.TH SLAPO-NSSOV 5 "RELEASEDATE" "OpenLDAP LDVERSION"
.\" Copyright 1998-2009 The OpenLDAP Foundation, All Rights Reserved.
.\" Copying restrictions apply. See the COPYRIGHT file.
.\" $OpenLDAP: pkg/ldap/contrib/slapd-modules/nssov/slapo-nssov.5,v 1.4.2.3 2009/06/04 18:15:49 quanah Exp $
slapo-nssov \- NSS and PAM requests through a local Unix Domain socket
services NSS and PAM requests through a local Unix Domain socket.
It uses the same IPC protocol as Arthur de Jong's nss-ldapd, and
a complete copy of the nss-ldapd source is included along with the
Using a separate IPC protocol for NSS and PAM requests eliminates the
libldap dependencies/clashes that the current pam_ldap/nss_ldap solutions
all suffer from. Both the original nss-ldapd and this nssov solution
are free from these library issues.
Unlike nss-ldapd, this overlay executes inside slapd, which allows for
sophisticated caching without any of the weaknesses of
nscd and other related caching solutions. E.g., a remote LDAP database can
be accessed using back-ldap with proxy caching (see
) to leverage back-ldap's
connection pooling as well as pcache's persistent caching, to provide
high performance and a measure of support for disconnected operation.
Alternatively, cache considerations can be completely eliminated by running
a regular database with syncrepl to maintain synchronization with a remote
Another major benefit of nssov is that it allows all security policy to be
administered centrally via LDAP, instead of having fragile rules scattered
across multiple flat files. As such, there is no client-side configuration at
all for the NSS/PAM stub libraries. (The stubs talk to the server via a Unix
domain socket whose path is hardcoded to /var/run/nslcd/). As a side benefit,
this can finally eliminate the perpetual confusion between OpenLDAP's
ldap.conf file in ETCDIR/ldap.conf and the similarly named files typically
used by pam_ldap and nss_ldap.
User authentication is performed by internal simple Binds. User authorization
leverages the slapd ACL engine, which offers much more power and flexibility
than the simple group/hostname checks in the old pam_ldap code.
To use this code, you will need the client-side stub library from
nss-ldapd (which resides in nss-ldapd/nss). You will not need the
nslcd daemon; this overlay replaces that part. You should already
be familiar with the [RFC2307] and [RFC2307bis] schema to use this
for more information on the schema and which features are supported.
You will also need to include the nis.schema in your slapd configuration
for RFC2307 support. If you wish to use RFC2307bis you will need a slightly
different schema. You will also need the ldapns.schema for PAM authorization
in the appropriate services in
in order for these NSS features to take effect. Likewise, you must
for the authenticate, account, session, and password services in
for these PAM features to take effect.
This directive adds the nssov overlay to the current backend.
.B nssov-ssd <service> <url>
This directive configures a Service Search Descriptor (SSD) for each NSS
service that will be used. The <service> may be one of
and the <url> must be of the form
.B ldap:///[<basedn>][??[<scope>][?<filter>]]
will default to the first suffix of the current database.
defaults to "subtree". The default
depends on which service is being used.
.B nssov-map <service> <orig> <new>
If the local database is actually a proxy to a foreign LDAP server, some
mapping of schema may be needed. This directive allows some simple attribute
substitutions to be performed. See the
for the original attribute names used in this code.
.B nssov-pam <option> [...]
This directive determines a number of PAM behaviors. Multiple options may
be used at once, and the available options are:
check host attribute in user entry for authorization
check authorizedService attribute in user entry for authorization
check that the user is a member of a specific group for authorization
check authorizedService attribute in host entry for authorization
use authz-regexp mapping to map uid to LDAP DN
use NSS passwd SSD to map uid to LDAP DN
options duplicates the original pam_ldap authorization behavior.
The recommended approach is to use
instead. In this case, ipHost entries must be created for all hosts
being managed, and they must also have the authorizedServiceObject
class to allow authorizedService attributes to be used. Also the
NSS host SSD must be configured so that ipHost entries can be found.
Authorization is checked by performing an LDAP Compare operation
looking for the PAM service name in the authorizedService attribute.
ACLs should be set to grant or deny
privilege to the appropriate users or groups as desired.
option is set then authz-regexp mappings will be used to map the
PAM username to an LDAP DN. The authentication DN will be of the
.B cn=<service>+uid=<user>,cn=<hostname>,cn=pam,cn=auth
If no mapping is found for this authentication DN, then this
mapping will be ignored.
option is set then the NSS passwd SSD will be used to map the
PAM username to an LDAP DN. The passwd SSD must have already been
configured for this mapping to succeed.
If neither the authz2dn nor the uid2dn mapping succeeds, the module
will return a PAM_USER_UNKNOWN failure code. If both options are set,
the authz mapping is attempted first; if it succeeds the uid2dn mapping
.B nssov-pam-defhost <hostname>
Specify a default hostname to check if an ipHost entry for the current
hostname cannot be found. This setting is only relevant if the
.B nssov-pam-group-dn <DN>
Specify the DN of an LDAP group to check for authorization. The LDAP user
must be a member of this group for the login to be allowed. There is no
default value. This setting is only relevant if the
.B nssov-pam-group-ad <attribute>
Specify the attribute to use for group membership checks.
There is no default value. This setting is only relevant if the
.B nssov-pam-minuid <integer>
Specify a minimum uid that is allowed to log in. Users with a uidNumber
lower than this value will be denied access. The default is zero, which
disables this setting.
.B nssov-pam-maxuid <integer>
Specify a maximum uid that is allowed to log in. Users with a uidNumber
higher than this value will be denied access. The default is zero, which
disables this setting.
.B nssov-pam-template-ad <attribute>
Specify an attribute to check in a user's entry for a template login name.
The template login feature is used by FreeBSD's PAM framework. It can be
viewed as a form of proxying, where a user can authenticate with one
username/password pair, but is assigned the identity and credentials of
the template user. This setting is disabled by default.
.B nssov-pam-template <name>
Specify a default username to be used if no template attribute is found
in the user's entry. The
.B nssov-pam-template-ad
directive must be configured for this setting to have any effect.
.B nssov-pam-session <service>
Specify a PAM service name whose sessions will be recorded. For the
configured services, logins will be recorded in the
operational attribute of the user's entry. The attribute's values are
.B <generalizedTime> <host> <service> <tty> (<ruser@rhost>)
Upon logout the corresponding value will be deleted. This feature allows
a single LDAP Search to be used to check which users are logged in across
all the hosts of a network. The rootdn of the database is used to perform
the updates of the loginStatus attribute, so a rootdn must already be
configured for this feature to work. By default no services are configured.
The PAM functions support LDAP Password Policy as well. If the password
policy overlay is in use (see
.BR slapo-ppolicy (5)),
information (e.g. password expiration, password quality, etc.)
may be returned to the PAM client as a result of authentication,
account management, and password modification requests.
The overlay also supports dynamic configuration in cn=config. An example
of the config entry is
dn: olcOverlay={0}nssov,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcNssOvConfig
olcNssSsd: passwd ldap:///ou=users,dc=example,dc=com??one
olcNssMap: passwd uid accountName
olcNssPam: hostservice uid2dn
olcNssPamDefHost: defaulthost
olcNssPamMaxUid: 32000
olcNssPamSession: login
olcNssPamSession: sshd
which enables the passwd service, and uses the accountName attribute to
fetch what is usually retrieved from the uid attribute. It also enables
some PAM authorization controls, and specifies that the PAM
services should have their logins recorded.
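The pieces that the hostservice option described earlier requires (a host SSD so ipHost entries can be found, an ipHost entry carrying the authorizedServiceObject class, and an ACL granting compare on authorizedService), as an added example that is not part of the original man page. It assumes the NSS host service is named hosts, a host called host1, the suffix dc=example,dc=com, and a group cn=admins,ou=groups,dc=example,dc=com; the two cn=config records and the data entry all target the same slapd.

```ldif
# Added example, not from the man page. Assumed: NSS host service named
# "hosts", hostname host1, suffix dc=example,dc=com, group cn=admins.

# cn=config: the overlay, with a host SSD so ipHost entries can be found,
# and hostservice enabled alongside the uid2dn mapping.
dn: olcOverlay={0}nssov,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcNssOvConfig
olcOverlay: {0}nssov
olcNssSsd: passwd ldap:///ou=users,dc=example,dc=com??one
olcNssSsd: hosts ldap:///ou=hosts,dc=example,dc=com??one
olcNssPam: hostservice uid2dn
olcNssPamMinUid: 1000

# cn=config: the internal Compare on authorizedService is subject to the
# ACLs, so only members of cn=admins are granted compare; everyone else
# gets none, fails the Compare, and is therefore denied the login.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.subtree="ou=hosts,dc=example,dc=com" attrs=authorizedService
  by group.exact="cn=admins,ou=groups,dc=example,dc=com" compare
  by * none

# data database: one ipHost entry per managed host, carrying the
# authorizedServiceObject class; the PAM service names listed here are
# the only ones hostservice will authorize on host1.
dn: cn=host1,ou=hosts,dc=example,dc=com
objectClass: device
objectClass: ipHost
objectClass: authorizedServiceObject
cn: host1
ipHostNumber: 192.0.2.10
authorizedService: sshd
authorizedService: login
```

Load the file with ldapmodify -a so that the add records and the modify record in the same file are all applied.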
default slapd configuration file
.BR slapd\-config (5),
.BR slapo\-pcache (5),
.BR slapo\-ppolicy (5),
Howard Chu, inspired by nss-ldapd by Arthur de Jong and pam_ldap by Luke Howard