Ldap – Filter LDAP user through PAM so it appears to not exist at all

Tags: ansible, centos7, ldap, pam, sssd

In our corporate environment long ago some wiz decided to put the user "mysql" into LDAP.

The account is disabled:

$ sudo su - mysql
This account is currently not available.

…but its id still exists:

$ id mysql
uid=2050913(mysql) gid=867(ENG) groups=867(ENG)

This makes mariadb installations fail on CentOS7 because /var/run/mariadb is created by a tmpfile rule which tries to assign the directory to be owned by mysql. But mysql doesn't exist until LDAP/networking is up and running, and the mariadb install doesn't create the mysql user because the user already exists in ldap.

Is there a way to locally force PAM (or something?) to ignore the user mysql in LDAP? Or rename the ldap mysql user to mysql_ldap?

Is my only workaround to manually add the entry in /etc/passwd? (Or change the mariadb config to use different username.) I'd rather have minimal changes to the config and systemd files that come from the rpm.

(And I don't have high hopes of removing mysql from LDAP as that could break a lot of legacy infrastructure.)

I'll be using ansible, btw, to implement the change.

Additional:

I've changed the title of the question:

I have found that if I do add the local "mysql" user that it works ok, unless I have files owned by the userid of the LDAP "mysql" user. If I ls -la the files, it then pollutes the nscd (or sssd) cache and "mysql" again resolves to the LDAP user. It seems what I really want is to somehow construct a PAM filter for accounts to make this LDAP "mysql" user disappear.

Best Answer

Here's my final solution, coded in ansible:

# filter_ldap_users and filter_ldap_groups are lists of names (defined as
# variables elsewhere in the play) that the sss NSS source must not return.
- name: Disable ldap users
  ini_file:
    dest: /etc/sssd/sssd.conf
    section: nss
    option: filter_users
    value: "{{ filter_ldap_users | join(',') }}"
  register: sssd_conf_users

- name: Disable ldap groups
  ini_file:
    dest: /etc/sssd/sssd.conf
    section: nss
    option: filter_groups
    value: "{{ filter_ldap_groups | join(',') }}"
  register: sssd_conf_groups

# sssd only re-reads its configuration on restart; the cached entries for the
# filtered names must then be dropped from both nscd and sssd.
- name: Restart SSSD
  when: sssd_conf_users.changed or sssd_conf_groups.changed
  service:
    name: sssd
    state: restarted

- name: Flush NSCD cache
  when: sssd_conf_users.changed or sssd_conf_groups.changed
  shell: "for db in /var/db/nscd/*; do nscd -i $(basename $db); done"

- name: Flush SSSD cache
  when: sssd_conf_users.changed or sssd_conf_groups.changed
  command: /usr/sbin/sss_cache -E
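As an added example (not part of the answer above and not from the sssd project), the following POSIX shell script does by hand what the playbook's ini_file tasks do: it merges a name into filter_users or filter_groups in the [nss] section of an sssd.conf copy, keeping entries that are already listed (sssd's documented default for filter_users is root, so overwriting the list from a variable that omits root would silently stop filtering it), and it reports whether a name resolves from /etc/passwd or from some other NSS source, which is the check for the cache-pollution symptom described in the question. The sample configuration and passwd line are constructed, and the file paths passed as arguments are assumptions.

```shell
#!/bin/sh
# Added example: manage [nss] filter lists in an sssd.conf and verify where a
# user name resolves from. Arguments (config path, passwd file) are assumptions.

# Print the value of KEY in the [nss] section of CONF (empty if not set).
nss_filter_get() {
    conf=$1; key=$2
    awk -v key="$key" '
        /^\[/ { in_nss = ($0 == "[nss]"); next }
        in_nss && $0 ~ "^[ \t]*" key "[ \t]*=" {
            sub("^[^=]*=[ \t]*", ""); print; exit
        }' "$conf"
}

# Idempotently add NAME to KEY (filter_users or filter_groups) in [nss].
# Existing entries are preserved; the section is created if it is missing.
nss_filter_add() {
    conf=$1; key=$2; name=$3
    current=$(nss_filter_get "$conf" "$key")
    case ",$current," in
        *",$name,"*) return 0 ;;    # already filtered, nothing to change
    esac
    if [ -n "$current" ]; then new="$current,$name"; else new="$name"; fi
    tmp=$(mktemp)
    awk -v key="$key" -v val="$new" '
        /^\[/ {
            # leaving [nss] without having written the key: insert it here
            if (in_nss && !done) { print key " = " val; done = 1 }
            in_nss = ($0 == "[nss]"); seen_nss = seen_nss || in_nss
        }
        in_nss && $0 ~ "^[ \t]*" key "[ \t]*=" { print key " = " val; done = 1; next }
        { print }
        END {
            if (!seen_nss) { print ""; print "[nss]" }
            if (!done) { print key " = " val }
        }' "$conf" > "$tmp" && cat "$tmp" > "$conf"   # cat keeps owner/mode
    rm -f "$tmp"
}

# Report the NSS source of a user: "local" when present in the passwd file,
# "remote" when getent resolves it from another source (e.g. sss), else "none".
user_source() {
    name=$1; passwd_file=${2:-/etc/passwd}
    if grep -q "^$name:" "$passwd_file"; then
        echo local
    elif command -v getent >/dev/null 2>&1 && getent passwd "$name" >/dev/null 2>&1; then
        echo remote
    else
        echo none
    fi
}

# Constructed demonstration (no real host configuration is touched).
demo() {
    conf_copy=$(mktemp)
    printf '%s\n' '[sssd]' 'services = nss, pam' 'domains = example' '' \
        '[nss]' 'filter_users = root' '' \
        '[domain/example]' 'id_provider = ldap' > "$conf_copy"
    nss_filter_add "$conf_copy" filter_users mysql
    nss_filter_add "$conf_copy" filter_groups ENG
    nss_filter_get "$conf_copy" filter_users     # -> root,mysql
    nss_filter_get "$conf_copy" filter_groups    # -> ENG
    rm -f "$conf_copy"
}
```

After applying such a change to the real /etc/sssd/sssd.conf, the same three steps as in the answer's last tasks still apply: restart sssd, then invalidate nscd (nscd -i passwd, nscd -i group) and the sssd cache (sss_cache -E); until then a stat of a file owned by the LDAP uid can still repopulate the caches with the old mapping. Writing the result back with cat rather than mv keeps the file's existing owner and mode, which sssd checks at start.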