How to handle centralized user authentication without LDAP?

I'm attempting to create a centralized database for my users for my server and web access, so that I can allow those users to log in through ssh if they have access, and through my web services to view their account and system information.

I've read about LDAP, but I want to be able to manage the users in a different database such as PostgreSQL so I can more easily tie the database into my web services, and control the SQL migrations and schemas if I need more user details.

I looked into something like Puppet, but it's a little too much for what I'm looking to do, and I don't need to manage multiple servers at the moment. I tried to research how Puppet handles server user auth but I didn't find too much information.

My question: Is there a way to create a centralized database of user information in something other than LDAP, such as Postgres, that I can use to authenticate ssh and web users against?


Yes.

System authentication on Linux and UNIX systems has been through PAM, Pluggable Authentication Modules, for decades.

The PAM principle is that if you want to use a new authentication back-end you don't need to recompile all applications that use authentication, such as system auth, ssh, ftp, telnet, sudo, etc. Simply load the correct module and everything that uses PAM can automatically use the new authentication back-end.

So if your applications use PAM (and many, many do) and there either already exists or you can create a PAM module for your alternate user/authentication store, you're done.

pam-pgsql is one such PAM module that uses a table in a PostgreSQL database. That would make integration with a web application easy as well, or you could use the PAM integration of your web server for authenticated access.

In addition some applications have native integration with database backends, outside of PAM.
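As an added illustration of the pam-pgsql route described in this answer (not from the original post or from the pam-pgsql project), here is the shape of the two configuration fragments involved. The database name, role, table and column names are placeholders; the configuration key names are recalled from the pam-pgsql documentation and should be checked against the version you install.

```conf
# /etc/pam_pgsql.conf  (hypothetical values; key names as recalled from the
# pam-pgsql README, verify against your installed version)

# Use a dedicated, read-only database role for the PAM module, not the web
# application's role, and keep this file root-only (mode 0600) since it
# holds the database password. sslmode=require is a libpq connection option.
connect    = dbname=accounts user=pam_auth password=CHANGE_ME host=127.0.0.1 sslmode=require

# %u is replaced by the login name; the query must return the stored
# credential for exactly one row.
auth_query = select password from users where username = %u and enabled

# Weak setting: plaintext passwords in the table, readable by anyone with
# SELECT on it (including the web application's role).
# pw_type  = clear
# Corrected: store crypt(3) hashes and let the module compare them.
pw_type    = crypt
debug      = 0

# /etc/pam.d/sshd (excerpt): try the PostgreSQL table first and fall back
# to local /etc/shadow accounts, so a database outage cannot lock out
# administrators. use_first_pass stops pam_unix prompting a second time.
auth      sufficient  pam_pgsql.so
auth      required    pam_unix.so use_first_pass
account   sufficient  pam_pgsql.so
account   required    pam_unix.so
```

sshd must be running with `UsePAM yes`, and it still resolves the login name through getpwnam(), so the second answer's point applies: without an NSS backend for the same database, the account must also exist in /etc/passwd.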


LDAP really does three things on Linux machines:

Authentication:

This is the realm of PAM; it's using username/password to verify that the user is the user.

Authorization:

Here is where PAM doesn't meet the need; PAM is on/off, you either get approval or you don't. Authorization is about group membership.

Attributes:

Where's your home directory? What's your name?

The last two items are handled by NSS backends. If you look in /etc/nsswitch.conf you'll find that it uses standard backends to convert system calls to LDAP lookups.

If you don't want to use LDAP, then you'll need to use a different version of the NSS plugin libraries that support the database you want to use. Some of these exist, but you're reinventing a rather large wheel.

As far as Puppet goes, it uses SSL certs for client authentication, somewhat similar to the way in which ssh does.