My organization has to get rid of their ldap servers, so I am facing the task of replacing it's functionality. To make this as customizable and future-proof as I can, I am looking for something that can run on any webserver, so in the future could be reimplemented in nginx, apache2 or whatever using anything from from php to js.
So far I have found a replacement for pam: The pam_oauth2.so module by quarxConnect queries a custom oauth2 implementation, that can be setup to pull it's data from anywhere.
This works quite nicely as a drop-in replacement for pam_sss.so in the pam configuration.
It doesn't however replace ldap in nss or autofs. autofs could be solved on the file servers side, but I couldn't find anything for nss.
I am really grasping at straws now, to the point where I have considered making the /etc/passwd and /etc/groups files sockets to a program, which queries the required data from a webAPI and constructs a file on-the-fly. I have no experience on how to implement that though, and it seems like a stupid solution frankly. sssd appears to do the same thing, but it can somehow detect which user's info is needed, so only construct that line.
If someone could point me to some documentation on how to build a module for nss, that would be great too. I couldn't find what calls such a module would have to answer and how I could call it from nss (nsswitch.conf uses aliases of some sort, not paths or filenames to some dir, from what I can tell).
I am fairly deep down this weird road, but am open to entierly different replacement approaches as well. Even something weird like a web-server implementation of an ldap-server which talks ldap to clients but pulls it's data from wherever. I'd prefer a simpler protocoll though.
userPassword), but it doesn't have to be. Is the intent just to get away from LDAP as an authentication source? Or is your organization trying to get out of the business of running a directory altogether?