.TH SLAPO-NSSOV 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 1998-2010 The OpenLDAP Foundation, All Rights Reserved.
+.\" Copyright 1998-2014 The OpenLDAP Foundation, All Rights Reserved.
.\" Copying restrictions apply. See the COPYRIGHT file.
.\" $OpenLDAP$
.SH NAME
overlay to
.BR slapd (8)
services NSS and PAM requests through a local Unix Domain socket.
-It uses the same IPC protocol as Arthur de Jong's nss-ldapd, and
-a complete copy of the nss-ldapd source is included along with the
-nssov source code.
+It uses the same IPC protocol as Arthur de Jong's nss-pam-ldapd.
+An extract of the nss-ldapd source is included along with the
+nssov source code to allow the overlay to communicate with the
+nss-pam-ldapd client stubs.
.LP
Using a separate IPC protocol for NSS and PAM requests eliminates the
libldap dependencies/clashes that the current pam_ldap/nss_ldap solutions
all suffer from. Both the original nss-ldapd and this nssov solution
are free from these library issues.
.LP
-Unlike nss-ldapd, since this overlay executes inside slapd it allows for
+Unlike nss-pam-ldapd, since this overlay executes inside slapd it allows for
the possibility of sophisticated caching, without any of the weaknesses of
nscd and other related caching solutions. E.g., a remote LDAP database can
be accessed using back-ldap with proxy caching (see
administered centrally via LDAP, instead of having fragile rules scattered
across multiple flat files. As such, there is no client-side configuration at
all for the NSS/PAM stub libraries. (The stubs talk to the server via a Unix
-domain socket whose path is hardcoded to /var/run/nslcd/). As a side benefit,
+domain socket whose path is hardcoded to NSLCDPATH). As a side benefit,
this can finally eliminate the perpetual confusion between OpenLDAP's
ldap.conf file in ETCDIR/ldap.conf and the similarly named files typically
used by pam_ldap and nss_ldap.
than the simple group/hostname checks in the old pam_ldap code.
.LP
To use this code, you will need the client-side stub library from
-nss-ldapd (which resides in nss-ldapd/nss). You will not need the
-nslcd daemon; this overlay replaces that part. You should already
-be familiar with the [RFC2307] and [RFC2307bis] schema to use this
-overlay. See the
-.B nss-ldapd/README
-for more information on the schema and which features are supported.
+nss-pam-ldapd. You can get it from:
+http://arthurdejong.org/nss-pam-ldapd
+You will not need the nslcd daemon; this overlay replaces that part.
+To disable building of the nslcd daemon in nss-pam-ldapd, add the
+--disable-nslcd option to the nss-pam-ldapd configure script. You
+should already be familiar with the RFC2307 and RFC2307bis schema
+to use this overlay. See the nss-pam-ldapd README for more information
+on the schema and which features are supported.
.LP
You will also need to include the nis.schema in your slapd configuration
for RFC2307 support. If you wish to use RFC2307bis you will need a slightly
.B usergroup
option has been set.
.TP
-.B nssov-pam-minuid <integer>
+.B nssov-pam-min-uid <integer>
Specify a minimum uid that is allowed to login. Users with a uidNumber
lower than this value will be denied access. The default is zero, which
disables this setting.
.TP
-.B nssov-pam-maxuid <integer>
+.B nssov-pam-max-uid <integer>
Specify a maximum uid that is allowed to login. Users with a uidNumber
higher than this value will be denied access. The default is zero, which
disables this setting.
.B nssov-pam-session <service>
Specify a PAM service name whose sessions will be recorded. For the
configured services, logins will be recorded in the
+.TP
+.B nssov-pam-password-prohibit-message <message>
+Diable password change service and return the specified message to
+users.
+.TP
+.B nssov-pam-pwdmgr-dn <dn>
+Specify the dn of the password manager.
+.TP
+.B nssov-pam-pwdmgr-pwd <pwd>
+Specify the pwd of the password manager.
+.TP
.B loginStatus
operational attribute of the user's entry. The attribute's values are
of the form
.BR slapd (8).
.SH AUTHOR
Howard Chu, inspired by nss-ldapd by Arthur de Jong and pam_ldap by Luke Howard
+Enhancements by Ted C. Cheng, Symas Corp.
projects / openldap / blobdiff