Filter LDAP user through PAM so it appears to not exist at all

Solution 1:

Here's my final solution, coded in ansible:

- name: Disable ldap users                                                  
  ini_file: dest=/etc/sssd/sssd.conf section='nss' 
            option=filter_users value={{ filter_ldap_users | join(",") }}
  register: sssd_conf_users                                                   

- name: Disable ldap groups                                                 
  ini_file: dest=/etc/sssd/sssd.conf section='nss' 
            option=filter_groups value={{ filter_ldap_groups | join(",") }}
  register: sssd_conf_groups                                                  

- name: Restart SSSD                                                        
  when: sssd_conf_users.changed or sssd_conf_groups.changed                   
  service: name=sssd state=restarted                                          

- name: Flush NSCD cache                                                    
  when: sssd_conf_users.changed or sssd_conf_groups.changed                   
  shell: "for db in /var/db/nscd/*; do nscd -i $(basename $db); done"         

- name: Flush SSSD cache                                                     
  when: sssd_conf_users.changed or sssd_conf_groups.changed                   
  command: /usr/sbin/sss_cache -E        

Solution 2:

On PAM level:
All you need is to ignore a user in LDAP. So, set up the particular LDAP client you're using, In CentOS it would be sssd, to use a custom LDAP UID/GID lookup fileters which will ignore the "mysql" record. On an existing system you will have to then clean sssd cache and restart it and the user will be gone. Reinstallation of mariadb will then create a local mysql user.

On package level:
Set up a custom Yum repo somewhere on the network that will include a package that contains a post-install script, fixing the mysql user problem. You'll also have to put the mariadb package in that repo. Then, define a package group which will include that package and mariadb and install it.
Alternatively, you could rebuild the mariaDB package with an updated, more intelligent post-install script that will take care of the mysql user creation.

I'd go with A - B is somewhat obfuscated :)

Solution 3:

Here's something I'm using currently as a workaround. I've added this to my kickstart file to run at %post -- before I enable/setup LDAP:

# Install and de-install mariadb-server to create mysql
# user before LDAP is enabled.
yum -d1 -e1 -y install yum-plugin-remove-with-leaves mariadb-server
yum -d1 -e1 -y erase mariadb-server --remove-leaves

I was going to run the useradd manually from having read the mariadb-server spec file: http://pkgs.fedoraproject.org/cgit/mariadb.git/tree/mariadb.spec

%pre server
/usr/sbin/groupadd -g 27 -o -r mysql >/dev/null 2>&1 || :
/usr/sbin/useradd -M -N -g mysql -o -r -d %{mysqluserhome} -s /sbin/nologin \
  -c "MySQL Server" -u 27 mysql >/dev/null 2>&1 || :

...but I'm more comfortable taking it straight from installing the rpm.

I'm not completely satisfied with this as well because if I happen to find a file with the ldap "mysql" userid, the reverse lookup on the user id pollutes nscd or sssd with the wrong "mysql" user.

Solution 4:

I would actually suggest to add:

filter_users = mysql
filter_groups = mysql

To the [nss] section of sssd.conf instead of customizing the LDAP filter. It should do the same thing, except that when you use the LDAP filter way, the searches still hit the LDAP server, just don't match.

In contrast, the filter_users/filter_groups would enter the mysql user into the negative cache of SSSD, which would return "Not found" directly from the NSS responder, without going to the sssd_be process and the LDAP server.