1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
|
.TH SLAPO-NSSOV 5 "RELEASEDATE" "OpenLDAP LDVERSION"
.\" Copyright 1998-2022 The OpenLDAP Foundation, All Rights Reserved.
.\" Copying restrictions apply. See the COPYRIGHT file.
.\" $OpenLDAP$
.SH NAME
slapo-nssov \- NSS and PAM requests through a local Unix Domain socket
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
The
.B nssov
overlay to
.BR slapd (8)
services NSS and PAM requests through a local Unix Domain socket.
It uses the same IPC protocol as Arthur de Jong's nss-pam-ldapd.
An extract of the nss-ldapd source is included along with the
nssov source code to allow the overlay to communicate with the
nss-pam-ldapd client stubs.
.LP
Using a separate IPC protocol for NSS and PAM requests eliminates the
libldap dependencies/clashes that the current pam_ldap/nss_ldap solutions
all suffer from. Both the original nss-ldapd and this nssov solution
are free from these library issues.
.LP
Unlike nss-pam-ldapd, since this overlay executes inside slapd it allows for
the possibility of sophisticated caching, without any of the weaknesses of
nscd and other related caching solutions. E.g., a remote LDAP database can
be accessed using back-ldap with proxy caching (see
.BR slapd-ldap (5)
and
.BR slapo-pcache (5)
) to leverage back-ldap's
connection pooling as well as pcache's persistent caching, to provide
high performance and a measure of support for disconnected operation.
Alternatively, cache considerations can be completely eliminated by running
a regular database with syncrepl to maintain synchronization with a remote
LDAP database.
.LP
Another major benefit of nssov is that it allows all security policy to be
administered centrally via LDAP, instead of having fragile rules scattered
across multiple flat files. As such, there is no client-side configuration at
all for the NSS/PAM stub libraries. (The stubs talk to the server via a Unix
domain socket whose path is hardcoded to NSLCDPATH). As a side benefit,
this can finally eliminate the perpetual confusion between OpenLDAP's
ldap.conf file in ETCDIR/ldap.conf and the similarly named files typically
used by pam_ldap and nss_ldap.
.LP
User authentication is performed by internal simple Binds. User authorization
leverages the slapd ACL engine, which offers much more power and flexibility
than the simple group/hostname checks in the old pam_ldap code.
.LP
To use this code, you will need the client-side stub library from
nss-pam-ldapd. You can get it from:
http://arthurdejong.org/nss-pam-ldapd
You will not need the nslcd daemon; this overlay replaces that part.
To disable building of the nslcd daemon in nss-pam-ldapd, add the
--disable-nslcd option to the nss-pam-ldapd configure script. You
should already be familiar with the RFC2307 and RFC2307bis schema
to use this overlay. See the nss-pam-ldapd README for more information
on the schema and which features are supported.
.LP
You will also need to include the nis.schema in your slapd configuration
for RFC2307 support. If you wish to use RFC2307bis you will need a slightly
different schema. You will also need the ldapns.schema for PAM authorization
management.
.LP
You must select
.B ldap
in the appropriate services in
.I /etc/nsswitch.conf
in order for these NSS features to take effect. Likewise, you must
enable
.B pam_ldap
for the authenticate, account, session, and password services in
.I /etc/pam.conf
or
.I /etc/pam.d
for these PAM features to take effect.
.TP
.B overlay nssov
This directive adds the nssov overlay to the current backend.
.TP
.B nssov-ssd <service> <url>
This directive configures a Service Search Descriptor (SSD) for each NSS
service that will be used. The <service> may be one of
.RS
.nf
aliases
ethers
group
hosts
netgroup
networks
passwd
protocols
rpc
services
shadow
.fi
.RE
and the <url> must be of the form
.RS
.TP
.B ldap:///[<basedn>][??[<scope>][?<filter>]]
.RE
The
.B <basedn>
will default to the first suffix of the current database.
The
.B <scope>
defaults to "subtree". The default
.B <filter>
depends on which service is being used.
.TP
.B nssov-map <service> <orig> <new>
If the local database is actually a proxy to a foreign LDAP server, some
mapping of schema may be needed. This directive allows some simple attribute
substitutions to be performed. See the
.B nss-ldapd/README
for the original attribute names used in this code.
.TP
.B nssov-pam <option> [...]
This directive determines a number of PAM behaviors. Multiple options may
be used at once, and available levels are:
.RS
.RS
.PD 0
.TP
.B userhost
check host attribute in user entry for authorization
.TP
.B userservice
check authorizedService attribute in user entry for authorization
.TP
.B usergroup
check that user is a member of specific group for authorization
.TP
.B hostservice
check authorizedService attribute in host entry for authorization
.TP
.B authz2dn
use authz-regexp mapping to map uid to LDAP DN
.TP
.B uid2dn
use NSS passwd SSD to map uid to LDAP DN
.PD
.RE
Setting the
.BR userhost ,
.BR userservice ,
and
.B usergroup
options duplicates the original pam_ldap authorization behavior.
The recommended approach is to use
.B hostservice
instead. In this case, ipHost entries must be created for all hosts
being managed, and they must also have the authorizedServiceObject
class to allow authorizedService attributes to be used. Also the
NSS host SSD must be configured so that ipHost entries can be found.
Authorization is checked by performing an LDAP Compare operation
looking for the PAM service name in the authorizedService attribute.
.B slapd
ACLs should be set to grant or deny
.B Compare
privilege to the appropriate users or groups as desired.
If the
.B authz2dn
option is set then authz-regexp mappings will be used to map the
PAM username to an LDAP DN. The authentication DN will be of the
form
.RS
.B cn=<service>+uid=<user>,cn=<hostname>,cn=pam,cn=auth
.RE
If no mapping is found for this authentication DN, then this
mapping will be ignored.
If the
.B uid2dn
option is set then the NSS passwd SSD will be used to map the
PAM username to an LDAP DN. The passwd SSD must have already been
configured for this mapping to succeed.
If neither the authz2dn nor the uid2dn mapping succeeds, the module
will return a PAM_USER_UNKNOWN failure code. If both options are set,
the authz mapping is attempted first; if it succeeds the uid2dn mapping
will be skipped.
By default only the
.B uid2dn
option is set.
.RE
.TP
.B nssov-pam-defhost <hostname>
Specify a default hostname to check if an ipHost entry for the current
hostname cannot be found. This setting is only relevant if the
.B hostservice
option has been set.
.TP
.B nssov-pam-group-dn <DN>
Specify the DN of an LDAP group to check for authorization. The LDAP user
must be a member of this group for the login to be allowed. There is no
default value. This setting is only relevant if the
.B usergroup
option has been set.
.TP
.B nssov-pam-group-ad <attribute>
Specify the attribute to use for group membership checks.
There is no default value. This setting is only relevant if the
.B usergroup
option has been set.
.TP
.B nssov-pam-min-uid <integer>
Specify a minimum uid that is allowed to login. Users with a uidNumber
lower than this value will be denied access. The default is zero, which
disables this setting.
.TP
.B nssov-pam-max-uid <integer>
Specify a maximum uid that is allowed to login. Users with a uidNumber
higher than this value will be denied access. The default is zero, which
disables this setting.
.TP
.B nssov-pam-template-ad <attribute>
Specify an attribute to check in a user's entry for a template login name.
The template login feature is used by FreeBSD's PAM framework. It can be
viewed as a form of proxying, where a user can authenticate with one
username/password pair, but is assigned the identity and credentials of
the template user. This setting is disabled by default.
.TP
.B nssov-pam-template <name>
Specify a default username to be used if no template attribute is found
in the user's entry. The
.B nssov-pam-template-ad
directive must be configured for this setting to have any effect.
.TP
.B nssov-pam-session <service>
Specify a PAM service name whose sessions will be recorded. For the
configured services, logins will be recorded in the
.TP
.B nssov-pam-password-prohibit-message <message>
Disable password change service and return the specified message to
users.
.TP
.B nssov-pam-pwdmgr-dn <dn>
Specify the dn of the password manager.
.TP
.B nssov-pam-pwdmgr-pwd <pwd>
Specify the pwd of the password manager.
.TP
.B loginStatus
operational attribute of the user's entry. The attribute's values are
of the form
.RS
.RS
.B <generalizedTime> <host> <service> <tty> (<ruser@rhost>)
.RE
.RE
Upon logout the corresponding value will be deleted. This feature allows
a single LDAP Search to be used to check which users are logged in across
all the hosts of a network. The rootdn of the database is used to perform
the updates of the loginStatus attribute, so a rootdn must already be
configured for this feature to work. By default no services are configured.
.LP
The PAM functions support LDAP Password Policy as well. If the password
policy overlay is in use (see
.BR slapo-ppolicy (5)),
policy
information (e.g. password expiration, password quality, etc.)
may be returned to the PAM client as a result of authentication,
account management, and password modification requests.
The overlay also supports dynamic configuration in cn=config. An example
of the config entry is
.LP
.RS
.nf
dn: olcOverlay={0}nssov,ocDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcNssOvConfig
olcOverlay: {0}nssov
olcNssSsd: passwd ldap:///ou=users,dc=example,dc=com??one
olcNssMap: passwd uid accountName
olcNssPam: hostservice uid2dn
olcNssPamDefHost: defaulthost
olcNssPamMinUid: 500
olcNssPamMaxUid: 32000
olcNssPamSession: login
olcNssPamSession: sshd
.fi
.RE
.LP
which enables the passwd service, and uses the accountName attribute to
fetch what is usually retrieved from the uid attribute. It also enables
some PAM authorization controls, and specifies that the PAM
.B login
and
.B sshd
services should have their logins recorded.
.SH FILES
.TP
ETCDIR/slapd.conf
default slapd configuration file
.SH SEE ALSO
.BR slapd.conf (5),
.BR slapd\-config (5),
.BR slapd\-ldap (5),
.BR slapo\-pcache (5),
.BR slapo\-ppolicy (5),
.BR slapd (8).
.SH AUTHOR
Howard Chu, inspired by nss-ldapd by Arthur de Jong and pam_ldap by Luke Howard
Enhancements by Ted C. Cheng, Symas Corp.
|
