, and custom modification is risky.

"(possibly in combination with nss_uid_offset)" Will you please explain with a snippet?

Akshay-Hegde commented 3 years ago

Receiving the below error in auth.log; probably it's due to the missing uidNumber and gidNumber in the LDAP query results.

Jan 21 12:04:28 ThinServer lightdm: pam_unix(lightdm:auth): check pass; user unknown
Jan 21 12:04:28 ThinServer lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= 
Jan 21 12:04:28 ThinServer lightdm: pam_ldap(lightdm:auth): nslcd authentication; user=akshay
Jan 21 12:04:28 ThinServer lightdm: pam_ldap(lightdm:auth): authentication succeeded
Jan 21 12:04:28 ThinServer lightdm: gkr-pam: error looking up user information
Jan 21 12:04:28 ThinServer lightdm: pam_unix(lightdm:account): could not identify user (from getpwnam(akshay))
arthurdejong commented 3 years ago

Without a numeric uid (uidNumber) the user login will fail because the uid cannot be assigned. The authentication phase succeeds because there only the user name and password are checked.

Akshay-Hegde commented 3 years ago

You're right. I lost hope on LDAP authentication, as modifying Zimbra may create issues during upgrades. Is there any alternate way to achieve this? Like some kind of callback for providing a userinfo array (uidNumber, gidNumber for a given username) to the authentication service, or any local database to refer to for uidNumber and gidNumber, or any text file similar to a hit counter which just increments for any new uid found on successful authentication.