How to handle centralized user authentication without LDAP?

user-management ldap pam nss

I'm attempting to create a centralized database for my users for my server and web accesses, so that I can allow those users to log in through ssh if they have access, and through my web services to view their account and system information.

I've read about LDAP, but I want to be able to manage the users in a different database such as Postgresql so I can more easily tie the database into my web services, and control the SQL migrations and schemas if I need more user details.

I looked into something like Puppet, but it's a little too much for what I'm looking to do, and I don't need to manage multiple servers at the moment. I tried to research how Puppet handles server user auth but I didn't find too much information.

My question: Is there a way to create a centralized database of user information in something other than LDAP, such as Postgres, that I can use to authenticate ssh and web users against?


Yes.

System authentication on Linux and UNIX systems has been through the PAM, Pluggable Authentication Modules for decades.

The PAM principle is that if you want to use a new authentication back-end you don't need to recompile all applications that use authentication such system auth, ssh, ftp, telnet sudo etc. Simple load the correct module and everything that uses PAM can automatically use the new authentication back-end.

So if your applications use PAM (and many, many do) and there either already exists or you can create a PAM module for your alternate user/authentication store you're done.

pam-pgsql is one such PAM modules that uses a table in a PostGres SQL database. That would make integration with web application easy as well, or you could use the PAM integration of your webserver as well for authenticated access.

In addition some applications have native integration with database backends, outside of PAM.


LDAP really does three things on linux machines:

Authentication:

This is the realm of PAM, it's using username/password to verify that the user is the user.

Authorization:

Here is where PAM doesn't meet the need, PAM is on/off, you either get approval or you don't. Authorization is about group membership.

Attributes:

Where's your home directory? What's your name?

The last two items are handled by nss backends. If you look in /etc/nsswitch.conf you'll find that it uses standard backends to convert system calls to ldap lookups.

If you don't want to use LDAP, then you'll need to use a different version of the nss plugin libraries that support the database you want to use. Some of these exist, but you're reinventing a rather large wheel.

As far as puppet goes, it uses ssl certs for client authentication. Somewhat similar in the way in which ssh does.

Related

Alternative to multiple WordPress installs (and not using WordPress-mu)
RHEL: Errata Explained
How to log commands/logins in linux?
554+5.2.0+STOREDRV.Submission.Exception:SendAsDeniedException in IIS SMTP Relay When Scanning to Email from a Sharp MX-M364N
Smart UPS 2200 question
Nginx HHVM Wordpress issue with PHP Execution in one intermediate subdirectory
Puppet - Any way to copy predefined custom configuration files for software on clients from the puppet master (host)?
using correct number of DIMMS for best memory performance Intel Xeon scalable cpu
Proxy URL to different port via Lighttpd
IIS 7 - 401.2 error by hostname but not by IP address
IP addresses and geographical locations
NetScaler Gateway for MAC is not connecting correctly: Protocoll shows "AGAS: Failed to initialise ssl vpn plugin"