Implement username extraction mechanism using regular expressions #42
Commits on Jan 7, 2021
-
Implement username extraction mechanism using regular expressions
The implemented functionality allows extracting LDAP usernames from usernames supplied to PAM. The regular expression-based mechanism provides a simple but efficient technique to use prefixes and/or suffixes to distinguish local and LDAP users preventing username clashes. For example, there is a local UNIX user account johndoe. The same user has a corporate LDAP account uid=johndoe,cn=users,dc=domain,dc=net. The following configuration allows this user to log in with a local account johndoe - in this case, pam_unix handles the authentication and pam_ldap is skipped on success. At the same time, [email protected] won't be authenticated by pam_unix, so that pam_ldap will extract the username using the regular expression ^(.*)@domain.net$ and try to authenticate johndoe against the LDAP server. Also, in this example, we use Google Authenticator based 2fa authentication for both local and LDAP users. auth [success=1 default=ignore] pam_unix.so auth requisite pam_ldap.so use_first_pass [extract_username=/^(.*)@domain.net$/] auth required pam_google_authenticator.so [authtok_prompt=Enter an authenticator app code.] Configuration options: extract_username=[0..9]/regex_pattern/[i] The first number specifies the regex capturing group to be used for username extraction. In some complex regex expressions with multiple groups, this allows to explicitly specify the group number needed. E.g. 2/^(EXT|EXTERNAL)\\(.*)$/ The number could be omitted, the default value is 1. The optional trailing flag 'i' indicates that the regex match will be case-insensitive. extract_username_required This flag indicates that successful extraction is mandatory to authenticate the user. Otherwise, if extraction fails, pam_ldap will try to authenticate the user with the originally provided username. Signed-off-by: Andriy Sharandakov <[email protected]>
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.