Old 02-19-2012, 12:37 PM   #1
Cyrolancer
Member
 
Registered: Jan 2012
Distribution: Debian
Posts: 52

Same username but different uids


Hello,

I am trying to implement a login system on one of my client's servers. There will be web access and console access for the same user.

For the web interface, I have built a PHP-MySQL based system. For the console login, I have implemented PAM-MySQL and NSS-MySQL to use my user database created by the web system.

My client requested me to do something different. They are going to use 2 domains, for example example1.com and example2.com. The person who can log in to example1.com will not log in to example2.com. A person can register to example1.com with a username of "cyro" and another person can also register to example2.com with "cyro". These users should be different, because they are registered under different domain names. But all users will be hosted in the same database with different user ids. For example, the cyro user of example1.com has a user id of 5000 and the cyro user of example2.com has a user id of 5500.

Is it possible to store the same username with different user ids and enable console access (using SSH) separately for both "cyro" accounts?

I know it sounds silly and as far as I know, Linux accounts don't work the way my client wants, but I just want to know the possibility. You can just say "it is impossible" and that would be OK for me.

Thanks
 
Old 02-19-2012, 02:11 PM   #2
T3RM1NVT0R
Senior Member
 
Registered: Dec 2010
Location: Internet
Distribution: Linux Mint, SLES, CentOS, Red Hat
Posts: 2,385


Hi Cyrolancer,

Interesting requirement from the client :-)

As I understand it, you have got two domains. One is example1.com and the other is example2.com. There is a common database which keeps a record of users from both domains. Now you want that users from example1.com should only be able to ssh/connect to the machines from example1.com and they should not have any access to machines from example2.com either via ssh or other methods. Is that correct?

It is not possible if Linux is using local authentication (/etc/passwd) because you cannot have two users with the same userid. I am pretty sure that you have configured your Linux to use the database which you have created for authentication. Am I right? If that is the case then you can make use of the mechanism that LDAP uses, that is identifying the user via distinguished name. Here is how it works:

I have created a user, say cyro, under the users container in example1.com. Then the dn for this user will be dn: cn=cyro,ou=users,ou=example1,o=com. Similarly, if I create another user with the same name under the users container in example2.com then his dn will be dn: cn=cyro,ou=users,ou=example2,o=com

The above is an example of how LDAP searches for users. I have no idea how you will implement that with your database. But this is one way you can achieve what you are looking for. Provided you make it work :-)
 
Old 02-19-2012, 02:28 PM   #3
Cyrolancer
Member
 
Registered: Jan 2012
Distribution: Debian
Posts: 52

Original Poster
Hello T3RM1NVT0R,

Thank you for your answer.

Quote:
As I understand it, you have got two domains. One is example1.com and the other is example2.com. There is a common database which keeps a record of users from both domains. Now you want that users from example1.com should only be able to ssh/connect to the machines from example1.com and they should not have any access to machines from example2.com either via ssh or other methods. Is that correct?
That is correct.

Quote:
It is not possible if Linux is using local authentication (/etc/passwd) because you cannot have two users with the same userid. I am pretty sure that you have configured your Linux to use the database which you have created for authentication. Am I right?
You are completely correct. I am using PAM-MySQL and NSS-MySQL to get user info from MySQL database, having unique UID, GID and username. In my client's case, UID and GID will be unique but username will not.

Quote:
If that is the case then you can make use of the mechanism that LDAP uses, that is identifying the user via distinguished name. Here is how it works:

I have created a user, say cyro, under the users container in example1.com. Then the dn for this user will be dn: cn=cyro,ou=users,ou=example1,o=com. Similarly, if I create another user with the same name under the users container in example2.com then his dn will be dn: cn=cyro,ou=users,ou=example2,o=com

The above is an example of how LDAP searches for users. I have no idea how you will implement that with your database. But this is one way you can achieve what you are looking for. Provided you make it work :-)
I have worked with LDAP before, using MySQL for the user database. Using the default Debian configuration, you need to set up a static DN for the PAM and NSS utilities. I don't know if it is possible to define:

if user is coming from example1.com
use ou=users,dc=example1,dc=com on ldap-server1
else if user is coming from example2.com
use ou=users,dc=example2,dc=com on ldap-server1
else
use mysql database

(Note that both LDAP connections go to ldap-server1.)

For me, LDAP is not simple to use. I know it is a high performance database for use with login systems. Even Active Directory from M$ uses an implementation of LDAP. I have managed several systems under one domain controller, but not 2 separate domains under Windows, and I don't know if PAM can handle such an implementation.
 
Old 02-20-2012, 01:22 PM   #4
T3RM1NVT0R
Senior Member
 
Registered: Dec 2010
Location: Internet
Distribution: Linux Mint, SLES, CentOS, Red Hat
Posts: 2,385


I gave some more thought to this scenario and it appears that it will not be possible to use the same username. Even if you think of LDAP contextless login, the system will still get confused as to which context's user to pick up.

Unless we have a mechanism in place that will ask the users to enter the full dn and then authenticate. Without that this does not look achievable because we are confusing the system as to which user to pick up.
 
Old 02-20-2012, 02:04 PM   #5
Cyrolancer
Member
 
Registered: Jan 2012
Distribution: Debian
Posts: 52

Original Poster
What about Kerberos authentication with LDAP? I think we can assign realms in the Kerberos method, but is it possible to log in to the same server using different realms? (I think different realms mean different users, but we can have the same username in these different realms. The users with the same username are not pointing to the same account.)

Sounds complicated. Hope I explained well.
 
Old 02-20-2012, 03:07 PM   #6
T3RM1NVT0R
Senior Member
 
Registered: Dec 2010
Location: Internet
Distribution: Linux Mint, SLES, CentOS, Red Hat
Posts: 2,385


A Kerberos realm is the same as a domain in Windows and a context in LDAP. And it is basically used to enhance security. How will that help in this scenario? As you said earlier, you are looking for something like this:

Quote:
As I understand it, you have got two domains. One is example1.com and the other is example2.com. There is a common database which keeps a record of users from both domains. Now you want that users from example1.com should only be able to ssh/connect to the machines from example1.com and they should not have any access to machines from example2.com either via ssh or other methods. Is that correct?
This will only be possible in the following scenarios:

1. You have separate databases for both domains.
2. If the above is not possible, then make the user type the username in the form of a dn. That is the only way I can think of if you want to differentiate two users in a common database.

The thing that is a challenge is how the system will uniquely identify the user on the network. I am not aware of any method other than the 2 I have mentioned above. Even if we somehow make the system perform a search for a particular user from the top level, it will still get confused when it comes to the username as to which one to pick, the one in users.example1.com or users.example2.com.
 
Old 02-20-2012, 03:37 PM   #7
Cyrolancer
Member
 
Registered: Jan 2012
Distribution: Debian
Posts: 52

Original Poster
I had thought setting up different realms could solve this issue. Still doing some research on it, but I have found nothing up to now, as you said. Maybe, somehow, we could set up an SSH login name as cyro@example1.com, then things would work.

According to my research on your suggestions, it is not possible to set multiple DNs for use in the pam-ldap module. Or is it possible somehow?
 
Old 02-21-2012, 06:10 AM   #8
Reuti
Senior Member
 
Registered: Dec 2004
Location: Marburg, Germany
Distribution: openSUSE 15.2
Posts: 1,339

Quote:
Originally Posted by T3RM1NVT0R View Post
It is not possible if Linux is using local authentication (/etc/passwd) because you cannot have two users with the same userid.
I don’t agree. This is possible and each of them can have his/her own home but they can also access/change the other user’s home due to the same uid.
 
Old 02-21-2012, 07:22 AM   #9
Reuti
Senior Member
 
Registered: Dec 2004
Location: Marburg, Germany
Distribution: openSUSE 15.2
Posts: 1,339

AFAICS there is at least a "where" clause for PAM-MySQL, and it looks like a custom query could be constructed for NSS-MySQL too. Then it should be possible to have an additional field in the database for the server (i.e. domain) to which an entry applies.
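A sketch of the scoped lookup Reuti suggests, as an added example that is not from the thread: a domain column alongside the passwd fields, a lookup query of the kind a PAM-MySQL where clause or NSS-MySQL custom query would carry, and a uniqueness constraint on the UID. It uses an in-memory sqlite table with constructed sample rows; the column names and the host_domain parameter are assumptions, not pam-mysql/nss-mysql configuration keys.

```python
import sqlite3

# Constructed sample directory: the same login name under two domains,
# each with its own UID (as in the OP's 5000/5500 example).
SAMPLE_USERS = [
    ("cyro", 5000, 5000, "/home/example1.com/cyro", "example1.com"),
    ("cyro", 5500, 5500, "/home/example2.com/cyro", "example2.com"),
    ("alice", 5001, 5001, "/home/example1.com/alice", "example1.com"),
]

def build_directory():
    """Create a passwd-style table. UNIQUE(uid) keeps numeric identities
    distinct; UNIQUE(username, domain) allows a login name once per domain."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""
        CREATE TABLE users (
            username TEXT    NOT NULL,
            uid      INTEGER NOT NULL UNIQUE,
            gid      INTEGER NOT NULL,
            homedir  TEXT    NOT NULL,
            domain   TEXT    NOT NULL,
            UNIQUE (username, domain)
        )""")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn

def getpwnam(conn, host_domain, username):
    """Scoped lookup: the query a backend on a host serving host_domain
    would run. Returns (uid, gid, homedir) or None. The domain predicate is
    what makes 'cyro' unambiguous."""
    return conn.execute(
        "SELECT uid, gid, homedir FROM users WHERE username = ? AND domain = ?",
        (username, host_domain)).fetchone()

def unscoped_matches(conn, username):
    """The same lookup without the domain predicate: for a shared login
    name it returns several UIDs, which is the ambiguity discussed above."""
    return [r[0] for r in conn.execute(
        "SELECT uid FROM users WHERE username = ? ORDER BY uid", (username,))]

def uid_is_taken(conn, uid):
    """True if a second account with this UID is rejected by the schema."""
    try:
        conn.execute("INSERT INTO users VALUES (?, ?, ?, ?, ?)",
                     ("dup", uid, uid, "/home/dup", "example2.com"))
    except sqlite3.IntegrityError:
        return True
    conn.execute("DELETE FROM users WHERE username = 'dup'")
    return False
```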
 
Old 02-21-2012, 01:45 PM   #10
T3RM1NVT0R
Senior Member
 
Registered: Dec 2010
Location: Internet
Distribution: Linux Mint, SLES, CentOS, Red Hat
Posts: 2,385


@ Reuti,

Quote:
I don’t agree. This is possible and each of them can have his/her own home but they can also access/change the other user’s home due to the same uid.
How can you do that? Are you talking about directly editing /etc/passwd? Or is there another way to do it? Even if that is possible, I do not see any point in confusing the system as to which id we want it to log the user in with. Here I am only talking about /etc/passwd authentication, with no other authentication method involved.
 
Old 02-21-2012, 02:11 PM   #11
Reuti
Senior Member
 
Registered: Dec 2004
Location: Marburg, Germany
Distribution: openSUSE 15.2
Posts: 1,339

Code:
# useradd -u 2222 -g 100 demo1
# useradd -o -u 2222 -g 100 demo2
# id demo1
uid=2222(demo1) gid=100(users) groups=100(users),16(dialout),33(video)
# id demo2
uid=2222(demo1) gid=100(users) groups=100(users),16(dialout),33(video)
When listing the user in ls -l or with the above id command, it will just show one of them. Nevertheless both have different home directories and different passwords.

But this won’t help the OP, as he wants the opposite.
 
Old 02-21-2012, 02:14 PM   #12
T3RM1NVT0R
Senior Member
 
Registered: Dec 2010
Location: Internet
Distribution: Linux Mint, SLES, CentOS, Red Hat
Posts: 2,385


Yes, the OP is asking for the same userid but a different UID. And I am not aware of a way of creating two users with the same userid.
 
Old 02-21-2012, 02:23 PM   #13
Reuti
Senior Member
 
Registered: Dec 2004
Location: Marburg, Germany
Distribution: openSUSE 15.2
Posts: 1,339

Obviously a misunderstanding: for me UID and userid are the same, hence my answer - the numerical identifier of the defined username. Also man useradd explains -u as setting the userid to the specified number.
 
Old 02-23-2012, 01:30 AM   #14
Cyrolancer
Member
 
Registered: Jan 2012
Distribution: Debian
Posts: 52

Original Poster
It seems the question is solved.

Thank you for the information you have provided.
 
  


