.TH SLAPO-NSSOV 5 "RELEASEDATE" "OpenLDAP LDVERSION"
.\" Copyright 1998-2009 The OpenLDAP Foundation, All Rights Reserved.
.\" Copying restrictions apply. See the COPYRIGHT file.
slapo-nssov \- NSS lookup requests through a local Unix Domain socket
allows NSS lookup requests through a local Unix Domain socket.
It uses the same IPC protocol as Arthur de Jong's nss-ldapd, and
a complete copy of the nss-ldapd source is included here. It also
The main objective here was to eliminate the libldap dependencies/clashes that
the current pam_ldap/nss_ldap solutions all suffer from. A secondary objective
was to allow for the possibility of more sophisticated caching than nscd
provides. (E.g., run slapd back-ldap + pcache on each node.) Of course, you
can also completely eliminate cache staleness considerations by running a
regular database with syncrepl.
And of course, another major objective was to allow all security policy to be
administered centrally via LDAP, instead of having fragile rules scattered
across multiple flat files. As such, there is no client-side configuration at
all for the pam/nss stub libraries. (They talk to the server via a Unix domain
socket whose path is hardcoded to /var/run/nslcd/). As a side benefit, this
can finally eliminate the perpetual confusion over /etc/ldap.conf vs
/etc/openldap/ldap.conf.
User authentication is performed by internal simple Binds. User authorization
leverages the slapd ACL engine, which offers much more power and flexibility
than the simple group/hostname checks in the old pam_ldap code.
To use this code, you will need the client-side stub library from
nss-ldapd (which resides in nss-ldapd/nss). You will not need the
nslcd daemon; this overlay replaces that part. You should already
be familiar with the [RFC2307] and [RFC2307bis] schema to use this
for more information on the schema and which features are supported.
To use the overlay add:
include <path to>nis.schema
moduleload <path to>nssov.so
to your slapd configuration file. (The nis.schema file contains
the original [RFC2307] schema. Some modifications will be needed to
The overlay may be configured with
.B Service Search Descriptors (SSDs)
for each NSS service that will be used. SSDs are configured using
nssov-ssd <service> <url>
where the <service> may be one of
and the <url> must be of the form
ldap:///[<basedn>][??[<scope>][?<filter>]]
will default to the first suffix of the current database.
defaults to "subtree". The default
depends on which service is being used.
If the local database is actually a proxy to a foreign LDAP server, some
mapping of schema may be needed. Some simple attribute substitutions may
nssov-map <service> <orig> <new>
for the original attribute names used in this code.
The overlay also supports dynamic configuration in cn=config. The layout
of the config entry is
dn: olcOverlay={0}nssov,ocDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcNssOvConfig
olcNssSvc: passwd ldap:///ou=users,dc=example,dc=com??one
olcNssMap: passwd uid accountName
which enables the passwd service, and uses the accountName attribute to
fetch what is usually retrieved from the uid attribute.
PAM authentication, account management, session management, and password
management are supported.
Authentication is performed using Simple Binds. Since all operations occur
inside the slapd overlay, "fake" connections are used and they are
inherently secure. Two methods of mapping the PAM username to an LDAP DN
the mapping can be accomplished using slapd's authz-regexp facility. In
this case, a DN of the form
.B cn=<service>+uid=<user>,cn=<hostname>,cn=pam,cn=auth
is fed into the regexp matcher. If a match is produced, the resulting DN
is used. Otherwise, the NSS passwd map is invoked (which means it must already
If no DN is found, the overlay returns PAM_USER_UNKNOWN. If the DN is
found, and Password Policy is supported, then the Bind will use the
Password Policy control and return expiration information to PAM.
Account management also uses two methods. These methods depend on the
ldapns.schema included with the nssov source.
The first is identical to the method used in PADL's pam_ldap module:
host and authorizedService attributes may be looked up in the user's entry,
and checked to determine access. Also a check may be performed to see if
the user is a member of a particular group. This method is pretty
inflexible and doesn't scale well to large networks of users, hosts,
The second uses slapd's ACL engine to check if the user has "compare"
privilege on an ipHost object whose name matches the current hostname, and
whose authorizedService attribute matches the current service name. This
method is preferred, since it allows authorization to be centralized in
the ipHost entries instead of scattered across the entire user population.
The ipHost entries must have an authorizedService attribute (e.g. by way
of the authorizedServiceObject auxiliary class) to use this method.
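The authz-regexp mapping of the PAM DN and the ACL-based account check described above, wired together as an added slapd.conf example that is not from the nssov source or this man page. The suffix dc=example,dc=com, the ou=users, ou=hosts and ou=groups containers, the host ws1, the service sshd, the per-host groups cn=<host>-users and the schema paths are all assumptions.

```conf
# Added example, not from the nssov source: slapd.conf fragment joining the
# authz-regexp PAM mapping with the ACL-based account check.
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/ldapns.schema
moduleload      nssov.so

# PAM username -> DN. The overlay feeds
#   cn=<service>+uid=<user>,cn=<hostname>,cn=pam,cn=auth
# to the matcher; service and host are ignored, the user is found by uid.
# '+' is written as a character class to avoid backslash escaping in the
# quoted string (assumes the normalized DN keeps the cn/uid order shown).
authz-regexp
    "^cn=[^,+]+[+]uid=([^,+]+),cn=[^,]+,cn=pam,cn=auth$"
    "ldap:///ou=users,dc=example,dc=com??one?(uid=$1)"

database        hdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
directory       /var/lib/ldap

# The internal simple Bind needs "auth" on userPassword; nobody may read it.
# "self write" is what lets the PasswordModify exop change the user's password.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Account check: the overlay tests whether the bound user has "compare"
# privilege on authorizedService of the ipHost entry named after the host.
# Each host entry is expected to look like (ipHost is AUXILIARY in
# nis.schema, so a structural class such as device is needed):
#   dn: cn=ws1,ou=hosts,dc=example,dc=com
#   objectClass: device
#   objectClass: ipHost
#   objectClass: authorizedServiceObject
#   cn: ws1
#   ipHostNumber: 192.0.2.10
#   authorizedService: sshd
# Only members of cn=ws1-users may compare; everyone else is refused the
# service on ws1 without any change to user entries.
access to dn.regex="^cn=([^,]+),ou=hosts,dc=example,dc=com$"
        attrs=authorizedService
    by group.expand="cn=$1-users,ou=groups,dc=example,dc=com" compare
    by * none
access to *
    by * read

overlay         nssov
nssov-ssd       passwd ldap:///ou=users,dc=example,dc=com??one
```

Adding a host to a user's allowed set is then a single member addition to cn=<host>-users, and removing the group entry denies the host to everyone, since the compare falls through to "by * none".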
Session management: the overlay may optionally add a "logged in" attribute
to a user's entry for successful logins, and delete the corresponding
value upon logout. The attribute value is of the form
.B <generalizedTime> <host> <service> <tty> (<ruser@rhost>)
Password management: the overlay will perform a PasswordModify exop
in the server for the given user.
default slapd configuration file
.BR slapd\-config (5),
Originally implemented by Howard Chu; man page Gavin Henry, Suretec Systems Ltd.