The posixAccount objectClass does not exist in this customer’s LDAP nor in their Active Directory. I have read other internet chats about mapping other ldap attributes (e.g. employeeid) to uidNumber. However, I have browsed the full contents of the customer’s user attributes in both LDAP and AD directory and see only one attribute that looks like a unique number that possibly could be mapped to uidNumber. Unfortunately I have also read that this uidNumber must be between 1000...65533 and so I think I am out of luck there.
I want to quickly explore the feasibility of another approach. The article at https://lists.arthurdejong.org/nss-pam-ldapd-users/2015/msg00053.html starts with the idea of mapping the employeeid as uidNumber but then "hard coding" other values such as gidNumber and loginShell, as shown below.
# passwd map from the linked post: uid and uidNumber come from directory
# attributes, the remaining fields are quoted nslcd expressions
map passwd uid uid
map passwd uidNumber employeeid
map passwd gidNumber "1000"
map passwd gecos "${gecos:-$cn}"
map passwd homeDirectory "/home/$uid"
map passwd loginShell "/bin/bash"
I want to take this idea one step further and hardcode the uidNumber and homeDirectory as well, as shown below.
# same map with uidNumber and homeDirectory also fixed: only uid and gecos
# still come from the directory, so every user resolves to uid 1000
map passwd uid uid
map passwd uidNumber "1000"
map passwd gidNumber "1000"
map passwd gecos "${gecos:-$cn}"
map passwd homeDirectory "/home/admin"
map passwd loginShell "/bin/bash"
I only have one class of users allowed to log in directly to the API appliance: FULL ADMINISTRATORS. What I care about is that they authenticate themselves using their own id and password against the customer LDAP. Then, based on some /etc/sudoers file config, they will be able to sudo su - root or sudo su - ssgconfig without a password. I can guess that what I might lose is auditing, given that each person who logs in will have the same uidNumber. However, this is better than allowing them to share the passwords for ssgconfig and/or root.
Thoughts about feasibility of this idea?
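A way to dry-run either passwd map before it goes live, as an added example that is not part of the original post or of nss-pam-ldapd: it parses the "map passwd" lines, expands the $attr / ${attr} / ${attr:-default} expressions the two maps use against a few constructed directory entries (assumed sample data, not real customer data), and reports uidNumber values outside the 1000..65533 range quoted above, uidNumber collisions, and home directories shared between users. The collision check models what getpwuid() does with a shared uid, which is what sudo's log line and file ownership rely on: the uid resolves back to a single name, whichever record the directory returns first, which is the auditing loss the post anticipates. The expression expander is a small reimplementation for this check only and covers just the forms shown in the post.

```python
"""Dry-run an nslcd 'map passwd' configuration against sample directory
entries and flag uidNumber problems before the map is deployed.

Added example, not code from the original post or from nss-pam-ldapd.
The directory entries are constructed sample data; the expression
expansion covers only the $attr / ${attr} / ${attr:-default} forms."""
import re

UID_MIN, UID_MAX = 1000, 65533   # range quoted in the post

# Constructed sample of customer directory entries (assumed, not real data).
DIRECTORY = [
    {"uid": "alice", "cn": "Alice Example", "employeeid": "100234"},
    {"uid": "bob",   "cn": "Bob Example",   "employeeid": "100235", "gecos": "Bob E."},
    {"uid": "carol", "cn": "Carol Example", "employeeid": "7000001"},
]

MAP_EMPLOYEEID = """
map passwd uid uid
map passwd uidNumber employeeid
map passwd gidNumber "1000"
map passwd gecos "${gecos:-$cn}"
map passwd homeDirectory "/home/$uid"
map passwd loginShell "/bin/bash"
"""

MAP_HARDCODED = """
map passwd uid uid
map passwd uidNumber "1000"
map passwd gidNumber "1000"
map passwd gecos "${gecos:-$cn}"
map passwd homeDirectory "/home/admin"
map passwd loginShell "/bin/bash"
"""

_EXPR = re.compile(r'\$\{(?P<name>\w+)(?::-(?P<default>[^}]*))?\}|\$(?P<bare>\w+)')

def parse_map(text):
    """Return {passwd_field: (kind, value)}: kind is 'attr' for a bare
    attribute name, 'expr' for a double-quoted nslcd expression."""
    fields = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 3)
        if len(parts) == 4 and parts[:2] == ["map", "passwd"]:
            value = parts[3]
            if value.startswith('"') and value.endswith('"'):
                fields[parts[2]] = ("expr", value[1:-1])
            else:
                fields[parts[2]] = ("attr", value)
    return fields

def expand(expr, entry):
    """Expand $attr, ${attr} and ${attr:-default} against one entry."""
    def sub(mo):
        name = mo.group("name") or mo.group("bare")
        value = entry.get(name, "")
        if value == "" and mo.group("default") is not None:
            return expand(mo.group("default"), entry)   # default may nest ($cn)
        return value
    return _EXPR.sub(sub, expr)

def resolve(fields, entry):
    """Build the passwd record nslcd would return for one directory entry."""
    return {field: (entry.get(value, "") if kind == "attr" else expand(value, entry))
            for field, (kind, value) in fields.items()}

def check_map(text, directory=DIRECTORY):
    """Resolve every entry through the map and return a list of findings."""
    fields = parse_map(text)
    records = [resolve(fields, e) for e in directory]
    findings, by_uid = [], {}
    for rec in records:
        raw = rec.get("uidNumber", "")
        if not raw.isdigit():
            findings.append(f"{rec['uid']}: uidNumber {raw!r} is not numeric")
            continue
        uid = int(raw)
        if not UID_MIN <= uid <= UID_MAX:
            findings.append(f"{rec['uid']}: uidNumber {uid} outside {UID_MIN}..{UID_MAX}")
        by_uid.setdefault(uid, []).append(rec["uid"])
    for uid, names in by_uid.items():
        if len(names) > 1:   # getpwuid() can only hand back one of these names
            findings.append(f"uidNumber {uid} shared by {', '.join(names)}: "
                            f"getpwuid() resolves it to {names[0]} only")
    if len({r["homeDirectory"] for r in records}) < len(records):
        findings.append("homeDirectory shared between users: dotfiles, ~/.ssh "
                        "and shell history are writable by all of them")
    return findings

def getpwuid_first(text, uid, directory=DIRECTORY):
    """Mirror getpwuid(): the first record carrying this uidNumber. Real
    nslcd order depends on the directory's search results, not this list."""
    fields = parse_map(text)
    for e in directory:
        rec = resolve(fields, e)
        if rec.get("uidNumber") == str(uid):
            return rec["uid"]
    return None

if __name__ == "__main__":
    for name, text in (("employeeid", MAP_EMPLOYEEID), ("hardcoded", MAP_HARDCODED)):
        print(f"== {name} map ==")
        for finding in check_map(text) or ["no findings"]:
            print("  " + finding)
```

Run as-is it prints the findings for both maps: the employeeid map fails only the range check on the sample values, while the hardcoded map passes the range check but collapses all three administrators onto uid 1000 and one home directory.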