
Ubuntu 18.04.3 server, slapd running, LDAP auth configured with libnss-ldapd and libpam-ldapd packages (all on the same machine). Created a local user with useradd and a user in the LDAP database with the same username, different numerical UIDs, different passwords. Logging in with this username by SSH works with each of the two passwords, and in each case, the local user will be logged in. The latter is to be expected, since using the order files ldap in nsswitch.conf. However, it worries me that the password stored in LDAP grants access to the local user. This even works when I lock the local user with passwd --lock.

Is the described behavior to be expected, or did I configure something wrong?

As a possible solution, I changed the order in passwd and group in nsswitch.conf to ldap files. Now, only the LDAP password works and will log me in under the UID stored in LDAP. Is it a good idea to use this order for passwd and group?

Addendum: Here is another idea, using order files ldap. Ultimately, I want to prevent logins via SSH as local users using LDAP credentials. Easiest would be to ensure there are no username collisions. For practical purposes, this could be done by prefixing LDAP usernames with some string that would make it highly unlikely that such a username occurs as a local user (my local users are mostly system users). However, my users (the persons) prefer usernames without such a prefix. But they do not care about their group names. So I create groups with names that are highly unlikely to collide with a local group. Then I put all LDAP users in one of those groups. Finally, I use MatchGroup in sshd_config to allow only those groups to SSH into the machine (in addition to root and a few others, where I explicitly ensure that they are not used as usernames in LDAP).

It should be noted that my set of local users is small and mostly constant; but small changes over time may still happen, for example when a package is updated or a new package is installed. Therefore, it is not feasible to just give a list of usernames that are forbidden in LDAP and take no further measures.

Addendum 2: Same problem on the clients (running Debian) that use the LDAP server to authenticate users. If there is a local user (on the client) and a user in LDAP of the same name, we can log in to the client as the local user using the credentials stored in LDAP! Oh dear. The trick described in the previous addendum can be used here as well, fortunately. The means to implement this here would be pam_listfile.

Addendum 3: Be particularly careful with supplementary groups in LDAP. The situation can arise that a user is being logged in with the UID and GID as stored in passwd on the client, but with supplementary groups as given in LDAP. Yes, it's getting more and more crazy. So, the pam_listfile workaround mentioned above should always consider the primary group.

In conclusion, I think this is a bug.

Lasse Kliemann
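A check for the username collisions the post describes, as an added example that is not part of the original post: a POSIX shell function that compares the local passwd database with the LDAP one and lists every username present in both, together with the two differing UIDs. The sample data below is constructed and stands in for the output of `getent -s files passwd` and `getent -s ldap passwd`; with nss-ldapd it does not matter which order nsswitch.conf uses, because the per-source lookups bypass it.

```shell
#!/bin/sh
# Added example, not from the original post.
# find_collisions LOCAL_FILE LDAP_FILE
#   Both files hold passwd(5)-format lines (name:x:uid:gid:gecos:home:shell).
#   Prints "name local_uid ldap_uid" for every username that exists in both
#   sources; these are exactly the accounts whose LDAP password could unlock
#   the local account under the "files ldap" order.
find_collisions() {
    awk -F: '
        FILENAME == ARGV[1] { local_uid[$1] = $3; next }   # local users
        ($1 in local_uid)   { print $1, local_uid[$1], $3 } # LDAP user that collides
    ' "$1" "$2"
}

# collision_count LOCAL_FILE LDAP_FILE -> number of colliding usernames
collision_count() {
    find_collisions "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample data (real run: getent -s files passwd > local.txt,
# getent -s ldap passwd > ldap.txt, then find_collisions local.txt ldap.txt).
LOCAL_PASSWD=$(mktemp)
LDAP_PASSWD=$(mktemp)
trap 'rm -f "$LOCAL_PASSWD" "$LDAP_PASSWD"' EXIT

cat > "$LOCAL_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice Local:/home/alice:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
EOF

cat > "$LDAP_PASSWD" <<'EOF'
alice:x:20001:20000:Alice LDAP:/home/alice:/bin/bash
bob:x:20002:20000:Bob LDAP:/home/bob:/bin/bash
EOF

# Only "alice" exists in both sources; root and www-data are local-only,
# bob is LDAP-only.
find_collisions "$LOCAL_PASSWD" "$LDAP_PASSWD"
```

A non-empty result is a finding to act on before enabling LDAP auth on that host; running the same comparison against `getent -s files group` and `getent -s ldap group` covers the group-name collisions from Addendum 3.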
