Is it possible to use an alternate home directory and not the system /etc/passwd file?
I’ve got the server configured for single sign on with OpenID Connect and I’d like
to not have to define the users in the passwd file. I tried enabling UserDir in userdir.conf
but it still uses the system. I’m open to a simple mapping, using ldap or even dbm.
If all you want is LDAP, FreeIPA might be overkill. The underlying LDAP in FreeIPA is 389DS from RedHat which you can deploy by itself. 389 Directory Server - Documentation. 389DS does have a graphical UI component but it also behaves like standard LDAP so can be configured with cn=config changes.
Where is the OpenID Connect identities coming from? Generally the thing doing OpenID Connect would also be the thing defining home directories unless you are doing SSO from some external identity provider that isn’t local. At OSC our OIDC setup uses Keycloak which allows SSO via our local LDAP so Keycloak and the underlying host all have access to the same LDAP data.
If the usernames from your OIDC match local LDAP user names, then you will need to configure the local identity stack on OnDemand host to look at LDAP so it can map usernames to home directories. I’d recommend SSSD.
Once SSSD is configured, start the service via systemctl start sssd. If it’s not already installed, will of course have to install and it should be available in OS repos as most major distros support SSSD.
It’s worth noting we have a lot of custom schemas added which is why we use rfc2307bis and 389ds configs as we added those schemas to expand what we could do with OpenLDAP.
mod_userdir is intended to be used to allow people to access a user’s home directory via web browser so that many users could easily share their home directory contents via Apache. It won’t help with OnDemand I don’t think since OnDemand is asking the Linux host for the home directory value so the Linux host, not just Apache, needs to be aware of the home directory path.
Depending on the path, you could setup SSSD to map the home directory:
override_homedir = /home/%u
If the home directory is the above pattern, then you could setup SSSD to map but the SSSD service still needs to be told what users exist so the Linux host knows which users exist would get you back to either using /etc/passwd or LDAP. Also with OnDemand the UID/$HOME/etc used on the OnDemand host must match those values used on the compute nodes since it’s expected the home directory on the OnDemand host is also accessible for compute nodes and with things like Slurm and likely other schedulers, the usernames and UIDs between those various systems must all match so either you’d be making /etc/passwd updates to OnDemand and the HPC cluster or using LDAP to keep both sides in sync.