glauth / glauth

A lightweight LDAP server for development, home use, or CI
MIT License
2.47k stars, 218 forks

stacking PAM plugin #442

Open maxilee opened 5 days ago

maxilee commented 5 days ago

Hi. After getting the PAM plugin to work I'm going further. I'm trying to stack backends in the config, to extend the information from the PAM plugin with email, SSH keys and maybe OTP.

I've based my config on sample-ldap-injection.cfg, but no matter how I change the config, the additional LDAP fields don't appear in the search result :(

My current config (user "test1" exists in /etc/passwd):

[ldap]
  enabled = true
  listen = "0.0.0.0:3894"
  nameformat = "uid"
  groupformat = "ou"
  sshkeyattr = "sshPublicKey"

[[backends]]
  datastore = "plugin"
  plugin = "/root/glauth/v2/bin/linuxamd64/pam_linux.so"
  pluginhandler = "NewPamHandler"
  baseDN = "dc=glauth,dc=com"
  groupWithSearchCapability = "adm"
  nameformat = "uid"
  groupformat = "ou"
  sshkeyattr = "sshPublicKey"

[[backends]]
  datastore = "config"
  baseDN = "dc=glauth,dc=com"
  nameformat = "uid"
  groupformat = "ou"

[[users]]
  name = "test1"
  passsha256 = "6478579e37aff45f013e14eeb30b3cc56c72ccdc310123bcdf53e0333e3f416a" # dogood
  sshPublicKey = ["ssh-rsa ... +txSuhw== rsa-key"]
  passappsha256 = [
    "c32255dbf6fd6b64883ec8801f793bccfa2a860f2b1ae1315cd95cdac1338efa", # TestAppPw1
    "c9853d5f2599e90497e9f8cc671bd2022b0fb5d1bd7cfff92f079e8f8f02b8d3", # TestAppPw2
    "4939efa7c87095dacb5e7e8b8cfb3a660fa1f5edcc9108f6d7ec20ea4d6b3a88", # TestAppPw3
  ]
  mail = "test1@domain.com"

Output of the search:

[xxx@glauth-test ~]# ldapsearch -x -w test1 -H ldap://127.0.0.1:3894 -D "uid=test1,dc=glauth,dc=com" -b "dc=glauth,dc=com" cn=test1
# extended LDIF
#
# LDAPv3
# base <dc=glauth,dc=com> with scope subtree
# filter: cn=test1
# requesting: ALL
#

# test1, groups, glauth.com
dn: ou=test1,ou=groups,dc=glauth,dc=com
cn: test1
uid: test1
description: test1
gidNumber: 1001
objectClass: posixGroup

# test1, test1, users, glauth.com
dn: uid=test1,ou=test1,ou=users,dc=glauth,dc=com
cn: test1
uid: test1
ou: test1
uidNumber: 1001
accountStatus: active
objectClass: posixAccount
description: test1
gecos: test1
gidNumber: 1001
givenName: test1
displayName: test1
homeDirectory: /home/test1
memberOf: ou=test1,ou=groups,dc=glauth,dc=com
memberOf: ou=adm,ou=groups,dc=glauth,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

Or maybe I've misunderstood the stacking feature :(
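
An added check, not part of this issue or of glauth's own code, for verifying whether the stacked config backend actually contributed its attributes: it parses ldapsearch LDIF output (the constructed sample below is trimmed from the output above) and reports, per posixAccount entry, which of the attributes the [[users]] entry should supply are missing. It assumes only the Python 3 standard library.

```python
import base64
# Constructed sample: the issue's ldapsearch output, trimmed to the posixAccount entry.
SAMPLE_LDIF = """\
dn: uid=test1,ou=test1,ou=users,dc=glauth,dc=com
uid: test1
objectClass: posixAccount
memberOf: ou=test1,ou=groups,dc=glauth,dc=com
memberOf: ou=adm,ou=groups,dc=glauth,dc=com

search: 2
result: 0 Success
"""
# Attributes the [[users]] entry in the config backend should have contributed.
EXPECTED_FROM_CONFIG = ("mail", "sshPublicKey")

def parse_ldif(text):
    """Return {dn: {attr: [values]}} for each entry in ldapsearch LDIF output."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:  # LDIF folding: a leading space continues the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines:
        if not line:                       # blank line closes the entry, so "search:"/"result:" are skipped
            current = None
            continue
        attr, sep, value = line.partition(":")
        if line.startswith("#") or not sep:  # comments and trailer lines without "attr: value"
            continue
        attr, value = attr.strip(), value.strip()
        if value.startswith(":"):          # "attr:: <base64>" form used for non-ASCII or binary values
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        if attr.lower() == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def missing_attributes(entries, expected, object_class="posixAccount"):
    """For every entry of the given objectClass, list expected attributes the server did not return."""
    report = {}
    for dn, attrs in entries.items():
        classes = [v for k, vals in attrs.items() if k.lower() == "objectclass" for v in vals]
        if object_class not in classes:
            continue
        present = {k.lower() for k in attrs}  # LDAP attribute names are case-insensitive
        report[dn] = [a for a in expected if a.lower() not in present]
    return report
```

Feed it the full `ldapsearch` output instead of the sample to check a live server; an empty list for a DN means every attribute from the config backend was merged.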

Fusion commented 4 days ago

You know, the stacking feature works but has lots of limitations. I am not surprised that it's not working for your use case. But you're also not the first person asking for this, so I am going to add that to our todo list.

maxilee commented 4 days ago

Hi. I was also trying to do it another way. I've run two instances of glauth: the 1st to provide info from PAM, the 2nd to stack, i.e. to provide additional LDAP fields (SSH keys etc.) to users fetched from the 1st instance.

But this approach also failed :(

I've tried to find the limitation you mentioned in the source code, but I can't find the code which is responsible for that. Maybe if I or the other people you mentioned knew about these limitations, then we would know them and would not try to do something which is impossible right now.

BR, Mark