mirror of
https://git.openldap.org/openldap/openldap.git
synced 2024-12-21 03:10:25 +08:00
304 lines
10 KiB
Groff
304 lines
10 KiB
Groff
.TH SLAPO-NSSOV 5 "RELEASEDATE" "OpenLDAP LDVERSION"
|
|
.\" Copyright 1998-2012 The OpenLDAP Foundation, All Rights Reserved.
|
|
.\" Copying restrictions apply. See the COPYRIGHT file.
|
|
.\" $OpenLDAP$
|
|
.SH NAME
|
|
slapo-nssov \- NSS and PAM requests through a local Unix Domain socket
|
|
.SH SYNOPSIS
|
|
ETCDIR/slapd.conf
|
|
.SH DESCRIPTION
|
|
The
|
|
.B nssov
|
|
overlay to
|
|
.BR slapd (8)
|
|
services NSS and PAM requests through a local Unix Domain socket.
|
|
It uses the same IPC protocol as Arthur de Jong's nss-ldapd, and
|
|
a complete copy of the nss-ldapd source is included along with the
|
|
nssov source code.
|
|
.LP
|
|
Using a separate IPC protocol for NSS and PAM requests eliminates the
|
|
libldap dependencies/clashes that the current pam_ldap/nss_ldap solutions
|
|
all suffer from. Both the original nss-ldapd and this nssov solution
|
|
are free from these library issues.
|
|
.LP
|
|
Unlike nss-pam-ldapd, since this overlay executes inside slapd it allows for
|
|
the possibility of sophisticated caching, without any of the weaknesses of
|
|
nscd and other related caching solutions. E.g., a remote LDAP database can
|
|
be accessed using back-ldap with proxy caching (see
|
|
.BR slapd-ldap (5)
|
|
and
|
|
.BR slapo-pcache (5)
|
|
) to leverage back-ldap's
|
|
connection pooling as well as pcache's persistent caching, to provide
|
|
high performance and a measure of support for disconnected operation.
|
|
Alternatively, cache considerations can be completely eliminated by running
|
|
a regular database with syncrepl to maintain synchronization with a remote
|
|
LDAP database.
|
|
.LP
|
|
Another major benefit of nssov is that it allows all security policy to be
|
|
administered centrally via LDAP, instead of having fragile rules scattered
|
|
across multiple flat files. As such, there is no client-side configuration at
|
|
all for the NSS/PAM stub libraries. (The stubs talk to the server via a Unix
|
|
domain socket whose path is hardcoded to /var/run/nslcd/). As a side benefit,
|
|
this can finally eliminate the perpetual confusion between OpenLDAP's
|
|
ldap.conf file in ETCDIR/ldap.conf and the similarly named files typically
|
|
used by pam_ldap and nss_ldap.
|
|
.LP
|
|
User authentication is performed by internal simple Binds. User authorization
|
|
leverages the slapd ACL engine, which offers much more power and flexibility
|
|
than the simple group/hostname checks in the old pam_ldap code.
|
|
.LP
|
|
To use this code, you will need the client-side stuf library from
|
|
nss-pam-ldapd. You can get it from:
|
|
http://arthurdejong.org/nss-pam-ldapd
|
|
You will not need the nslcd daemon; this overlay replaces that part.
|
|
To disable building of the nslcd daemon in nss-pam-ldapd, add the
|
|
--disable-nslcd option to the nss-pam-ldapd configure script. You
|
|
should already be familiar with the RFC2307 and RFC2307bis schema
|
|
to use this overlay. See the nss-pam-ldapd README for more information
|
|
on the schema and which features are supported.
|
|
.LP
|
|
You will also need to include the nis.schema in your slapd configuration
|
|
for RFC2307 support. If you wish to use RFC2307bis you will need a slightly
|
|
different schema. You will also need the ldapns.schema for PAM authorization
|
|
management.
|
|
.LP
|
|
You must select
|
|
.B ldap
|
|
in the appropriate services in
|
|
.I /etc/nsswitch.conf
|
|
in order for these NSS features to take effect. Likewise, you must
|
|
enable
|
|
.B pam_ldap
|
|
for the authenticate, account, session, and password services in
|
|
.I /etc/pam.conf
|
|
or
|
|
.I /etc/pam.d
|
|
for these PAM features to take effect.
|
|
|
|
.TP
|
|
.B overlay nssov
|
|
This directive adds the nssov overlay to the current backend.
|
|
.TP
|
|
.B nssov-ssd <service> <url>
|
|
This directive configures a Service Search Descriptor (SSD) for each NSS
|
|
service that will be used. The <service> may be one of
|
|
.RS
|
|
.nf
|
|
aliases
|
|
ethers
|
|
group
|
|
hosts
|
|
netgroup
|
|
networks
|
|
passwd
|
|
protocols
|
|
rpc
|
|
services
|
|
shadow
|
|
.fi
|
|
.RE
|
|
and the <url> must be of the form
|
|
.RS
|
|
.TP
|
|
.B ldap:///[<basedn>][??[<scope>][?<filter>]]
|
|
.RE
|
|
The
|
|
.B <basedn>
|
|
will default to the first suffix of the current database.
|
|
The
|
|
.B <scope>
|
|
defaults to "subtree". The default
|
|
.B <filter>
|
|
depends on which service is being used.
|
|
.TP
|
|
.B nssov-map <service> <orig> <new>
|
|
If the local database is actually a proxy to a foreign LDAP server, some
|
|
mapping of schema may be needed. This directive allows some simple attribute
|
|
substitutions to be performed. See the
|
|
.B nss-ldapd/README
|
|
for the original attribute names used in this code.
|
|
.TP
|
|
.B nssov-pam <option> [...]
|
|
This directive determines a number of PAM behaviors. Multiple options may
|
|
be used at once, and available levels are:
|
|
.RS
|
|
.RS
|
|
.PD 0
|
|
.TP
|
|
.B userhost
|
|
check host attribute in user entry for authorization
|
|
.TP
|
|
.B userservice
|
|
check authorizedService attribute in user entry for authorization
|
|
.TP
|
|
.B usergroup
|
|
check that user is a member of specific group for authorization
|
|
.TP
|
|
.B hostservice
|
|
check authorizedService attribute in host entry for authorization
|
|
.TP
|
|
.B authz2dn
|
|
use authz-regexp mapping to map uid to LDAP DN
|
|
.TP
|
|
.B uid2dn
|
|
use NSS passwd SSD to map uid to LDAP DN
|
|
.PD
|
|
.RE
|
|
|
|
Setting the
|
|
.BR userhost ,
|
|
.BR userservice ,
|
|
and
|
|
.B usergroup
|
|
options duplicates the original pam_ldap authorization behavior.
|
|
|
|
The recommended approach is to use
|
|
.B hostservice
|
|
instead. In this case, ipHost entries must be created for all hosts
|
|
being managed, and they must also have the authorizedServiceObject
|
|
class to allow authorizedService attributes to be used. Also the
|
|
NSS host SSD must be configured so that ipHost entries can be found.
|
|
Authorization is checked by performing an LDAP Compare operation
|
|
looking for the PAM service name in the authorizedService attribute.
|
|
.B slapd
|
|
ACLs should be set to grant or deny
|
|
.B Compare
|
|
privilege to the appropriate users or groups as desired.
|
|
|
|
If the
|
|
.B authz2dn
|
|
option is set then authz-regexp mappings will be used to map the
|
|
PAM username to an LDAP DN. The authentication DN will be of the
|
|
form
|
|
.RS
|
|
.B cn=<service>+uid=<user>,cn=<hostname>,cn=pam,cn=auth
|
|
.RE
|
|
|
|
If no mapping is found for this authentication DN, then this
|
|
mapping will be ignored.
|
|
|
|
If the
|
|
.B uid2dn
|
|
option is set then the NSS passwd SSD will be used to map the
|
|
PAM username to an LDAP DN. The passwd SSD must have already been
|
|
configured for this mapping to succeed.
|
|
|
|
If neither the authz2dn nor the uid2dn mapping succeeds, the module
|
|
will return a PAM_USER_UNKNOWN failure code. If both options are set,
|
|
the authz mapping is attempted first; if it succeeds the uid2dn mapping
|
|
will be skipped.
|
|
|
|
By default only the
|
|
.B uid2dn
|
|
option is set.
|
|
.RE
|
|
.TP
|
|
.B nssov-pam-defhost <hostname>
|
|
Specify a default hostname to check if an ipHost entry for the current
|
|
hostname cannot be found. This setting is only relevant if the
|
|
.B hostservice
|
|
option has been set.
|
|
.TP
|
|
.B nssov-pam-group-dn <DN>
|
|
Specify the DN of an LDAP group to check for authorization. The LDAP user
|
|
must be a member of this group for the login to be allowed. There is no
|
|
default value. This setting is only relevant if the
|
|
.B usergroup
|
|
option has been set.
|
|
.TP
|
|
.B nssov-pam-group-ad <attribute>
|
|
Specify the attribute to use for group membership checks.
|
|
There is no default value. This setting is only relevant if the
|
|
.B usergroup
|
|
option has been set.
|
|
.TP
|
|
.B nssov-pam-min-uid <integer>
|
|
Specify a minimum uid that is allowed to login. Users with a uidNumber
|
|
lower than this value will be denied access. The default is zero, which
|
|
disables this setting.
|
|
.TP
|
|
.B nssov-pam-max-uid <integer>
|
|
Specify a maximum uid that is allowed to login. Users with a uidNumber
|
|
higher than this value will be denied access. The default is zero, which
|
|
disables this setting.
|
|
.TP
|
|
.B nssov-pam-template-ad <attribute>
|
|
Specify an attribute to check in a user's entry for a template login name.
|
|
The template login feature is used by FreeBSD's PAM framework. It can be
|
|
viewed as a form of proxying, where a user can authenticate with one
|
|
username/password pair, but is assigned the identity and credentials of
|
|
the template user. This setting is disabled by default.
|
|
.TP
|
|
.B nssov-pam-template <name>
|
|
Specify a default username to be used if no template attribute is found
|
|
in the user's entry. The
|
|
.B nssov-pam-template-ad
|
|
directive must be configured for this setting to have any effect.
|
|
.TP
|
|
.B nssov-pam-session <service>
|
|
Specify a PAM service name whose sessions will be recorded. For the
|
|
configured services, logins will be recorded in the
|
|
.B loginStatus
|
|
operational attribute of the user's entry. The attribute's values are
|
|
of the form
|
|
.RS
|
|
.RS
|
|
.B <generalizedTime> <host> <service> <tty> (<ruser@rhost>)
|
|
.RE
|
|
.RE
|
|
Upon logout the corresponding value will be deleted. This feature allows
|
|
a single LDAP Search to be used to check which users are logged in across
|
|
all the hosts of a network. The rootdn of the database is used to perform
|
|
the updates of the loginStatus attribute, so a rootdn must already be
|
|
configured for this feature to work. By default no services are configured.
|
|
.LP
|
|
The PAM functions support LDAP Password Policy as well. If the password
|
|
policy overlay is in use (see
|
|
.BR slapo-ppolicy (5)),
|
|
policy
|
|
information (e.g. password expiration, password quality, etc.)
|
|
may be returned to the PAM client as a result of authentication,
|
|
account management, and password modification requests.
|
|
|
|
The overlay also supports dynamic configuration in cn=config. An example
|
|
of the config entry is
|
|
.LP
|
|
.RS
|
|
.nf
|
|
dn: olcOverlay={0}nssov,ocDatabase={1}hdb,cn=config
|
|
objectClass: olcOverlayConfig
|
|
objectClass: olcNssOvConfig
|
|
olcOverlay: {0}nssov
|
|
olcNssSsd: passwd ldap:///ou=users,dc=example,dc=com??one
|
|
olcNssMap: passwd uid accountName
|
|
olcNssPam: hostservice uid2dn
|
|
olcNssPamDefHost: defaulthost
|
|
olcNssPamMinUid: 500
|
|
olcNssPamMaxUid: 32000
|
|
olcNssPamSession: login
|
|
olcNssPamSession: sshd
|
|
.fi
|
|
.RE
|
|
.LP
|
|
which enables the passwd service, and uses the accountName attribute to
|
|
fetch what is usually retrieved from the uid attribute. It also enables
|
|
some PAM authorization controls, and specifies that the PAM
|
|
.B login
|
|
and
|
|
.B sshd
|
|
services should have their logins recorded.
|
|
.SH FILES
|
|
.TP
|
|
ETCDIR/slapd.conf
|
|
default slapd configuration file
|
|
.SH SEE ALSO
|
|
.BR slapd.conf (5),
|
|
.BR slapd\-config (5),
|
|
.BR slapd\-ldap (5),
|
|
.BR slapo\-pcache (5),
|
|
.BR slapo\-ppolicy (5),
|
|
.BR slapd (8).
|
|
.SH AUTHOR
|
|
Howard Chu, inspired by nss-ldapd by Arthur de Jong and pam_ldap by Luke Howard
|