This directory contains a slapd overlay, nssov, that handles
NSS lookup requests through a local Unix Domain socket. It uses the
same IPC protocol as Arthur de Jong's nss-ldapd, and a complete
copy of the nss-ldapd source is included here. It also handles

To use this code, you will need the client-side stub library from
nss-pam-ldapd. You can get it from:
http://arthurdejong.org/nss-pam-ldapd
You will not need the nslcd daemon; this overlay replaces that part.
To disable building of the nslcd daemon in nss-pam-ldapd, add the
--disable-nslcd option to the nss-pam-ldapd configure script. You
should already be familiar with the RFC2307 and RFC2307bis schema
to use this overlay. See the nss-pam-ldapd README for more information
on the schema and which features are supported.

To use the overlay, add:

include <path to>nis.schema

moduleload <path to>nssov.so

to your slapd configuration file. (The nis.schema file contains
the original RFC2307 schema. Some modifications will be needed to

The overlay may be configured with Service Search Descriptors (SSDs)
for each NSS service that will be used. SSDs are configured using

nssov-ssd <service> <url>

where the <service> may be one of

and the <url> must be of the form
ldap:///[<basedn>][??[<scope>][?<filter>]]

The <basedn> will default to the first suffix of the current database.
The <scope> defaults to "subtree". The default <filter> depends on which
service is being used.

If the local database is actually a proxy to a foreign LDAP server, some
mapping of schema may be needed. Some simple attribute substitutions may

nssov-map <service> <orig> <new>

See the nss-ldapd/README for the original attribute names used in this code.

The overlay also supports dynamic configuration in cn=config. The layout
of the config entry is

dn: olcOverlay={0}nssov,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcNssOvConfig

olcNssSsd: passwd ldap:///ou=users,dc=example,dc=com??one
olcNssMap: passwd uid accountName

which enables the passwd service, and uses the accountName attribute to
fetch what is usually retrieved from the uid attribute.

PAM authentication, account management, session management, and password
management are supported.

Authentication is performed using Simple Binds. Since all operations occur
inside the slapd overlay, "fake" connections are used and they are
inherently secure. Two methods of mapping the PAM username to an LDAP DN

the mapping can be accomplished using slapd's authz-regexp facility. In
this case, a DN of the form
cn=<service>+uid=<user>,cn=<hostname>,cn=pam,cn=auth
is fed into the regexp matcher. If a match is produced, the resulting DN

otherwise, the NSS passwd map is invoked (which means it must already

If no DN is found, the overlay returns PAM_USER_UNKNOWN. If the DN is
found, and Password Policy is supported, then the Bind will use the
Password Policy control and return expiration information to PAM.

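The slapd.conf fragment below is an added example; it is not part of this
README or of the nssov source. It puts the nssov-ssd and nssov-map
directives described above and the authz-regexp mapping of the PAM
authentication DN into one configuration. Assumed values: the suffix
dc=example,dc=com, the ou=users and ou=groups containers, the schema file
paths, the hdb backend from the cn=config example, the PAM service name
"login", and the "group" service name, which is taken from nss-pam-ldapd's
service list because the list of valid <service> names is missing from
this copy of the README.

```conf
# Added example slapd.conf fragment (not from the nssov README).
# Assumed: dc=example,dc=com suffix, ou=users/ou=groups containers,
# schema paths under /etc/openldap/schema, hdb backend.

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/ldapns.schema

moduleload      nssov.so

# Map the synthetic PAM authentication DN that nssov feeds to the
# regexp matcher,
#     cn=<service>+uid=<user>,cn=<hostname>,cn=pam,cn=auth
# onto the real user entry. Only the "login" service is mapped here;
# requests from any other PAM service do not match and therefore take
# the NSS passwd-map path described above. "[+]" is a bracket
# expression so the literal "+" of the multi-valued RDN is not read
# as a regex quantifier.
authz-regexp
        "^cn=login[+]uid=([^,]+),cn=[^,]+,cn=pam,cn=auth$"
        "uid=$1,ou=users,dc=example,dc=com"

database        hdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
directory       /var/lib/ldap

overlay         nssov
# passwd: one-level search under ou=users, default filter for passwd
nssov-ssd       passwd ldap:///ou=users,dc=example,dc=com??one
# group: subtree search under ou=groups with an explicit filter
nssov-ssd       group  ldap:///ou=groups,dc=example,dc=com??sub?(objectClass=posixGroup)
# the foreign directory stores the login name in accountName, not uid
nssov-map       passwd uid accountName
```

authz-regexp is a global directive and must appear before the first
database section, while overlay, nssov-ssd and nssov-map belong to the
database they serve. slapd matches the regexp against the normalized
(lowercase) authentication DN, so the pattern is written in lowercase.
<basedn>, <scope> and <filter> in each URL follow the form given above;
leaving a component empty keeps its default.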
Account management also uses two methods. These methods depend on the
ldapns.schema included with the nssov source.
The first is identical to the method used in PADL's pam_ldap module:
host and authorizedService attributes may be looked up in the user's entry,
and checked to determine access. Also a check may be performed to see if
the user is a member of a particular group. This method is pretty
inflexible and doesn't scale well to large networks of users, hosts,

The second uses slapd's ACL engine to check if the user has "compare"
privilege on an ipHost object whose name matches the current hostname, and
whose authorizedService attribute matches the current service name. This
method is preferred, since it allows authorization to be centralized in
the ipHost entries instead of scattered across the entire user population.
The ipHost entries must have an authorizedService attribute (e.g. by way
of the authorizedServiceObject auxiliary class) to use this method.

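The ACL fragment below is an added example of the second (ACL engine)
account-management method; it is not from this README or the nssov
source. Assumed: ipHost entries live under ou=hosts,dc=example,dc=com and
are named by the cn that holds the hostname, each carries the
authorizedServiceObject auxiliary class, the groups under ou=groups are
groupOfNames entries (which is what group.exact expects by default), and
the PAM service names are sshd and login.

```conf
# Added example ACLs (not from the nssov README). The overlay checks, as
# the bound user, whether "compare" is allowed on authorizedService of the
# ipHost entry for the current host with the current service as the value.
# Assumed: ou=hosts and ou=groups under dc=example,dc=com.

# sshd on host1 is limited to members of cn=host1-ssh.
access to dn.exact="cn=host1.example.com,ou=hosts,dc=example,dc=com"
        attrs=authorizedService val=sshd
        by group.exact="cn=host1-ssh,ou=groups,dc=example,dc=com" compare
        by * none

# console login on the shared host is open to any authenticated user.
access to dn.exact="cn=shared.example.com,ou=hosts,dc=example,dc=com"
        attrs=authorizedService val=login
        by users compare
        by * none

# Catch-all: no compare on authorizedService of any other host entry.
# "read" implies "compare", so do not grant read on this attribute to
# users who should not pass the check.
access to dn.subtree="ou=hosts,dc=example,dc=com" attrs=authorizedService
        by * none
```

slapd evaluates "access to" clauses in order and uses the first one whose
target matches, so the host-specific clauses must precede the catch-all.
The rootdn bypasses ACLs entirely. A decision can be checked offline with
slapacl, e.g. slapacl -D uid=alice,ou=users,dc=example,dc=com
-b cn=host1.example.com,ou=hosts,dc=example,dc=com
authorizedService/compare:sshd, before the host entries are put into use.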
Session management: the overlay may optionally add a "logged in" attribute
to a user's entry for successful logins, and delete the corresponding
value upon logout. The attribute value is of the form
<generalizedTime> <host> <service> <tty> (<ruser@rhost>)

Password management: the overlay will perform a PasswordModify exop
in the server for the given user.

This work is part of OpenLDAP Software <http://www.openldap.org/>.

Copyright 1998-2013 The OpenLDAP Foundation.
Portions Copyright 2008-2009 Howard Chu, Symas Corp. All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted only as authorized by the OpenLDAP

A copy of this license is available in the file LICENSE in the
top-level directory of the distribution or, alternatively, at
<http://www.OpenLDAP.org/license.html>.