nss-pam-ldapd - NSS and PAM libraries for name lookups and authentication
using LDAP

nss-pam-ldapd started as nss-ldapd which was a fork from nss_ldap which was
originally written by Luke Howard of PADL Software Pty Ltd.

In 2006 Arthur de Jong of West Consulting forked the library to split it
into a thin NSS part and a server part. Most of the code was rewritten.

The software was renamed to nss-pam-ldapd when PAM code contributed by
Howard Chu for the OpenLDAP nssov module was integrated. Solaris
compatibility was developed by Ted C. Cheng of Symas Corporation.

https://arthurdejong.org/nss-pam-ldapd/

Copyright (C) 1997-2006 Luke Howard
Copyright (C) 2006-2007 West Consulting
Copyright (C) 2006-2018 Arthur de Jong
Copyright (C) 2009 Howard Chu
Copyright (C) 2010 Symas Corporation

This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.

This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.

You should have received a copy of the GNU Lesser General Public
License along with this library; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
02110-1301 USA


INTRODUCTION
============

This is the nss-pam-ldapd library which consists of an NSS module to do name
lookups to an LDAP directory server and a PAM module to do authentication to
an LDAP server. The NSS part of this library was forked from nss_ldap as
provided by Luke Howard of PADL Software Pty Ltd. The PAM module was mostly
provided by Howard Chu of the OpenLDAP project.

The NSS library allows distributing account, group, host and other
configuration information from a central LDAP server. Because LDAP is a
hierarchical directory service, information can be organised in a manner which
reflects an organisational structure. This contrasts with the flat, single
domain policy of NIS. LDAP has many of the advantages of NIS+ (security and
scalability) without the complexity. The system will work alongside your
existing NIS, NIS+, DNS and flat file name services.

The PAM library (module) can be used to perform authentication based on
information inside the LDAP directory.

Both libraries consist of a thin NSS or PAM part that proxies the requests to
a local daemon (nslcd) that handles the LDAP lookups. This simplifies the
software architecture and fixes some scalability and locking problems in the
original design of nss_ldap.

It is also possible to use the thin NSS and PAM modules together with the
nssov overlay in the OpenLDAP server (slapd).

The three parts (NSS module, PAM module, and nslcd server) can be built
separately and are not strongly tied together. This means that for instance
you can still use pam_ldap and use the NSS module from nss-pam-ldapd or use an
alternative implementation of nslcd (for instance with the nssov slapd overlay
or the pynslcd implementation).

improvements over nss_ldap
--------------------------

The fork from nss_ldap was done to implement some major design changes to fix
some structural problems in the library.

One of those problems was host name lookups through LDAP which could cause
deadlocks. Another is that nss_ldap loaded an SSL library into executables
that may not be designed to load it (e.g. problems with suid applications).

A number of refactoring steps were done to simplify the code and improve
maintainability. Legacy code was removed and support for non-Linux operating
systems was initially removed to make the code more readable. Portability was
re-added using compatibility wrappers.

The most practical improvements over nss_ldap are:
- the LDAP library is not loaded for every process doing LDAP lookups
- the number of connections to the LDAP server is limited, because not every
  process will open its own connection
- hostname lookups should now be deadlock-free because the LDAP server name is
  no longer looked up using the ldap method
- avoid problems with TLS connections in suid binaries and other process-local
  configuration
- it is easier to debug because logging in nslcd can be enabled without
  the need to restart all processes doing name lookups
- unavailability timeouts are global instead of per-process

comparison to pam_ldap
----------------------

The PAM module that is currently implemented contains functionality for
authentication, account management, password management and session
management. The nslcd daemon currently implements authentication,
authorisation and password modification. The OpenLDAP nssov overlay also
implements session functionality.

supported C libraries (for NSS module)
--------------------------------------

This library currently supports the GNU C Library, the Solaris C library and
the FreeBSD C library.

supported name databases
------------------------

Currently the following name databases are supported:

  aliases, ethers, group, hosts, netgroup, networks, passwd, protocols, rpc,
  services and shadow

When using IPv6 ipHostNumber attributes, the address in LDAP must be in the
preferred form as defined in section 2.2 of RFC1884, specifically the format
as returned by inet_ntop(3). All leading zeros should be omitted and the
longest range of zeroes should be replaced with :: (e.g.
fe80::218:bff:fe55:c9f).

MAC addresses in the macAddress attribute should be in maximal, colon-separated
hex notation (e.g. 00:00:92:90:ee:e2).
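
To check directory data against the address forms described above before it
is loaded, here is an added Python example (not part of nss-pam-ldapd) that
canonicalises ipHostNumber and macAddress values and reports those that nslcd
would not match as written. It assumes that Python's ipaddress module produces
the same compressed IPv6 text as inet_ntop(3) for typical addresses (leading
zeros dropped, longest zero run collapsed to ::); the sample entry is
constructed.

```python
"""Check ipHostNumber and macAddress values for the forms nslcd expects.

Added example, not part of nss-pam-ldapd. IPv6 addresses must be in the
inet_ntop(3) preferred form and MAC addresses in maximal colon-separated hex;
this script canonicalises both and flags values that differ.
"""
import ipaddress
import re

# One to two hex digits per octet, six octets, colon separated.
_MAC_RE = re.compile(r"^[0-9a-fA-F]{1,2}(:[0-9a-fA-F]{1,2}){5}$")


def canonical_ip(value):
    """Return the compressed inet_ntop-style text of an IP address, or None.

    Assumption: ipaddress.ip_address() applies the same rule as inet_ntop(3)
    (drop leading zeros, collapse the longest run of zero groups to ::).
    """
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def canonical_mac(value):
    """Return a MAC address as six two-digit lowercase hex octets, or None."""
    value = value.strip()
    if not _MAC_RE.match(value):
        return None
    return ":".join("%02x" % int(octet, 16) for octet in value.split(":"))


def check_entry(entry):
    """Return (attribute, value, canonical) for values not in expected form.

    entry maps attribute names to lists of values, like an LDIF entry.
    canonical is None when the value cannot be parsed at all.
    """
    problems = []
    for value in entry.get("ipHostNumber", []):
        canon = canonical_ip(value)
        if canon != value:
            problems.append(("ipHostNumber", value, canon))
    for value in entry.get("macAddress", []):
        canon = canonical_mac(value)
        if canon != value:
            problems.append(("macAddress", value, canon))
    return problems


# Constructed sample entry for demonstration; not taken from a real directory.
SAMPLE_ENTRY = {
    "cn": ["host1"],
    "ipHostNumber": [
        "fe80::218:bff:fe55:c9f",                    # already in preferred form
        "fe80:0000:0000:0000:0218:0bff:fe55:0c9f",   # uncompressed, will be flagged
        "192.168.1.10",                              # IPv4 passes through unchanged
    ],
    "macAddress": [
        "00:00:92:90:ee:e2",     # maximal form, fine
        "0:0:92:90:EE:E2",       # short octets and upper case, will be flagged
        "00-00-92-90-ee-e2",     # dashes are not accepted at all
    ],
}

if __name__ == "__main__":
    for attr, value, canon in check_entry(SAMPLE_ENTRY):
        print("%s: %r should be %r" % (attr, value, canon))
```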

Automounter map lookups (which are also defined in /etc/nsswitch.conf) are
currently not supported because the NSS interface is not used for these. The
common autofs implementation (on GNU/Linux) currently uses its own method for
getting the maps from LDAP.

Although mail aliases are exposed through NSS, most mail servers parse
/etc/aliases themselves (bypassing NSS) and getting aliases from LDAP requires
some configuration in the mail server.

The publickey, bootparams and netmasks databases are currently unsupported.
Some investigation should be done into whether these are needed for anything,
which interfaces should be exported and what the LDAP schema part should look
like.

supported PAM implementation
----------------------------

The PAM module is currently only regularly tested on Linux PAM but other PAM
implementations should also work.

supported LDAP libraries
------------------------

The current version of nss-pam-ldapd has been developed with OpenLDAP 2.4 but
other LDAP libraries and older versions of OpenLDAP may also work.

unsupported features
--------------------

Since nss-pam-ldapd was forked from nss_ldap most of the features that came
with nss_ldap are available. The most important differences:
- the configuration file formats are not fully compatible
- rootbinddn/rootbindpw support is removed and is not likely to return
  (the rootpwmoddn and rootpwmodpw options work differently but accomplish the
  same thing)

For the PAM module some functionality is missing. Comparing it to pam_ldap:
- only BIND authentication is supported
- only the LDAP password modify EXOP is supported as password changing
  mechanism

Some things work a little differently in nss-pam-ldapd. For instance the
attribute defaults and overrides of nss_ldap are implemented with mapping
expressions and pam_ldap's pam_check_*_attr options can be implemented with
the pam_authz_search option.


INSTALLATION
============

The nss-pam-ldapd library uses autoconf and automake for building. Installing
nss-pam-ldapd should be as simple as:

  % ./configure
  % make
  % make install

It is a good idea to first go through the options of configure by running:

  % ./configure --help

The last step (make install) should install the libnss_ldap.so.* and
pam_ldap.so files and the daemon (nslcd). The proper location of the NSS and
PAM modules is guessed. The boot process needs to be modified to start the
nslcd daemon at the right time.

It is recommended to create a dedicated user for the nslcd daemon. Configure
this user in /etc/nslcd.conf using the uid and gid options.


CONFIGURATION
=============

After installation, the name service switch configuration file
(/etc/nsswitch.conf) needs to be modified to do name lookups using the new
module. This consists mostly of adding ldap to the list of lookup methods in
the right place. See the nsswitch.conf(5) manual page for details on the
format. As an example the file could look a little like this:

  # the following contain normal unix user and group information
  passwd:     files ldap
  group:      files ldap
  shadow:     files ldap

  # hostname lookups through ldap before dns should work now
  hosts:      files ldap dns
  networks:   files ldap

  # normal flat-file definitions
  protocols:  files ldap
  services:   files ldap
  ethers:     files ldap
  rpc:        files ldap
  netgroup:   ldap

  # whether alias lookups really use NSS depends on the mail server
  aliases:    files ldap
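
As an added Python example (not part of the project), the following parses an
nsswitch.conf in the format shown above and reports which of the databases
this README lists as supported have the ldap source, and which consult ldap
without listing files ahead of it. The sample content is constructed from the
example above; the handling of [STATUS=action] specifiers follows the
nsswitch.conf(5) syntax and is not something this README itself covers.

```python
"""Report which nsswitch.conf databases use the ldap source.

Added example, not part of nss-pam-ldapd. It parses the
"database: source [action] source ..." lines of nsswitch.conf(5) and checks
the databases this README lists as supported.
"""

SUPPORTED = ("aliases", "ethers", "group", "hosts", "netgroup", "networks",
             "passwd", "protocols", "rpc", "services", "shadow")


def parse_nsswitch(text):
    """Return {database: [source, ...]}, dropping [STATUS=action] specifiers."""
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, rest = line.split(":", 1)
        sources, in_action = [], False
        for tok in rest.split():
            if in_action or tok.startswith("["):
                # "[NOTFOUND=return]" or "[ NOTFOUND=return ]" spread over tokens
                in_action = not tok.endswith("]")
            else:
                sources.append(tok)
        databases[name.strip()] = sources
    return databases


def ldap_status(text):
    """Split the supported databases into those with and without ldap."""
    databases = parse_nsswitch(text)
    with_ldap = [db for db in SUPPORTED if "ldap" in databases.get(db, [])]
    without = [db for db in SUPPORTED if db not in with_ldap]
    return with_ldap, without


def ldap_before_files(text):
    """Databases where ldap is consulted before (or instead of) files.

    With "files ldap" a local account such as root is answered from
    /etc/passwd and ldap is never asked for it; with ldap first, every
    lookup goes to nslcd before the local file is consulted.
    """
    flagged = []
    for db, sources in parse_nsswitch(text).items():
        if "ldap" not in sources:
            continue
        if "files" not in sources or sources.index("files") > sources.index("ldap"):
            flagged.append(db)
    return flagged


# Constructed sample, built from the README's example with one action
# specifier added to exercise the parser.
SAMPLE_NSSWITCH = """\
# the following contain normal unix user and group information
passwd:     files ldap
group:      files ldap
shadow:     files ldap

hosts:      files ldap [NOTFOUND=return] dns
networks:   files ldap

protocols:  files ldap
services:   files ldap
ethers:     files ldap
rpc:        files ldap
netgroup:   ldap

aliases:    files ldap
"""

if __name__ == "__main__":
    with_ldap, without = ldap_status(SAMPLE_NSSWITCH)
    print("using ldap:", " ".join(with_ldap))
    print("not using ldap:", " ".join(without) or "(none)")
    print("ldap before files:", " ".join(ldap_before_files(SAMPLE_NSSWITCH)))
```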

Configuring PAM differs a little from platform to platform but this is a
minimal set-up for files under /etc/pam.d:

  auth     sufficient pam_unix.so
  auth     sufficient pam_ldap.so use_first_pass
  auth     required   pam_deny.so

  account  required   pam_unix.so
  account  sufficient pam_ldap.so
  account  required   pam_permit.so

  session  required   pam_unix.so
  session  optional   pam_ldap.so

  password sufficient pam_unix.so nullok md5 shadow use_authtok
  password sufficient pam_ldap.so try_first_pass
  password required   pam_deny.so
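
To see what the stack above decides for each combination of pam_unix and
pam_ldap outcomes, here is an added Python simulation (not Linux-PAM and not
part of nss-pam-ldapd) of the required, requisite, sufficient and optional
control keywords from pam.conf(5), expressed through the ok/bad/die/done/ignore
actions they map to. Module outcomes are supplied by hand; pam_deny.so and
pam_permit.so get their fixed results, and the bracketed control syntax,
include and substack are not modelled.

```python
"""Simulate how Linux-PAM combines module results for one stack.

Added example, not part of nss-pam-ldapd or Linux-PAM. Only the four
classic control keywords are modelled.
"""

SUCCESS, FAIL = "success", "fail"

# Control keyword -> action taken on module success / failure.
ACTIONS = {
    "required":   {SUCCESS: "ok",   FAIL: "bad"},
    "requisite":  {SUCCESS: "ok",   FAIL: "die"},
    "sufficient": {SUCCESS: "done", FAIL: "ignore"},
    "optional":   {SUCCESS: "ok",   FAIL: "ignore"},
}

# Modules with fixed outcomes; everything else is supplied by the caller.
FIXED_RESULTS = {"pam_deny.so": FAIL, "pam_permit.so": SUCCESS}


def parse_stack(text, facility):
    """Return [(control, module)] for one facility (auth, account, ...)."""
    stack = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == facility:
            stack.append((fields[1], fields[2]))
    return stack


def run_stack(stack, results):
    """Evaluate a parsed stack given module outcomes.

    impression is the running verdict: None until some module sets it.
    A module missing from results counts as FAIL, so an unknown module
    never grants access, and a stack in which no module set a verdict
    fails rather than succeeding by accident.
    """
    impression = None
    for control, module in stack:
        outcome = results.get(module, FAIL)
        action = ACTIONS[control][outcome]
        if action == "ok" and impression is None:
            impression = SUCCESS         # first verdict, may still be overridden
        elif action == "bad":
            impression = FAIL            # remembered; later modules still run
        elif action == "die":
            return FAIL                  # requisite failure ends the stack
        elif action == "done" and impression != FAIL:
            return SUCCESS               # sufficient success, nothing failed before
        # "ignore", and "ok" once a verdict exists, change nothing
    return SUCCESS if impression == SUCCESS else FAIL


def decide(text, facility, results):
    """Parse the facility's stack from text and evaluate it."""
    merged = dict(FIXED_RESULTS)
    merged.update(results)
    return run_stack(parse_stack(text, facility), merged)


# The README's minimal /etc/pam.d set-up, reproduced as the sample input.
SAMPLE_PAM = """\
auth     sufficient pam_unix.so
auth     sufficient pam_ldap.so use_first_pass
auth     required   pam_deny.so

account  required   pam_unix.so
account  sufficient pam_ldap.so
account  required   pam_permit.so

session  required   pam_unix.so
session  optional   pam_ldap.so

password sufficient pam_unix.so nullok md5 shadow use_authtok
password sufficient pam_ldap.so try_first_pass
password required   pam_deny.so
"""

if __name__ == "__main__":
    for unix in (SUCCESS, FAIL):
        for ldap in (SUCCESS, FAIL):
            outcomes = {"pam_unix.so": unix, "pam_ldap.so": ldap}
            verdicts = [decide(SAMPLE_PAM, f, outcomes)
                        for f in ("auth", "account", "session", "password")]
            print("unix=%-7s ldap=%-7s -> auth=%s account=%s session=%s password=%s"
                  % ((unix, ldap) + tuple(verdicts)))
```

The account stack shows why ordering matters: pam_unix.so is required, so a
failure there is remembered and the later sufficient pam_ldap.so success
cannot override it.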

Lastly, a configuration file for nslcd (by default /etc/nslcd.conf) needs to
be made. See the shipped manual page for details on the format and options. It
should at the very least contain something like:

  # the location of the LDAP server
  uri ldap://localhost/

  # search base for all queries
  base dc=example,dc=net

service discovery through DNS
-----------------------------

nss-pam-ldapd supports looking up LDAP server names through DNS SRV records as
specified in RFC 2782. However, Priority and Weight are not considered
separately and a single list of servers is added as if they had been specified
with uri options in the configuration file.

To use this feature specify DNS as a uri in the configuration file and
include something like the following in your zone:

  _ldap._tcp   SRV   10 0 389 ldapserver


LDAP SCHEMA
===========

nss-pam-ldapd supports a wide range of possible LDAP schema configurations and
it can be customized heavily. The LDAP schema used is described in RFC 2307.
Groups using the member attribute that hold distinguished names (RFC 2307bis)
are also supported (but see group membership below for more information).

default attributes
------------------

This section describes the mapping between the NSS lookups and the LDAP
database. The mapping may be modified by changing the nslcd.conf configuration
file. See the nslcd.conf(5) manual page for details.

  aliases (objectClass=nisMailAlias)
    cn                - alias name
    rfc822MailMember  - members of the alias (recipients)
  ethers (objectClass=ieee802Device)
    cn                - host name
    macAddress        - ethernet address
  group (objectClass=posixGroup)
    cn                - group name
    userPassword      - password (by default mapped to "*")
    gidNumber         - gid
    memberUid         - members (user names)
    member            - members (DN values)
  hosts (objectClass=ipHost)
    cn                - host name (and aliases)
    ipHostNumber      - addresses
  netgroup (objectClass=nisNetgroup)
    cn                - netgroup name
    nisNetgroupTriple - triplets describing netgroup entries
    memberNisNetgroup - reference to other netgroup
  networks (objectClass=ipNetwork)
    cn                - network name
    ipNetworkNumber   - network address
  passwd (objectClass=posixAccount)
    uid               - account name
    userPassword      - password (by default mapped to "*")
    uidNumber         - uid
    gidNumber         - gid
    gecos             - gecos
    homeDirectory     - home directory
    loginShell        - shell
  protocols (objectClass=ipProtocol)
    cn                - protocol name
    ipProtocolNumber  - protocol number
  rpc (objectClass=oncRpc)
    cn                - rpc name
    oncRpcNumber      - rpc number
  services (objectClass=ipService)
    cn                - service name
    ipServicePort     - service port
    ipServiceProtocol - service protocol
  shadow (objectClass=shadowAccount)
    uid               - user name
    userPassword      - password
    shadowLastChange  - date of last password change
    shadowMin         - days before password may be changed again
    shadowMax         - days after which password must be changed
    shadowWarning     - days before max password age to present a warning
    shadowInactive    - days after max password age that account is disabled
    shadowExpire      - account expiration date
    shadowFlag        - reserved field

using Microsoft Active Directory
--------------------------------

When using a Microsoft Active Directory server some changes need to be made to
the nslcd.conf configuration file. The included sample configuration file has
some commented out attribute mappings for such a set-up.

group membership
----------------

Currently, two ways of specifying group membership are supported. The first,
by using the memberUid attribute, is the simplest and by far the fastest
(takes the least number of lookups). The attribute values are user names (same
as the uid attribute for posixAccount entries) and are returned without
further processing.

The second method is to use DN values in the member attribute (attribute names
can be changed by using the attribute mapping options as described in the
manual page). This is potentially a lot slower because in the worst case every
DN has to be looked up in the LDAP server to find the proper value for the uid
attribute.

If the LDAP server supports the deref control (provided by the deref overlay
in OpenLDAP) the DN to uid expansion is performed by the LDAP server.

If the DN value already contains a uid value (e.g. uid=arthur, dc=example,
dc=com) a further lookup is skipped and the uid value from the DN is used.

For other DN values an extra lookup is performed to expand it to a uid. These
lookups are cached and are configurable with the cache dn2uid configuration
option.

The member attribute may also contain the DN of another group entry. These
nested groups are parsed recursively depending on the nss_nested_groups
option.

Currently, the memberOf attribute in posixAccount entries is unsupported.
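
An added Python model (not nslcd's own code) of the membership rules in this
section: memberUid values are used as-is, a uid= RDN is taken from the DN
without a lookup, other DNs are expanded through a small dn2uid cache, and
member DNs of other posixGroup entries are followed recursively when nested
groups are enabled. The directory contents are constructed; the naive comma
split of DNs (no escaped commas) and the cycle check that stops a group which
indirectly contains itself are simplifications assumed here.

```python
"""Resolve posixGroup members from memberUid and member (DN) attributes.

Added example, not nslcd's code. A tiny directory is a dict of DN ->
attributes; lookups are counted to show what the dn2uid cache saves.
"""


def uid_from_dn(dn):
    """Return the uid value if the DN's first RDN is uid=..., else None."""
    rdn = dn.split(",", 1)[0]           # assumption: no escaped commas in the RDN
    attr, _, value = rdn.partition("=")
    if attr.strip().lower() == "uid" and value.strip():
        return value.strip()
    return None


class Directory:
    def __init__(self, entries):
        # DNs are case-insensitive in LDAP, so key them lowercased.
        self.entries = {dn.lower(): attrs for dn, attrs in entries.items()}
        self.dn2uid_cache = {}          # member DN -> resolved result
        self.lookups = 0                # simulated server round trips

    def lookup(self, dn):
        self.lookups += 1
        return self.entries.get(dn.lower())

    def resolve_member_dn(self, dn):
        """Classify a member DN as ('uid', name), ('group', dn) or None."""
        key = dn.lower()
        if key not in self.dn2uid_cache:
            entry = self.lookup(dn)
            result = None
            if entry is not None:
                if "posixGroup" in entry.get("objectClass", []):
                    result = ("group", dn)
                elif entry.get("uid"):
                    result = ("uid", entry["uid"][0])
            self.dn2uid_cache[key] = result
        return self.dn2uid_cache[key]

    def group_members(self, group_dn, nested=True):
        """Return the user names of a group, in order, without duplicates."""
        members, seen_groups = [], set()
        self._collect(group_dn, nested, members, seen_groups)
        return list(dict.fromkeys(members))

    def _collect(self, group_dn, nested, members, seen_groups):
        key = group_dn.lower()
        if key in seen_groups:          # already expanded, or a cycle
            return
        seen_groups.add(key)
        group = self.lookup(group_dn)
        if group is None:
            return
        members.extend(group.get("memberUid", []))      # used as-is
        for dn in group.get("member", []):
            uid = uid_from_dn(dn)
            if uid is not None:         # uid is in the DN: no lookup needed
                members.append(uid)
                continue
            resolved = self.resolve_member_dn(dn)
            if resolved is None:
                continue
            kind, value = resolved
            if kind == "uid":
                members.append(value)
            elif nested:
                self._collect(value, nested, members, seen_groups)


# Constructed directory: one group with all three member styles plus a
# nested group that refers back to it.
SAMPLE_DIRECTORY = {
    "uid=arthur,ou=people,dc=example,dc=com":
        {"objectClass": ["posixAccount"], "uid": ["arthur"]},
    "cn=Bob Example,ou=people,dc=example,dc=com":
        {"objectClass": ["posixAccount"], "uid": ["bob"]},
    "cn=Dana Example,ou=people,dc=example,dc=com":
        {"objectClass": ["posixAccount"], "uid": ["dana"]},
    "cn=admins,ou=groups,dc=example,dc=com":
        {"objectClass": ["posixGroup"], "memberUid": ["carol"],
         "member": ["uid=arthur,ou=people,dc=example,dc=com",
                    "cn=Bob Example,ou=people,dc=example,dc=com",
                    "cn=ops,ou=groups,dc=example,dc=com"]},
    "cn=ops,ou=groups,dc=example,dc=com":
        {"objectClass": ["posixGroup"],
         "member": ["cn=Dana Example,ou=people,dc=example,dc=com",
                    "cn=admins,ou=groups,dc=example,dc=com"]},   # cycle
}

if __name__ == "__main__":
    d = Directory(SAMPLE_DIRECTORY)
    print(d.group_members("cn=admins,ou=groups,dc=example,dc=com"), d.lookups)
```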

case sensitivity
----------------

Most values in NSS databases are considered case-sensitive (e.g. the user
"Foo" is a different user from the user "foo"). Most values in an LDAP
database are however considered case-insensitive. nss-pam-ldapd tries to solve
this problem by adding an extra filtering layer to ensure that when looking
for the user "foo" it will not consider a user "Foo" that is found in LDAP.

For the group, netgroup, passwd, protocols, rpc, services and shadow maps the
matches will be checked case-sensitively and for aliases, ethers, hosts and
networks matches will be case-insensitive (this seems to be what Glibc is
doing currently in flat files). Only searching for groups by user is done
case-insensitively. In all cases the values are returned with the case used in
the LDAP directory.

This behaviour can be disabled with the ignorecase configuration option but
doing so may be a security risk.

Note that having entries that only differ in case is a bad idea and will
likely get you in trouble. One example of such a problem is that the DN
uid=test,dc=example,dc=com is considered the same in LDAP as
uid=TEST,dc=example,dc=com.
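
An added Python example (not nslcd's code) of the filtering layer described in
this section, run over constructed passwd and hosts entries: an LDAP-style
case-insensitive search followed by the per-map case check, with ignorecase
turning the check off so the effect of that option can be seen directly.

```python
"""Model nslcd's case filtering on top of a case-insensitive LDAP search.

Added example, not nslcd's code. LDAP matches attributes such as uid and cn
case-insensitively, so a search for uid=foo also returns the entry "Foo";
the filter keeps only the entries the requested map treats as a match.
"""

CASE_SENSITIVE_MAPS = {"group", "netgroup", "passwd", "protocols", "rpc",
                       "services", "shadow"}
CASE_INSENSITIVE_MAPS = {"aliases", "ethers", "hosts", "networks"}


def ldap_search(entries, attr, value):
    """Simulated LDAP equality match: case-insensitive, as for uid and cn."""
    return [e for e in entries
            if any(v.lower() == value.lower() for v in e.get(attr, []))]


def case_filter(map_name, requested, attr, results, ignorecase=False):
    """Drop results that match only because of case, per the map's rule."""
    if map_name not in CASE_SENSITIVE_MAPS | CASE_INSENSITIVE_MAPS:
        raise ValueError("unknown map: %s" % map_name)
    if ignorecase or map_name in CASE_INSENSITIVE_MAPS:
        return results                  # LDAP's own matching is accepted
    return [e for e in results if requested in e.get(attr, [])]


def lookup(map_name, attr, requested, entries, ignorecase=False):
    """Search then filter; values keep the case stored in the directory."""
    found = ldap_search(entries, attr, requested)
    return case_filter(map_name, requested, attr, found, ignorecase)


# Constructed entries: two users differing only in case (the situation the
# README warns against) and one host with a mixed-case name and an alias.
SAMPLE_PASSWD = [
    {"uid": ["foo"], "uidNumber": ["1000"]},
    {"uid": ["Foo"], "uidNumber": ["1001"]},
]
SAMPLE_HOSTS = [
    {"cn": ["Fileserver", "fs"], "ipHostNumber": ["10.0.0.5"]},
]

if __name__ == "__main__":
    for name in ("foo", "Foo", "FOO"):
        hits = lookup("passwd", "uid", name, SAMPLE_PASSWD)
        print("passwd %-3s -> %s" % (name, [e["uidNumber"][0] for e in hits]))
    hits = lookup("passwd", "uid", "FOO", SAMPLE_PASSWD, ignorecase=True)
    print("passwd FOO with ignorecase ->", [e["uidNumber"][0] for e in hits])
    print("hosts FS ->", [e["cn"] for e in lookup("hosts", "cn", "FS", SAMPLE_HOSTS)])
```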


REPORTING BUGS
==============

If you find any bugs or missing features please send email to
nss-pam-ldapd-users@lists.arthurdejong.org

If you are using a packaged version of nss-pam-ldapd you are encouraged to use
the distributor's bug tracking system. Please include as much information as
possible (platform, output of configure if compilation fails, error messages,
output of nslcd -d, etc). Patches are more than welcome (also see the file
HACKING).