集成SSH和AD的账号验证

依赖软件包

• libnss-ldap 比 libnss-ldapd 旧
• libpam-ldap 比 libpam-ldapd 旧

如何取uid和gid

AD可以启用unix扩展属性，提供兼容的uid。
但是不知道自家AD是否启用了unix扩展属性，与其花时间弄清不如选择无视(知道也没用)。
目标是，以AD登录的用户，拥有独立且唯一的uid，且不依赖AD的扩展属性。

依赖新版本支持map SIDs的 nslcd(> 0.8.13)，
这段脚本获取自家AD的UID，取前部分作为uidNumber，具体实现如下，

1. 在自家AD找一个 objectSid

   ldapsearch -h 10.x.x.x ...(略) | grep objectSid
   Enter LDAP Password: 
   objectSid:: AQUAAAAAAAUVAAAAy4aPm+luzXZjPP0FxykAAA==
   

2. objectSid 代入脚本后执行，得到一个新的 ID，输出类似于，注意高亮的部分
   #S-1-5-21-1391733952-3059161487-124544123#-12345
#S-1-5-21-2609874635-1993174761-100482147#-67890

   #!/bin/bash
   
   # Base-64 encoded objectSid
   OBJECT_ID="AQUAAAAAAAUVAAAAPWW1S5rojK4mDAiG5BAAAA=="
   
   # Decode it, hex-dump it and store it in an array
   G=($(echo -n $OBJECT_ID | base64 -d -i | hexdump -v -e '1/1 " %02X"'))
   
   # SID in HEX
   # SID_HEX=${G[0]}-${G[1]}-${G[2]}${G[3]}${G[4]}${G[5]}${G[6]}${G[7]}-${G[8]}${G[9]}${G[10]}${G[11]}-${G[12]}${G[13]}${G[14]}${G[15]}-${G[16]}${G[17]}${G[18]}${G[19]}-${G[20]}${G[21]}${G[22]}${G[23]}-${G[24]}${G[25]}${G[26]}${G[27]}${G[28]}
   
   # SID Structure: https://technet.microsoft.com/en-us/library/cc962011.aspx
   # LESA = Little Endian Sub Authority
   # BESA = Big Endian Sub Authority
   # LERID = Little Endian Relative ID
   # BERID = Big Endian Relative ID
   
   BESA2=${G[8]}${G[9]}${G[10]}${G[11]}
   BESA3=${G[12]}${G[13]}${G[14]}${G[15]}
   BESA4=${G[16]}${G[17]}${G[18]}${G[19]}
   BESA5=${G[20]}${G[21]}${G[22]}${G[23]}
   BERID=${G[24]}${G[25]}${G[26]}${G[27]}${G[28]}
   
   LESA1=${G[2]}${G[3]}${G[4]}${G[5]}${G[6]}${G[7]}
   LESA2=${BESA2:6:2}${BESA2:4:2}${BESA2:2:2}${BESA2:0:2}
   LESA3=${BESA3:6:2}${BESA3:4:2}${BESA3:2:2}${BESA3:0:2}
   LESA4=${BESA4:6:2}${BESA4:4:2}${BESA4:2:2}${BESA4:0:2}
   LESA5=${BESA5:6:2}${BESA5:4:2}${BESA5:2:2}${BESA5:0:2}
   LERID=${BERID:6:2}${BERID:4:2}${BERID:2:2}${BERID:0:2}
   
   LE_SID_HEX=${LESA1}-${LESA2}-${LESA3}-${LESA4}-${LESA5}-${LERID}
   
   # Initial SID value which is used to construct actual SID
   SID="S-1"
   
   # Convert LE_SID_HEX to decimal values and append it to SID as a string
   IFS='-' read -ra ADDR <<< "${LE_SID_HEX}"
   for OBJECT in "${ADDR[@]}"; do
     SID=${SID}-$((16#${OBJECT}))
   done
   
   echo ${SID}
   

3. 将最后一个分割符(-)之前的字符串，作为 uidNumber 的参数值

   ##################################### S-1-5-21-2609874635-1993174761-100482147-67890
   #map   passwd uidNumber     objectSid:S-1-5-21-2609874635-1993174761-100482147
   #map   passwd gidNumber     objectSid:S-1-5-21-2609874635-1993174761-100482147
   #map    group gidNumber     objectSid:S-1-5-21-2609874635-1993174761-100482147
   # grep uidNumber /etc/nslcd.conf
   #                                     S-1-5-21-1391733952-3059161487-124544123-12345
   map    passwd uidNumber     objectSid:S-1-5-21-1391733952-3059161487-124544123
   map    passwd gidNumber     objectSid:S-1-5-21-1391733952-3059161487-124544123
   map     group gidNumber     objectSid:S-1-5-21-1391733952-3059161487-124544123
   

4. 就OK了

   root@nj-lab-2-it:~# id svn
   uid=10695(svn) gid=10695 groups=10695,24905(U_EFSS_CN),52536(U_SBC_RSI_ALLOW)