[systemd-devel] Some questions on userdbd and providing a compatible service
killermoehre at gmx.net
killermoehre at gmx.net
Thu Nov 24 10:05:08 UTC 2022
> Am 24.11.2022 um 00:58 schrieb Dominik George <nik at naturalnet.de>:
>
> Hi,
>
> for some time now, I have been investigating how to best make a
> desktop system talk to a web API (HTTP, REST) for user management, so
> NSS and PAM make HTTP requests to an API to verify authentication
> (using OIDC) and to retrieve NIS information (using REST endpoints).
>
> One of the approaches I am evaluating involves systemd-userdbd,
> because it seems to be designed with extensibility with modular
> service implementations in mind.
>
> Right now, I have a few questions concerning its architecture and use:
>
> * Why was Varlink chosen over D-Bus, given that most other parts of
> systemd seem to talk D-Bus?
>
> * How does protection of privileged fields work? In a different
> approach (using my own gRPC-based protocol), I used peer
> credentials on the UNIX socket for authorisation, but it seems this
> should break with userdbd when going through the
> multipelxer. However, I see "Warning: lacking rights to acquire
> privileged fields of user record of 'testnik', output incomplete."
> when I try to inspect another user as an unprivileged user. How
> does userdbd determine that?
>
> * userdbd only helps for user information, i.e. for providing data to
> NSS through a decoupled interface. I would need to do the same for
> PAM, but intil now, I could not find an existing standard for
> verifying credentials. Was that just not done yet, or is there a
> design decision that userdbd should not offer methods for
> authentication? I see that systemd-homed implements its own API
> through D-Bus…
>
> * Ultimately, I would like to retrieve and store an OAuth token on
> user login. It would somehow be a good fit for the "secret" section
> of the User Record, but the fields allowed in it seem to be
> static. Are there any ideas around here where such a token could be
> stored during the user session?
>
> Thanks for your help,
> Nik
Hi Nik,
IMHO your best solution would be to use https://sssd.io/ and https://www.keycloak.org/ to bundle your systems together.
Keycloak would speak to your OIDC provider and translates the information in something sssd can understand. sssd than is put into your nsswitch.conf as provider for users, groups, etc.
HTH
Silvio
More information about the systemd-devel
mailing list