2

I want to manage users locally on an RHEL 9 system. I want to create, delete, associate with groups all locally. However I want their password to be validated against LDAP. If they don't exists in ldap, that is OK and they should authenticate using local files authentication. I don't want it to create a user or grant access if the user does not exists in the local /etc/passwd file.

What I don't want is an integration that joins the system to a domain or retrieves groups from ldap or even requires an ldap user to be defined to be logged in. All I want is password verification if a local user exists in ldap.

Surely this is possible but so far I have been driven to sssd like it is the only solution and I have yet to get that to work the way I want it to. Assistance would be greatly appreciated.

Paul Lemmons
  • 21

1 Answers1

2

Any PAM module capable of talking to AD would do the job, as long as you configure only PAM and not /etc/nsswitch.conf1. PAM is what handles authentication checks; nsswitch is what retrieves user information.

The choice of PAM module doesn't matter much; you'd integrate any of them into PAM in exactly the same way. Either SSSD (pam_sss) or Nslcd (the "new" pam_ldap) could be used.

Personally I would use pam_krb5, as Kerberos is the actual authentication protocol that AD uses (whereas verifying passwords against LDAP is a bit like verifying passwords against FTP), but, admittedly, Kerberos does have an additional requirement of creating a computer account via 'adcli' and getting a host keytab (i.e. the central part of a "domain join") so that might not be acceptable to you depending on situation.

Similarly, even Samba's pam_winbind would work too, though it requires a full domain join and is definitely overkill here, but the core concept remains the same. (That is, you could go through RHEL's full domain join procedure and follow up by disabling AD in nsswitch.conf – leaving only PAM – and you'll have the desired result.)

1 (That is, you want the complete opposite of the 'accepted' answer in the other thread that Greg has linked to.)

grawity
  • 17,092