Provided by: slapd_2.4.49+dfsg-2ubuntu1.10_amd64

NAME

       slapo-nssov - NSS and PAM requests through a local Unix Domain socket

SYNOPSIS

       ETCDIR/slapd.conf

DESCRIPTION

       The  nssov  overlay  to slapd(8) services NSS and PAM requests through a local Unix Domain
       socket.  It uses the same IPC protocol as Arthur de Jong's nss-pam-ldapd.  An  extract  of
       the  nss-ldapd source is included along with the nssov source code to allow the overlay to
       communicate with the nss-pam-ldapd client stubs.

       Using  a  separate  IPC  protocol  for  NSS  and  PAM  requests  eliminates  the   libldap
       dependencies/clashes  that  the  current pam_ldap/nss_ldap solutions all suffer from. Both
       the original nss-ldapd and this nssov solution are free from these library issues.

       Unlike nss-pam-ldapd,  since  this  overlay  executes  inside  slapd  it  allows  for  the
       possibility  of  sophisticated  caching,  without  any of the weaknesses of nscd and other
       related caching solutions. E.g., a remote LDAP database can be  accessed  using  back-ldap
       with  proxy  caching  (see  slapd-ldap(5)  and  slapo-pcache(5)  ) to leverage back-ldap's
       connection pooling as well as pcache's persistent caching, to provide high performance and
       a  measure of support for disconnected operation.  Alternatively, cache considerations can
       be completely  eliminated  by  running  a  regular  database  with  syncrepl  to  maintain
       synchronization with a remote LDAP database.

       Another  major  benefit  of nssov is that it allows all security policy to be administered
       centrally via LDAP, instead of having fragile rules scattered across multiple flat  files.
       As such, there is no client-side configuration at all for the NSS/PAM stub libraries. (The
       stubs talk to the server via a Unix domain socket whose path is hardcoded  to  NSLCDPATH).
       As  a  side benefit, this can finally eliminate the perpetual confusion between OpenLDAP's
       ldap.conf file in ETCDIR/ldap.conf  and  the  similarly  named  files  typically  used  by
       pam_ldap and nss_ldap.

       User  authentication  is  performed by internal simple Binds. User authorization leverages
       the slapd ACL engine, which offers  much  more  power  and  flexibility  than  the  simple
       group/hostname checks in the old pam_ldap code.

       To  use this code, you will need the client-side stub library from nss-pam-ldapd.  You can
       get it from http://arthurdejong.org/nss-pam-ldapd
       You will not need the nslcd daemon; this overlay replaces that part.  To disable  building
       of  the  nslcd  daemon  in  nss-pam-ldapd,  add  the  --disable-nslcd  option  to  the
       nss-pam-ldapd configure script.  You should already be familiar  with  the  RFC2307  and
       RFC2307bis  schema  to  use  this overlay.  See the nss-pam-ldapd README for more
       information on the schema and which features are supported.

       You will also need to include the nis.schema  in  your  slapd  configuration  for  RFC2307
       support. If you wish to use RFC2307bis you will need a slightly different schema. You will
       also need the ldapns.schema for PAM authorization management.

       You must select ldap in the appropriate services in /etc/nsswitch.conf in order for  these
       NSS  features  to  take  effect.  Likewise, you must enable pam_ldap for the authenticate,
       account, session, and password services in  /etc/pam.conf  or  /etc/pam.d  for  these  PAM
       features to take effect.

       overlay nssov
              This directive adds the nssov overlay to the current backend.

       nssov-ssd <service> <url>
              This  directive  configures  a Service Search Descriptor (SSD) for each NSS service
              that will be used.  The <service> may be one of
                  aliases
                  ethers
                  group
                  hosts
                  netgroup
                  networks
                  passwd
                  protocols
                  rpc
                  services
                  shadow
              and the <url> must be of the form
                     ldap:///[<basedn>][??[<scope>][?<filter>]]
              The <basedn> will default to the first suffix of the current database.  The <scope>
              defaults to "subtree". The default <filter> depends on which service is being used.

       nssov-map <service> <orig> <new>
              If the local database is actually a proxy to a foreign LDAP server, some mapping of
              schema may be needed. This directive allows some simple attribute substitutions  to
              be  performed.  See  the  nss-ldapd/README for the original attribute names used in
              this code.

       nssov-pam <option> [...]
              This directive determines a number of PAM behaviors. Multiple options may  be  used
              at once, and available levels are:
                     userhost
                            check host attribute in user entry for authorization
                     userservice
                            check authorizedService attribute in user entry for authorization
                     usergroup
                            check that user is a member of specific group for authorization
                     hostservice
                            check authorizedService attribute in host entry for authorization
                     authz2dn
                            use authz-regexp mapping to map uid to LDAP DN
                     uid2dn
                            use NSS passwd SSD to map uid to LDAP DN

              Setting  the  userhost,  userservice, and usergroup options duplicates the original
              pam_ldap authorization behavior.

              The recommended approach is to  use  hostservice  instead.  In  this  case,  ipHost
              entries  must  be  created for all hosts being managed, and they must also have the
              authorizedServiceObject class to allow authorizedService  attributes  to  be  used.
              Also  the  NSS  host  SSD  must  be configured so that ipHost entries can be found.
              Authorization is checked by performing an LDAP Compare operation  looking  for  the
              PAM  service  name in the authorizedService attribute.  slapd ACLs should be set to
              grant or deny Compare privilege to the appropriate users or groups as desired.

              If the authz2dn option is set then authz-regexp mappings will be used  to  map  the
              PAM username to an LDAP DN. The authentication DN will be of the form
                     cn=<service>+uid=<user>,cn=<hostname>,cn=pam,cn=auth

              If  no  mapping  is  found  for  this  authentication DN, then this mapping will be
              ignored.

              If the uid2dn option is set then the NSS passwd SSD will be used  to  map  the  PAM
              username  to  an LDAP DN. The passwd SSD must have already been configured for this
              mapping to succeed.

              If neither the authz2dn nor the uid2dn mapping succeeds, the module will  return  a
              PAM_USER_UNKNOWN  failure  code.  If  both  options  are  set, the authz mapping is
              attempted first; if it succeeds the uid2dn mapping will be skipped.

              By default only the uid2dn option is set.

       nssov-pam-defhost <hostname>
              Specify a default hostname to check if an ipHost entry  for  the  current  hostname
              cannot  be  found. This setting is only relevant if the hostservice option has been
              set.

       nssov-pam-group-dn <DN>
              Specify the DN of an LDAP group to check for authorization. The LDAP user must be a
              member  of  this group for the login to be allowed. There is no default value. This
              setting is only relevant if the usergroup option has been set.

       nssov-pam-group-ad <attribute>
              Specify the attribute to use for group membership  checks.   There  is  no  default
              value.  This setting is only relevant if the usergroup option has been set.

       nssov-pam-min-uid <integer>
              Specify  a  minimum uid that is allowed to login. Users with a uidNumber lower than
              this value will be denied access. The default is zero, which disables this setting.

       nssov-pam-max-uid <integer>
              Specify a maximum uid that is allowed to login. Users with a uidNumber higher  than
              this value will be denied access. The default is zero, which disables this setting.

       nssov-pam-template-ad <attribute>
              Specify  an  attribute  to  check in a user's entry for a template login name.  The
              template login feature is used by FreeBSD's PAM framework. It can be  viewed  as  a
              form  of  proxying,  where a user can authenticate with one username/password pair,
              but is assigned the identity and credentials of the template user. This setting  is
              disabled by default.

       nssov-pam-template <name>
              Specify  a  default  username  to  be used if no template attribute is found in the
              user's entry. The nssov-pam-template-ad  directive  must  be  configured  for  this
              setting to have any effect.

       nssov-pam-session <service>
              Specify  a  PAM  service  name  whose sessions will be recorded. For the configured
              services, logins will be recorded in the loginStatus operational attribute  of  the
              user's entry. The attribute's values are of the form
                     <generalizedTime> <host> <service> <tty> (<ruser@rhost>)
              Upon  logout  the corresponding value will be deleted. This feature allows a single
              LDAP Search to be used to check which users are logged in across all the hosts of a
              network.  The  rootdn  of  the  database  is  used  to perform the updates of the
              loginStatus attribute, so a rootdn must already be configured for this feature  to
              work. By default no services are configured.

       nssov-pam-password-prohibit-message <message>
              Disable the password change service and return the specified message to users.

       nssov-pam-pwdmgr-dn <dn>
              Specify the DN of the password manager.

       nssov-pam-pwdmgr-pwd <pwd>
              Specify the password of the password manager.
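       The following slapd.conf fragment is an added example and is not part of this man page or
       of the OpenLDAP sources. It ties together the directives described above: the nssov-ssd
       descriptors (including the hosts SSD that the hostservice check depends on), an nssov-map
       substitution, the recommended "hostservice" PAM authorization with the slapd ACL that
       grants Compare on authorizedService, the uid bounds, and nssov-pam-session recording,
       which needs a rootdn. The suffix dc=example,dc=com, the container and group DNs, the
       schema and module paths and the uid limits are assumptions made for the example; comments
       are on their own lines because slapd.conf only treats a line starting with '#' as a
       comment.

```conf
# Added example (not from the man page or the OpenLDAP sources): slapd.conf
# fragment enabling slapo-nssov for NSS lookups and PAM authentication.
# Suffix, DNs, schema/module paths and uid limits below are assumptions.

# Schema paths assumed (Debian/Ubuntu layout). nis.schema gives RFC2307
# support; ldapns.schema (shipped with the nssov contrib module) provides
# authorizedServiceObject/authorizedService used for PAM authorization.
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/ldapns.schema

# Module name assumed; only needed when the overlay is built as a module.
moduleload      nssov.la

database        mdb
suffix          "dc=example,dc=com"
# A rootdn is required: nssov-pam-session updates loginStatus as the rootdn.
rootdn          "cn=admin,dc=example,dc=com"
# Placeholder: generate the hash with slappasswd, never store a cleartext value.
rootpw          "{SSHA}REPLACE-WITH-slappasswd-OUTPUT"

overlay         nssov

# NSS Service Search Descriptors: ldap:///[<basedn>][??[<scope>][?<filter>]]
# The filter is left to its per-service default.
nssov-ssd       passwd  ldap:///ou=users,dc=example,dc=com??one
nssov-ssd       shadow  ldap:///ou=users,dc=example,dc=com??one
nssov-ssd       group   ldap:///ou=groups,dc=example,dc=com??one
# hostservice looks the PAM host up as an ipHost entry through the hosts SSD.
# Each managed host entry must also carry objectClass authorizedServiceObject
# and list the permitted PAM service names in authorizedService.
nssov-ssd       hosts   ldap:///ou=hosts,dc=example,dc=com??one

# Attribute substitution, e.g. when the (proxied) directory stores the login
# name in accountName instead of uid.
nssov-map       passwd  uid accountName

# PAM: authorize by Compare on the host entry's authorizedService (hostservice)
# and map the PAM user name to a DN through the passwd SSD (uid2dn).
nssov-pam       hostservice uid2dn
# Host entry consulted when no ipHost entry exists for the current hostname.
nssov-pam-defhost   defaulthost
# Deny logins outside this uidNumber range (0 would disable the check).
nssov-pam-min-uid   1000
nssov-pam-max-uid   60000

# Record logins of these PAM services in the user's loginStatus attribute.
nssov-pam-session   login
nssov-pam-session   sshd

# Internal simple Binds need "auth" access to userPassword.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# hostservice authorization is an LDAP Compare on authorizedService in the
# host entry: only members of the assumed cn=shell-users group receive Compare
# rights there, everyone else is denied.
access to dn.subtree="ou=hosts,dc=example,dc=com" attrs=authorizedService
        by group.exact="cn=shell-users,ou=groups,dc=example,dc=com" compare
        by * none

# Authenticated users may read the rest of the tree; anonymous gets nothing.
access to *
        by users read
        by * none
```

       With this configuration a login through the sshd PAM service succeeds only when the user's
       uidNumber lies within 1000..60000, the host's ipHost entry contains the value "sshd" in
       authorizedService, and the bound user has Compare access to that attribute; the login is
       then recorded in the user's loginStatus attribute and removed again at logout.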

       The PAM functions support LDAP Password Policy as well. If the password policy overlay  is
       in  use  (see  slapo-ppolicy(5)),  policy  information (e.g. password expiration, password
       quality, etc.)  may be returned to the PAM client as a result of  authentication,  account
       management, and password modification requests.

       The  overlay  also  supports  dynamic configuration in cn=config. An example of the config
       entry is

                  dn: olcOverlay={0}nssov,ocDatabase={1}hdb,cn=config
                  objectClass: olcOverlayConfig
                  objectClass: olcNssOvConfig
                  olcOverlay: {0}nssov
                  olcNssSsd: passwd ldap:///ou=users,dc=example,dc=com??one
                  olcNssMap: passwd uid accountName
                  olcNssPam: hostservice uid2dn
                  olcNssPamDefHost: defaulthost
                  olcNssPamMinUid: 500
                  olcNssPamMaxUid: 32000
                  olcNssPamSession: login
                  olcNssPamSession: sshd

       which enables the passwd service, and uses the accountName  attribute  to  fetch  what  is
       usually retrieved from the uid attribute. It also enables some PAM authorization controls,
       and specifies that the PAM login and sshd services should have their logins recorded.

FILES

       ETCDIR/slapd.conf
              default slapd configuration file

SEE ALSO

       slapd.conf(5),   slapd-config(5),   slapd-ldap(5),   slapo-pcache(5),    slapo-ppolicy(5),
       slapd(8).

AUTHOR

       Howard  Chu,  inspired  by  nss-ldapd  by  Arthur  de  Jong  and  pam_ldap  by Luke Howard.
       Enhancements by Ted C. Cheng, Symas Corp.