Is there any service that will speak LDAP but just respond with the local UNIX users?

Right now I have good management for local UNIX users but every service wants to do its own auth. This means that it is a pain of remembering different passwords, configuring passwords on setting up a new service and whatnot.

I noticed that a lot of services support LDAP auth, but I don’t want to make my UNIX user accounts depend on LDAP for simplicity. So I was wondering if there was some sort of shim that will talk the LDAP protocol but just do authentication against the regular user database (PAM).

The closest I have seen is the services.openldap.declarativeContents NixOS option which I can probably use by transforming my regular UNIX settings into an LDAP config at build time, but I was wondering if there was anything simpler.

(Related note: I really wish that services would let you specify the user via HTTP header, then I could just manage auth at the reverse-proxy without worrying about bugs in the service)

  • BearOfaTime@lemm.ee
    link
    fedilink
    English
    arrow-up
    6
    arrow-down
    1
    ·
    2 months ago

    What’s wrong with LDAP for users? (I’m trying to think of a negative, and can’t).

    • kevincox@lemmy.mlOP
      link
      fedilink
      English
      arrow-up
      3
      ·
      2 months ago

      Yet another service to maintain. If the server is crashing you can’t log in, so you need backup UNIX users anyways.

        • cybersandwich@lemmy.world
          link
          fedilink
          English
          arrow-up
          4
          ·
          2 months ago

          Would you mind educating us plebs then? I had a similar question to op, and I can assure you, I definitely don’t understand local auth services the way I probably should.

          • just_another_person@lemmy.world
            link
            fedilink
            English
            arrow-up
            5
            ·
            2 months ago

            Your local auth services are configured to use LDAP as a source, whatever your local auth mechanism is checks credentials, and then you’re auth’d or not. Some distros have easy to use interfaces to configure this, some don’t, but mostly it’s just configuring pam.d (for Linux), and a caching daemon of some sort to keep locally cached copies of the shadow info so you can auth when the LDAP server can’t be contacted (if you’ve previously authenticated once). You can set up many different authentication sources and backends as well, and set their preferences, restrictions, options…etc.

            RHEL/Fedora examples: https://www.redhat.com/sysadmin/pam-authconfig

            Debian examples: https://wiki.debian.org/LDAP/PAM

      • BearOfaTime@lemm.ee
        link
        fedilink
        English
        arrow-up
        10
        arrow-down
        1
        ·
        2 months ago

        You need backup local admin accounts, not Backups for each user.

        Which is how enterprise does things. There are local accounts with root access, but the id’s and passwords are tightly controlled.