3

I'm attempting to create a centralized database for my users for my server and web accesses, so that I can allow those users to log in through ssh if they have access, and through my web services to view their account and system information.

I've read about LDAP, but I want to be able to manage the users in a different database such as Postgresql so I can more easily tie the database into my web services, and control the SQL migrations and schemas if I need more user details.

I looked into something like Puppet, but it's a little too much for what I'm looking to do, and I don't need to manage multiple servers at the moment. I tried to research how Puppet handles server user auth but I didn't find too much information.

My question: Is there a way to create a centralized database of user information in something other than LDAP, such as Postgres, that I can use to authenticate ssh and web users against?

josh

3 Answers

4

Yes.

System authentication on Linux and UNIX systems has gone through PAM (Pluggable Authentication Modules) for decades.

The PAM principle is that if you want to use a new authentication back-end you don't need to recompile all the applications that use authentication, such as system auth, ssh, ftp, telnet, sudo, etc. Simply load the correct module and everything that uses PAM can automatically use the new authentication back-end.

So if your applications use PAM (and many, many do), and a PAM module for your alternate user/authentication store either already exists or you can create one, you're done.

pam-pgsql is one such PAM module; it uses a table in a PostgreSQL database. That would make integration with your web application easy as well, or you could use the PAM integration of your web server for authenticated access.

In addition, some applications have native integration with database backends, outside of PAM.

HBruijn
4

LDAP really does three things on Linux machines:

Authentication:

This is the realm of PAM; it uses username/password to verify that the user is who they say they are.

Authorization:

Here is where PAM doesn't meet the need: PAM is on/off, you either get approval or you don't. Authorization is about group membership.

Attributes:

Where's your home directory? What's your name?

The last two items are handled by NSS backends. If you look in /etc/nsswitch.conf you'll find that it uses standard backends to convert system calls to LDAP lookups.

If you don't want to use LDAP, then you'll need to use a different version of the NSS plugin libraries that support the database you want to use. Some of these exist, but you're reinventing a rather large wheel.

As far as Puppet goes, it uses SSL certs for client authentication, somewhat similar to the way ssh does.

  • Can you explain the flow of authentication for a Puppet user? I.e. if I am a user in Puppet, how would I login through ssh as that user? Hopefully this makes sense... – josh Nov 14 '13 at 16:40
  • 3
    Your question makes no sense at all. Puppet is a tool for configuring systems, not for providing network based authentication/authorization protocols. You can have puppet manage the /etc/passwd file and add/delete user accounts on the system, but that's conceptually no different than editing those files by hand. – Fred the Magic Wonder Dog Nov 14 '13 at 18:05
  • 1
    @cacidol, I think you're missing the fact that "ssh access" is mediated by the operating system itself (which can be local or NIS or LDAP or other PAM module), whereas your web app might be using native authentication (the OS), or forms-based, which would depend on what you write into your web site. – mfinni Nov 14 '13 at 18:46
  • Yeah, I understand better now @FredtheMagicWonderDog and mfinni. I don't use Puppet but I use a system that does and so I wanted to know how Puppet handles authentication, but it seems that it doesn't according to Fred's other answer. I was curious how it worked if it did. – josh Nov 14 '13 at 19:23
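What the two answers above describe in practice, the pam-pgsql wiring from the first answer and the NSS requirement from the second, as an added example that is not code from either answer or from the pam-pgsql project. It renders the three pieces (user table, /etc/pam_pgsql.conf, the pam.d lines for sshd) into a scratch directory for review rather than writing to /etc, and adds the getent check you want before blaming PAM for a refused ssh login. Assumptions: the table and column names (users.login, users.password, users.expired, users.defaulted), the role name pam_auth and the libpq connection string are invented for illustration; the config keys follow the pam-pgsql README (connect, auth_query, acct_query, pw_type) and should be checked against the documentation of the version you install.

```shell
#!/bin/sh
# Added example, not code from the answers above or from pam-pgsql itself.
# Renders the files needed to authenticate sshd users against PostgreSQL via
# pam_pgsql into a scratch directory, plus an NSS resolution check.
# Assumed/invented names: users.login, users.password, users.expired,
# users.defaulted, role pam_auth, database "auth", password "change-me".

render_pgsql_pam_config() {
    outdir="$1"
    mkdir -p "$outdir"

    # 1. User table.  Store crypt(3)-format hashes ($6$ = SHA-512 crypt), never
    #    plaintext, so one row serves both sshd (via pam_pgsql) and the web app,
    #    which can verify the same hash with its own crypt(3) binding.
    cat > "$outdir/schema.sql" <<'EOF'
CREATE TABLE users (
    login     text PRIMARY KEY,
    password  text NOT NULL,                   -- crypt(3) hash, e.g. $6$salt$...
    expired   boolean NOT NULL DEFAULT false,  -- account disabled
    defaulted boolean NOT NULL DEFAULT false   -- must change password at next login
);
-- Least privilege: the role PAM connects as can only read what its queries need.
CREATE ROLE pam_auth LOGIN PASSWORD 'change-me';
GRANT SELECT (login, password, expired, defaulted) ON users TO pam_auth;
EOF

    # 2. /etc/pam_pgsql.conf (keep it root-owned, mode 0600: it holds the DB
    #    password).  %u is replaced with the user being authenticated.
    #    acct_query must return three booleans: expired, defaulted, password-is-null.
    cat > "$outdir/pam_pgsql.conf" <<'EOF'
connect = dbname=auth user=pam_auth password=change-me host=127.0.0.1 sslmode=require
auth_query = SELECT password FROM users WHERE login = %u
acct_query = SELECT (expired), (defaulted), (password IS NULL) FROM users WHERE login = %u
pw_type = crypt
EOF

    # 3. Lines for /etc/pam.d/sshd, placed before the distribution's includes.
    #    "sufficient": success in pam_pgsql ends the stack; failure falls through
    #    to pam_unix, so root and local admin accounts keep working.
    cat > "$outdir/pam.d-sshd" <<'EOF'
auth     sufficient pam_pgsql.so
account  sufficient pam_pgsql.so
EOF
}

# sshd will not log in a user that NSS cannot resolve (getpwnam fails), no
# matter what PAM answers; pam_pgsql supplies no passwd entries, that is the
# job of an NSS module such as libnss-pgsql or of a local account.
# Returns 0 when "getent passwd <user>" finds the account.
nss_resolves() {
    getent passwd "$1" >/dev/null 2>&1
}

# SHA-512 crypt hash for an INSERT into users.password (openssl >= 1.1.1).
# The password is fed on stdin so it does not show up in the process list.
make_crypt_hash() {
    printf '%s' "$1" | openssl passwd -6 -stdin
}

out=$(mktemp -d)
render_pgsql_pam_config "$out"
echo "rendered into $out:"
ls "$out"
```

Review the three rendered files, then copy schema.sql into psql, pam_pgsql.conf to /etc/pam_pgsql.conf (chmod 600), and the two pam.d lines into /etc/pam.d/sshd above the existing includes. Keep an existing root ssh session open while testing: a broken PAM stack locks everyone out, and `nss_resolves someuser` tells you whether a refused login is an NSS problem rather than a PAM one.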
0

Your puppet question should really be a different question, since it's not really related.

I've thought about what you're asking a bit more, and one way you could implement what you want is to use a database query from within a puppet module. Since the puppet language is its own thing and not an extension of a general-purpose language, you'd likely have to write/find a puppet resource provider that would return a list of usernames and then have puppet manage the /etc/passwd, etc. files on the machine.

This would be more straightforward to implement in chef. I'm sure it's possible in puppet. It's also possible (and IMHO best practice) to update your LDAP server from database entries. It really depends on the scale at which you operate and how rapidly you want changes to propagate.