Linux Pam-ldap authentication with multiple bases


I'm managing a Linux CentOS system that works as a fileserver (and more) - accessed through SSH.

For the purposes of authentication, we are using pam-ldap with the company LDAP server. User creation and group membership is managed on the Linux system.

When a user logs in, the authentication will be handled by pam-ldap. Currently, we have configured pam-ldap to search only in the country-specific part of the LDAP server when looking up a user. We have then handled anyone outside the country by creating a local user account for them.

However, we have seen an increasing number of out-of-country colleagues needing access to the server. The problem with using the local users is that they need special handling to enforce the password strength and change rules that we get automatically with the LDAP authentication.

Today, we use an LDAP base similar to this:

c=us,ou=auth,o=company.tld

For out-of-country colleagues, the base would need to be slightly different, e.g.:

c=uk,ou=auth,o=company.tld

Unfortunately, we cannot simply remove the country component of the base, because the logins we use today are only unique within a country.

For each login, we know the proper base to use, but it is not clear to me how we would (automatically) feed this information into the authentication process.

Can this be done?

Thanks


There are 0 answers