|
NAMEslapo-nssov - NSS and PAM requests through a local Unix Domain socket SYNOPSISETCDIR/slapd.conf DESCRIPTIONThe nssov overlay to slapd(8) services NSS and PAM requests through a local Unix Domain socket. It uses the same IPC protocol as Arthur de Jong's nss-pam-ldapd. An extract of the nss-ldapd source is included along with the nssov source code to allow the overlay to communicate with the nss-pam-ldapd client stubs. Using a separate IPC protocol for NSS and PAM requests eliminates the libldap dependencies/clashes that the current pam_ldap/nss_ldap solutions all suffer from. Both the original nss-ldapd and this nssov solution are free from these library issues. Unlike nss-pam-ldapd, since this overlay executes inside slapd it allows for the possibility of sophisticated caching, without any of the weaknesses of nscd and other related caching solutions. E.g., a remote LDAP database can be accessed using back-ldap with proxy caching (see slapd-ldap(5) and slapo-pcache(5) ) to leverage back-ldap's connection pooling as well as pcache's persistent caching, to provide high performance and a measure of support for disconnected operation. Alternatively, cache considerations can be completely eliminated by running a regular database with syncrepl to maintain synchronization with a remote LDAP database. Another major benefit of nssov is that it allows all security policy to be administered centrally via LDAP, instead of having fragile rules scattered across multiple flat files. As such, there is no client-side configuration at all for the NSS/PAM stub libraries. (The stubs talk to the server via a Unix domain socket whose path is hardcoded to NSLCDPATH). As a side benefit, this can finally eliminate the perpetual confusion between OpenLDAP's ldap.conf file in ETCDIR/ldap.conf and the similarly named files typically used by pam_ldap and nss_ldap. User authentication is performed by internal simple Binds. User authorization leverages the slapd ACL engine, which offers much more power and flexibility than the simple group/hostname checks in the old pam_ldap code. To use this code, you will need the client-side stub library from nss-pam-ldapd. You can get it from: http://arthurdejong.org/nss-pam-ldapd You will not need the nslcd daemon; this overlay replaces that part. To disable building of the nslcd daemon in nss-pam-ldapd, add the --disable-nslcd option to the nss-pam-ldapd configure script. You should already be familiar with the RFC2307 and RFC2307bis schema to use this overlay. See the nss-pam-ldapd README for more information on the schema and which features are supported. You will also need to include the nis.schema in your slapd configuration for RFC2307 support. If you wish to use RFC2307bis you will need a slightly different schema. You will also need the ldapns.schema for PAM authorization management. You must select ldap in the appropriate services in /etc/nsswitch.conf in order for these NSS features to take effect. Likewise, you must enable pam_ldap for the authenticate, account, session, and password services in /etc/pam.conf or /etc/pam.d for these PAM features to take effect.
Setting the userhost, userservice, and usergroup options duplicates the original pam_ldap authorization behavior. The recommended approach is to use hostservice instead. In this case, ipHost entries must be created for all hosts being managed, and they must also have the authorizedServiceObject class to allow authorizedService attributes to be used. Also the NSS host SSD must be configured so that ipHost entries can be found. Authorization is checked by performing an LDAP Compare operation looking for the PAM service name in the authorizedService attribute. slapd ACLs should be set to grant or deny Compare privilege to the appropriate users or groups as desired. If the authz2dn option is set then authz-regexp mappings will be used to map the PAM username to an LDAP DN. The authentication DN will be of the form cn=<service>+uid=<user>,cn=<hostname>,cn=pam,cn=auth
If no mapping is found for this authentication DN, then this mapping will be ignored. If the uid2dn option is set then the NSS passwd SSD will be used to map the PAM username to an LDAP DN. The passwd SSD must have already been configured for this mapping to succeed. If neither the authz2dn nor the uid2dn mapping succeeds, the module will return a PAM_USER_UNKNOWN failure code. If both options are set, the authz mapping is attempted first; if it succeeds the uid2dn mapping will be skipped. By default only the uid2dn option is set.
<generalizedTime> <host> <service>
<tty> (<ruser@rhost>)
The PAM functions support LDAP Password Policy as well. If the password policy overlay is in use (see slapo-ppolicy(5)), policy information (e.g. password expiration, password quality, etc.) may be returned to the PAM client as a result of authentication, account management, and password modification requests. The overlay also supports dynamic configuration in cn=config. An example of the config entry is
which enables the passwd service, and uses the accountName attribute to fetch what is usually retrieved from the uid attribute. It also enables some PAM authorization controls, and specifies that the PAM login and sshd services should have their logins recorded. FILES
SEE ALSOslapd.conf(5), slapd-config(5), slapd-ldap(5), slapo-pcache(5), slapo-ppolicy(5), slapd(8). AUTHORHoward Chu, inspired by nss-ldapd by Arthur de Jong and pam_ldap by Luke Howard Enhancements by Ted C. Cheng, Symas Corp.
|