Date:      Sat, 10 Sep 2016 01:56:33 -0400 (EDT)
From:      Benjamin Kaduk <kaduk@MIT.EDU>
To:        Garrett Wollman <wollman@bimajority.org>
Cc:        freebsd-arch@freebsd.org, freebsd-security@freebsd.org
Subject:   Re: Trying to think out a hack for NSS and pw(8)
Message-ID:  <alpine.GSO.1.10.1609100153080.5272@multics.mit.edu>
In-Reply-To: <22483.5592.653250.726711@hergotha.csail.mit.edu>
References:  <22483.5592.653250.726711@hergotha.csail.mit.edu>

On Fri, 9 Sep 2016, Garrett Wollman wrote:

> Presently, we have a bunch of machines under configuration management
> (using Puppet, but that's not really relevant here).  I'm hoping to
> implement LDAP via nsswitch on these machines, but I've run into an
> issue: the standard getpw*(3) mechanisms can't tell the difference
> between users or groups in the local databases and those in the remote
> LDAP database.  We need Puppet to manage entries for users and groups
> in the local database, without respect to what entries might be
> imported from LDAP (because they are supposed to override the data
> returned by LDAP).  Puppet invokes pw(8) to actually perform the
> modifications, but I suspect it also uses native code from the Ruby
> standard library to actually do pre-modification lookups.
>
> Looking at the code in both nss-pam-ldapd and libc, it seems like the
> only plausible way to fix this is to add functionality to nsswitch
> which would allow it to use different configurations depending on the
> identity of the process invoking getpwnam(3) or getgrnam(3).  Does
> anyone have opinions on how this ought to be implemented, or indeed
> how it could be implemented securely?

It's a bit late here, but it sounds kind of like you want to be able to
set NSS_NONLOCAL_IGNORE [and have it do something useful]?
(https://debathena.mit.edu/nss_nonlocal/)

Unfortunately, I never got far enough in trying to port Athena to FreeBSD
to have looked at how portable nss_nonlocal is.  But it is probably worth
looking at, for your case.

-Ben
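The situation described in the thread, a "files then LDAP" passwd lookup in which a local entry must override the LDAP one and a management tool needs a way to see only the local database, modelled as an added example. This is not code from the thread, from nss_nonlocal or from FreeBSD libc: the two databases are constructed inline, the `nss_lookup`/`uid_of` helpers are hypothetical, and the rule that any non-empty value of NSS_NONLOCAL_IGNORE disables the non-local source is an assumption about how such a switch would behave.

```c
#define _POSIX_C_SOURCE 200809L   /* for setenv(3)/getenv(3) under strict -std */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal passwd(5)-style record: only the fields this model needs. */
struct pw_rec {
    char name[64];
    long uid;
    char source[8];   /* which database answered: "files" or "ldap" */
};

/* Constructed sample local database (stands in for /etc/passwd). */
static const char *local_db =
    "root:*:0:0:Charlie &:/root:/bin/sh\n"
    "wollman:*:1001:1001:Garrett:/home/wollman:/bin/sh\n";

/* Constructed sample of what the LDAP server would return for the same names. */
static const char *ldap_db =
    "wollman:*:5000:5000:Garrett (LDAP):/nfs/home/wollman:/bin/tcsh\n"
    "kaduk:*:5001:5001:Ben:/nfs/home/kaduk:/bin/sh\n";

/* Look up `name` in one colon-separated database; true on an exact login match. */
static bool db_lookup(const char *db, const char *name, struct pw_rec *out)
{
    char buf[256];
    const char *line = db;

    while (*line != '\0') {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len >= sizeof buf)
            return false;                  /* malformed or oversized entry */
        memcpy(buf, line, len);
        buf[len] = '\0';

        /* passwd(5) fields: name:passwd:uid:gid:gecos:home:shell */
        char *f[7] = {0};
        char *p = buf;
        int n = 0;
        while (n < 7 && p != NULL) {
            f[n++] = p;
            char *colon = strchr(p, ':');
            if (colon) { *colon = '\0'; p = colon + 1; } else p = NULL;
        }
        if (n == 7 && strcmp(f[0], name) == 0) {
            snprintf(out->name, sizeof out->name, "%s", f[0]);
            out->uid = strtol(f[2], NULL, 10);
            return true;
        }
        if (eol == NULL)
            break;
        line = eol + 1;
    }
    return false;
}

/* Model of an nsswitch.conf "passwd: files ldap" lookup.  "files" is tried
 * first, so a local entry always shadows the LDAP entry with the same name.
 * With ignore_nonlocal set (the NSS_NONLOCAL_IGNORE idea) LDAP is never asked. */
static bool nss_lookup(const char *name, bool ignore_nonlocal, struct pw_rec *out)
{
    if (db_lookup(local_db, name, out)) {
        strcpy(out->source, "files");
        return true;
    }
    if (ignore_nonlocal)
        return false;
    if (db_lookup(ldap_db, name, out)) {
        strcpy(out->source, "ldap");
        return true;
    }
    return false;
}

/* What a tool like pw(8) would call.  Assumption: any non-empty value of
 * NSS_NONLOCAL_IGNORE in the environment restricts the lookup to local data. */
static bool getpwnam_model(const char *name, struct pw_rec *out)
{
    const char *v = getenv("NSS_NONLOCAL_IGNORE");
    return nss_lookup(name, v != NULL && *v != '\0', out);
}

/* uid of `name` under the given policy, or -1 when not found. */
static long uid_of(const char *name, bool ignore_nonlocal)
{
    struct pw_rec r;
    return nss_lookup(name, ignore_nonlocal, &r) ? r.uid : -1;
}

/* Same, but deciding the policy from the environment as getpwnam_model does. */
static long uid_via_env(const char *name)
{
    struct pw_rec r;
    return getpwnam_model(name, &r) ? r.uid : -1;
}

int main(void)
{
    const char *names[] = {"root", "wollman", "kaduk", "nobody"};
    for (size_t i = 0; i < 4; i++) {
        struct pw_rec r;
        if (getpwnam_model(names[i], &r))
            printf("%-8s uid=%ld (from %s)\n", r.name, r.uid, r.source);
        else
            printf("%-8s not found\n", names[i]);
    }
    return 0;
}
```

Run it twice, once plainly and once with `NSS_NONLOCAL_IGNORE=1` in the environment: in the first run `kaduk` resolves from the LDAP sample, in the second it is absent, while `wollman` keeps the local uid 1001 in both because the local database shadows the LDAP entry with uid 5000. That is the property Garrett needs for Puppet's pre-modification lookups: the same name can be asked "locally only" without changing what ordinary logins see.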
