From: Garrett Wollman
To: freebsd-arch@freebsd.org, freebsd-security@freebsd.org
Subject: Trying to think out a hack for NSS and pw(8)
Date: Fri, 9 Sep 2016 16:04:40 -0400
Message-ID: <22483.5592.653250.726711@hergotha.csail.mit.edu>
Presently, we have a bunch of machines under configuration management (using Puppet, but that's not really relevant here). I'm hoping to implement LDAP via nsswitch on these machines, but I've run into an issue: the standard getpw*(3) mechanisms can't tell the difference between users or groups in the local databases and those in the remote LDAP database. We need Puppet to manage entries for users and groups in the local database, without respect to what entries might be imported from LDAP (because they are supposed to override the data returned by LDAP). Puppet invokes pw(8) to actually perform the modifications, but I suspect it also uses native code from the Ruby standard library to actually do pre-modification lookups.

Looking at the code in both nss-pam-ldapd and libc, it seems like the only plausible way to fix this is to add functionality to nsswitch which would allow it to use different configurations depending on the identity of the process invoking getpwnam(3) or getgrnam(3). Does anyone have opinions on how this ought to be implemented, or indeed how it could be implemented securely?

(As a side issue, the net/nss-pam-ldapd port completely ignores account expiration dates. This bug is due to the fact that Linux has this ships-in-the-night "shadow" mechanism, getspent(3), rather than having it integrated in getpwent(3) like it should be, but the ultimate upshot is that if you're using nss-pam-ldapd you can't rely on shadowExpire attributes in the directory actually having an effect on FreeBSD. I'll open a bugzilla issue about this.)

-GAWollman
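The message above turns on one distinction that getpwnam(3) erases: whether a name comes from the local password file or was merged in from LDAP by nsswitch. Short of the per-process nsswitch configuration the author proposes, a management tool can recover that distinction itself by parsing the local file directly and only afterwards asking libc. The C program below is an added example to illustrate that check; it is not code from the message, from FreeBSD's libc or pw(8), or from Puppet. The function names, the enum, and the sample passwd(5) text are hypothetical, and the sample data is constructed for the example.

```c
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not from the original message, FreeBSD, or Puppet):
 * decide whether an account is defined in the local password file without
 * going through nsswitch, then consult getpwnam(3) for the merged view.
 * Names below are hypothetical. */

enum user_source {
    USER_NOT_FOUND = 0,   /* neither the local file nor NSS knows the name */
    USER_LOCAL = 1,       /* defined in the local password file */
    USER_REMOTE_ONLY = 2  /* visible through getpwnam(3) only, e.g. from LDAP */
};

/* Constructed sample in passwd(5) format, not a real system file. The '+'
 * line is a compat-mode directive, which is not a local account. */
const char *SAMPLE_LOCAL_PASSWD =
    "root:*:0:0:Charlie &:/root:/bin/sh\n"
    "# local service account\n"
    "puppet:*:777:777:Puppet:/var/puppet:/usr/sbin/nologin\n"
    "+@ldapusers::::::\n"
    "wollman:*:1001:1001:Garrett Wollman:/home/wollman:/bin/sh";

/* Return 1 if `name` is the login field of an entry in passwd-format `text`.
 * Only the first colon-separated field is compared; comment lines and compat
 * directives ('+' / '-' lines) are skipped; a final newline is optional. */
int local_has_user(const char *text, const char *name)
{
    size_t nlen = strlen(name);
    const char *p = text;

    while (*p != '\0') {
        const char *eol = strchr(p, '\n');
        size_t linelen = eol != NULL ? (size_t)(eol - p) : strlen(p);

        if (linelen > 0 && p[0] != '#' && p[0] != '+' && p[0] != '-') {
            const char *colon = memchr(p, ':', linelen);
            size_t flen = colon != NULL ? (size_t)(colon - p) : linelen;
            if (flen == nlen && memcmp(p, name, nlen) == 0)
                return 1;
        }
        if (eol == NULL)
            break;
        p = eol + 1;
    }
    return 0;
}

/* Classify `name`: the local file wins; otherwise fall back to the
 * nsswitch-merged view that getpwnam(3) returns. */
enum user_source classify_user(const char *name, const char *local_text)
{
    if (local_has_user(local_text, name))
        return USER_LOCAL;
    if (getpwnam(name) != NULL)
        return USER_REMOTE_ONLY;
    return USER_NOT_FOUND;
}

/* Slurp a file into a NUL-terminated malloc'd buffer; NULL on failure. */
char *read_whole_file(const char *path)
{
    FILE *fp = fopen(path, "r");
    char *buf = NULL;
    size_t len = 0, cap = 0;
    int c;

    if (fp == NULL)
        return NULL;
    while ((c = fgetc(fp)) != EOF) {
        if (len + 1 >= cap) {
            cap = cap ? cap * 2 : 4096;
            char *nb = realloc(buf, cap);
            if (nb == NULL) { free(buf); fclose(fp); return NULL; }
            buf = nb;
        }
        buf[len++] = (char)c;
    }
    fclose(fp);
    if (buf == NULL)
        buf = malloc(1);
    if (buf != NULL)
        buf[len] = '\0';
    return buf;
}

int main(int argc, char **argv)
{
    /* On FreeBSD the authoritative local file is /etc/master.passwd (readable
     * only by root); /etc/passwd lists the same login names without hashes. */
    const char *name = argc > 1 ? argv[1] : "root";
    const char *path = argc > 2 ? argv[2] : "/etc/passwd";
    static const char *labels[] = { "not found", "local", "remote-only (NSS)" };
    char *text = read_whole_file(path);

    if (text == NULL) {
        perror(path);
        return 1;
    }
    printf("%s: %s\n", name, labels[classify_user(name, text)]);
    free(text);
    return 0;
}
```

Run it as `./classify wollman /etc/master.passwd` (as root on FreeBSD) or with no arguments to check `root` against /etc/passwd. The point of the ordering in `classify_user` is that the local file is consulted first and never through libc, so an LDAP entry with the same login name cannot mask a local one; that is exactly the property a configuration-management pre-check needs before invoking pw(8). A Ruby provider could do the same by reading the file instead of calling `Etc.getpwnam`. On glibc systems `getent -s files passwd NAME` gives the files-only answer from the command line; FreeBSD's getent(1) has no source-selection option, which is why a direct parse is shown here. The same approach applies to groups by parsing /etc/group and comparing against getgrnam(3).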