This directory contains a slapd overlay, nssov, that handles
NSS lookup requests through a local Unix Domain socket. It uses the
same IPC protocol as Arthur de Jong's nss-ldapd, and a complete
copy of the nss-ldapd source is included here. It also handles
PAM requests.

To use this code, you will need the client-side stub library from
nss-ldapd (which resides in nss-ldapd/nss). You will not need the
nslcd daemon; this overlay replaces that part. You should already
be familiar with the RFC2307 and RFC2307bis schema to use this
overlay. See the nss-ldapd/README for more information on the
schema and which features are supported.

To use the overlay, add:

    include <path to>nis.schema

    moduleload <path to>nssov.so
    ...

    database hdb
    ...
    overlay nssov

to your slapd configuration file. (The nis.schema file contains
the original RFC2307 schema. Some modifications will be needed to
use RFC2307bis.)

The overlay may be configured with Service Search Descriptors (SSDs)
for each NSS service that will be used. SSDs are configured using

    nssov-ssd <service> <url>

where the <service> may be one of
    aliases
    ethers
    group
    hosts
    netgroup
    networks
    passwd
    protocols
    rpc
    services
    shadow

and the <url> must be of the form
    ldap:///[<basedn>][??[<scope>][?<filter>]]

The <basedn> will default to the first suffix of the current database.
The <scope> defaults to "subtree". The default <filter> depends on which
service is being used.

If the local database is actually a proxy to a foreign LDAP server, some
mapping of schema may be needed. Some simple attribute substitutions may
be performed using

    nssov-map <service> <orig> <new>

See the nss-ldapd/README for the original attribute names used in this code.

The overlay also supports dynamic configuration in cn=config.
The layout of the config entry is

    dn: olcOverlay={0}nssov,olcDatabase={1}hdb,cn=config
    objectClass: olcOverlayConfig
    objectClass: olcNssOvConfig
    olcOverlay: {0}nssov
    olcNssSsd: passwd ldap:///ou=users,dc=example,dc=com??one
    olcNssMap: passwd uid accountName

which enables the passwd service, and uses the accountName attribute to
fetch what is usually retrieved from the uid attribute.

PAM authentication, account management, session management, and password
management are supported.

Authentication is performed using Simple Binds. Since all operations occur
inside the slapd process, internal ("fake") connections are used: the Bind
never traverses the network, so it needs no transport protection of its
own. Two methods of mapping the PAM username to an LDAP DN are provided:
    the mapping can be accomplished using slapd's authz-regexp facility. In
this case, a DN of the form
    cn=<service>+uid=<user>,cn=<hostname>,cn=pam,cn=auth
is fed into the regexp matcher. If a match is produced, the resulting DN
is used.
    otherwise, the NSS passwd map is invoked (which means it must already
be configured).

If no DN is found, the overlay returns PAM_USER_UNKNOWN. If the DN is
found, and Password Policy is supported, then the Bind will use the
Password Policy control and return expiration information to PAM.

Account management also uses two methods. These methods depend on the
ldapns.schema included with the nssov source.
    The first is identical to the method used in PADL's pam_ldap module:
host and authorizedService attributes may be looked up in the user's entry,
and checked to determine access. Also a check may be performed to see if
the user is a member of a particular group. This method is pretty
inflexible and doesn't scale well to large networks of users, hosts,
and services.
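The following cn=config LDIF is an example added here; it is not part of the nssov source or the OpenLDAP documentation. It ties together the pieces described above (the SSD URL form with an explicit base, scope and filter, an attribute map, the cn=config overlay entry, and an olcAuthzRegexp for the PAM DN form) and adds the olcAccess rule and a sample ipHost entry that the ACL-based account management method described in the next paragraph relies on. The suffix dc=example,dc=com, the ou=users, ou=groups and ou=hosts subtrees, the group names cn=shell-users and cn=admins, the host web01 with address 192.0.2.10, and the service name sshd are all assumptions; the rest of the database ACLs (including auth access to userPassword for the Bind) are assumed to exist already.

```ldif
# Assumed layout: users under ou=users, POSIX groups under ou=groups,
# ipHost entries under ou=hosts, suffix dc=example,dc=com.

# 1. Global: map the DN the overlay feeds to the regexp matcher,
#    cn=<service>+uid=<user>,cn=<hostname>,cn=pam,cn=auth,
#    to the user's real entry through a search URL. $1 is the PAM
#    service, $2 the PAM user, $3 the host; only $2 is used here.
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: {0}^cn=([^+,]+)\+uid=([^,]+),cn=([^,]+),cn=pam,cn=auth$
  ldap:///ou=users,dc=example,dc=com??one?(uid=$2)

# 2. Database ACL, inserted first: members of cn=shell-users may
#    "compare" the value sshd of authorizedService on any ipHost entry,
#    members of cn=admins may compare every authorizedService value,
#    nobody else gets compare, so the PAM account check fails for them.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.children="ou=hosts,dc=example,dc=com"
  attrs=authorizedService val=sshd
  by group.exact="cn=shell-users,ou=groups,dc=example,dc=com" compare
  by group.exact="cn=admins,ou=groups,dc=example,dc=com" compare
  by * none
-
add: olcAccess
olcAccess: {1}to dn.children="ou=hosts,dc=example,dc=com"
  attrs=authorizedService
  by group.exact="cn=admins,ou=groups,dc=example,dc=com" compare
  by * none

# 3. The overlay entry: one SSD per service that will be used, each
#    with an explicit base, one-level scope and filter (subtree is the
#    default scope; the default filter depends on the service), plus a
#    map that reads displayName where the code expects gecos.
dn: olcOverlay={0}nssov,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcNssOvConfig
olcOverlay: {0}nssov
olcNssSsd: passwd ldap:///ou=users,dc=example,dc=com??one?(objectClass=posixAccount)
olcNssSsd: shadow ldap:///ou=users,dc=example,dc=com??one?(objectClass=shadowAccount)
olcNssSsd: group ldap:///ou=groups,dc=example,dc=com??one?(objectClass=posixGroup)
olcNssSsd: hosts ldap:///ou=hosts,dc=example,dc=com??one?(objectClass=ipHost)
olcNssMap: passwd gecos displayName

# 4. Constructed sample host entry the ACL above protects. ipHost is an
#    auxiliary class, so a structural class (device) carries it, and
#    authorizedServiceObject from ldapns.schema supplies authorizedService.
dn: cn=web01,ou=hosts,dc=example,dc=com
changetype: add
objectClass: device
objectClass: ipHost
objectClass: authorizedServiceObject
cn: web01
ipHostNumber: 192.0.2.10
authorizedService: sshd
authorizedService: login
```

With this in place, a login of user alice to service sshd on host web01 is mapped by the regexp to a one-level search for (uid=alice) under ou=users, the Bind runs against that entry, and the account check then asks the ACL engine whether alice's DN has compare access to authorizedService=sshd on cn=web01,ou=hosts,dc=example,dc=com. Granting access per service value (rule {0}) keeps the decision in the host entry and the group, which is the centralization the ACL-based method is meant to provide.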
    The second uses slapd's ACL engine to check if the user has "compare"
privilege on an ipHost object whose name matches the current hostname, for
the authorizedService value equal to the current service name. The check is
evaluated as the user's own DN, so the user's ACL rights decide. This
method is preferred, since it allows authorization to be centralized in
the ipHost entries instead of scattered across the entire user population.
The ipHost entries must have an authorizedService attribute (e.g. by way
of the authorizedServiceObject auxiliary class) to use this method.

Session management: the overlay may optionally add a "logged in" attribute
to a user's entry for successful logins, and delete the corresponding
value upon logout. The attribute value is of the form
    <generalizedTime> <host> <service> <tty> (<ruser@rhost>)

Password management: the overlay will perform a PasswordModify exop
in the server for the given user.

---
This work is part of OpenLDAP Software <http://www.openldap.org/>.

Copyright 1998-2009 The OpenLDAP Foundation.
Portions Copyright 2008-2009 Howard Chu, Symas Corp. All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted only as authorized by the OpenLDAP
Public License.

A copy of this license is available in the file LICENSE in the
top-level directory of the distribution or, alternatively, at
<http://www.OpenLDAP.org/license.html>.