Implement username extraction mechanism using regular expressions #42
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The implemented functionality allows extracting LDAP usernames from usernames supplied to PAM. The regular expression-based mechanism provides a simple but efficient technique to use prefixes and/or suffixes to distinguish local and LDAP users preventing username clashes. For example, there is a local UNIX user account johndoe. The same user has a corporate LDAP account uid=johndoe,cn=users,dc=domain,dc=net. The following configuration allows this user to log in with a local account johndoe - in this case, pam_unix handles the authentication and pam_ldap is skipped on success. At the same time, [email protected] won't be authenticated by pam_unix, so that pam_ldap will extract the username using the regular expression ^(.*)@domain.net$ and try to authenticate johndoe against the LDAP server. Also, in this example, we use Google Authenticator based 2fa authentication for both local and LDAP users. auth [success=1 default=ignore] pam_unix.so auth requisite pam_ldap.so use_first_pass [extract_username=/^(.*)@domain.net$/] auth required pam_google_authenticator.so [authtok_prompt=Enter an authenticator app code.] Configuration options: extract_username=[0..9]/regex_pattern/[i] The first number specifies the regex capturing group to be used for username extraction. In some complex regex expressions with multiple groups, this allows to explicitly specify the group number needed. E.g. 2/^(EXT|EXTERNAL)\\(.*)$/ The number could be omitted, the default value is 1. The optional trailing flag 'i' indicates that the regex match will be case-insensitive. extract_username_required This flag indicates that successful extraction is mandatory to authenticate the user. Otherwise, if extraction fails, pam_ldap will try to authenticate the user with the originally provided username. Signed-off-by: Andriy Sharandakov <[email protected]>
|
Hi @ashway83 Thanks for your patch. I've been reviewing it and it looks like something useful to merge. I was wondering in which scenario's did you test this? Does it also work with e.g. an SSH session? From previous testing with username changes I noticed that if you log in with e.g. In your example, does pam_google_authenticator.so use Does this also work correctly in the authorisation (account) and session phases of PAM as well as when changing passwords? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The implemented functionality allows extracting LDAP usernames from usernames supplied to PAM. The regular expression-based mechanism provides a simple but efficient technique to use prefixes and/or suffixes to distinguish local and LDAP users preventing username clashes.
For example, there is a local UNIX user account
johndoe. The same user has a corporate LDAP accountuid=johndoe,cn=users,dc=domain,dc=net.The following configuration allows this user to log in with a local account johndoe - in this case, pam_unix handles the authentication and pam_ldap is skipped on success. At the same time,
[email protected]won't be authenticated by pam_unix, so that pam_ldap will extract the username using the regular expression^(.*)@domain.net$and try to authenticatejohndoeagainst the LDAP server. Also, in this example, we use Google Authenticator based 2fa authentication for both local and LDAP users.Configuration options:
extract_username=[0..9]/regex_pattern/[i]The first number specifies the regex capturing group to be used for username extraction. In some complex regex expressions with multiple groups, this allows to explicitly specify the group number needed. E.g.
2/^(EXT|EXTERNAL)\\(.*)$/The number could be omitted, the default value is 1.
The optional trailing flag
iindicates that the regex match will be case-insensitive.extract_username_requiredThis flag indicates that successful extraction is mandatory to authenticate the user. Otherwise, if extraction fails, pam_ldap will try to authenticate the user with the originally provided username.
Signed-off-by: Andriy Sharandakov [email protected]