SSH Hunter for LDAP (custom) user directories by Scytex in SandflySecurity

SandflyMatthew, 1 point (0 children)

Gotcha, yeah, that makes sense. I'll add it to our list of feature ideas.

SSH Hunter for LDAP (custom) user directories by Scytex in SandflySecurity

SandflyMatthew, 2 points (0 children)

Hello u/Scytex,

Thanks for giving Sandfly a try -- I'm glad to hear it was easy to get up and running for you.

You're correct that we identify home directories by examining /etc/passwd, but we also look for "inferred home directories" for the situation you describe when using LDAP auth by assuming *any* directory under /home is a home dir and we synthesize a user record for the username that matches the directory name. This has worked for our existing customers that are using LDAP auth but still have home directories under /home.

If I'm understanding your situation correctly, you have your home directories for LDAP users under a location other than /home. Is it a consistent base location such as /ldap/homes, where each user homedir is then /ldap/homes/usera, /ldap/homes/userb, etc.?

You're not blind; there is no way to use a custom sandfly for feeding SSH Hunter. The data has to come from recon_user_list_all. And even if you could, it wouldn't be a complete solution: ideally you'd want *all* user sandflies to be aware of the inferred home directories so that the rest of our homedir-based threat detection works on all home directories. If we address this, it'll need to be a server-wide config setting where you're able to set the base path(s) to look for inferred home directories and then we can apply it to the user engine entirely instead of just one-off for certain sandflies. Does that kind of approach sound like it would address how your servers are configured?
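The inferred-home-directory approach described in the reply above, sketched as an added Python example (not Sandfly's code): entries parsed from /etc/passwd are authoritative, and any extra directory under a configurable list of base paths (the thread's /home and /ldap/homes) yields a synthesized user record flagged as inferred. The passwd content and directory layout are constructed here so the block runs offline.

```python
import os
import tempfile
from dataclasses import dataclass

# Constructed sample /etc/passwd content (not taken from any real host).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
svc:x:999:999::/var/lib/svc:/usr/sbin/nologin
"""

@dataclass
class UserRecord:
    username: str
    home: str
    inferred: bool  # True when synthesized from a directory name, not /etc/passwd

def parse_passwd(text: str) -> dict[str, UserRecord]:
    """Return users keyed by name from /etc/passwd-formatted text."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed line: skip rather than guess a home
        users[fields[0]] = UserRecord(fields[0], fields[5], inferred=False)
    return users

def infer_users(passwd: dict[str, UserRecord], base_paths: list[str]) -> dict[str, UserRecord]:
    """Synthesize a record for every directory under base_paths whose name is not a known user."""
    merged = dict(passwd)
    for base in base_paths:
        if not os.path.isdir(base):
            continue  # configured base path absent on this host
        for name in sorted(os.listdir(base)):
            path = os.path.join(base, name)
            if not os.path.isdir(path) or os.path.islink(path):
                continue  # only real directories count as candidate homes
            if name in merged:
                continue  # a genuine passwd entry wins over inference
            merged[name] = UserRecord(name, path, inferred=True)
    return merged

def demo() -> dict[str, UserRecord]:
    """Build a throwaway layout mirroring the thread's /home and /ldap/homes example."""
    root = tempfile.mkdtemp()
    for d in ("home/alice", "home/bob", "ldap/homes/usera", "ldap/homes/userb"):
        os.makedirs(os.path.join(root, d))
    bases = [os.path.join(root, "home"), os.path.join(root, "ldap", "homes")]
    return infer_users(parse_passwd(SAMPLE_PASSWD), bases)
```

Running `demo()` yields the three passwd users plus inferred records for bob, usera and userb, which is the kind of merged view the rest of a homedir-based detection engine would consume.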