Provided by: slapd_2.4.49+dfsg-2ubuntu1.10_amd64 
NAME
slapo-nssov - NSS and PAM requests through a local Unix Domain socket
SYNOPSIS
ETCDIR/slapd.conf
DESCRIPTION
The nssov overlay to slapd(8) services NSS and PAM requests through a local Unix Domain socket. It uses
the same IPC protocol as Arthur de Jong's nss-pam-ldapd. An extract of the nss-ldapd source is included
along with the nssov source code to allow the overlay to communicate with the nss-pam-ldapd client stubs.
Using a separate IPC protocol for NSS and PAM requests eliminates the libldap dependencies/clashes that
the current pam_ldap/nss_ldap solutions all suffer from. Both the original nss-ldapd and this nssov
solution are free from these library issues.
Unlike nss-pam-ldapd, since this overlay executes inside slapd it allows for the possibility of
sophisticated caching, without any of the weaknesses of nscd and other related caching solutions. E.g., a
remote LDAP database can be accessed using back-ldap with proxy caching (see slapd-ldap(5) and slapo-
pcache(5) ) to leverage back-ldap's connection pooling as well as pcache's persistent caching, to provide
high performance and a measure of support for disconnected operation. Alternatively, cache
considerations can be completely eliminated by running a regular database with syncrepl to maintain
synchronization with a remote LDAP database.
Another major benefit of nssov is that it allows all security policy to be administered centrally via
LDAP, instead of having fragile rules scattered across multiple flat files. As such, there is no client-
side configuration at all for the NSS/PAM stub libraries. (The stubs talk to the server via a Unix domain
socket whose path is hardcoded to NSLCDPATH). As a side benefit, this can finally eliminate the perpetual
confusion between OpenLDAP's ldap.conf file in ETCDIR/ldap.conf and the similarly named files typically
used by pam_ldap and nss_ldap.
User authentication is performed by internal simple Binds. User authorization leverages the slapd ACL
engine, which offers much more power and flexibility than the simple group/hostname checks in the old
pam_ldap code.
To use this code, you will need the client-side stub library from nss-pam-ldapd. You can get it from:
http://arthurdejong.org/nss-pam-ldapd You will not need the nslcd daemon; this overlay replaces that
part. To disable building of the nslcd daemon in nss-pam-ldapd, add the --disable-nslcd option to the
nss-pam-ldapd configure script. You should already be familiar with the RFC2307 and RFC2307bis schema to
use this overlay. See the nss-pam-ldapd README for more information on the schema and which features are
supported.
You will also need to include the nis.schema in your slapd configuration for RFC2307 support. If you wish
to use RFC2307bis you will need a slightly different schema. You will also need the ldapns.schema for PAM
authorization management.
You must select ldap in the appropriate services in /etc/nsswitch.conf in order for these NSS features to
take effect. Likewise, you must enable pam_ldap for the authenticate, account, session, and password
services in /etc/pam.conf or /etc/pam.d for these PAM features to take effect.
overlay nssov
This directive adds the nssov overlay to the current backend.
nssov-ssd <service> <url>
This directive configures a Service Search Descriptor (SSD) for each NSS service that will be
used. The <service> may be one of
aliases
ethers
group
hosts
netgroup
networks
passwd
protocols
rpc
services
shadow
and the <url> must be of the form
ldap:///[<basedn>][??[<scope>][?<filter>]]
The <basedn> will default to the first suffix of the current database. The <scope> defaults to
"subtree". The default <filter> depends on which service is being used.
nssov-map <service> <orig> <new>
If the local database is actually a proxy to a foreign LDAP server, some mapping of schema may be
needed. This directive allows some simple attribute substitutions to be performed. See the nss-
ldapd/README for the original attribute names used in this code.
nssov-pam <option> [...]
This directive determines a number of PAM behaviors. Multiple options may be used at once, and
available levels are:
userhost
check host attribute in user entry for authorization
userservice
check authorizedService attribute in user entry for authorization
usergroup
check that user is a member of specific group for authorization
hostservice
check authorizedService attribute in host entry for authorization
authz2dn
use authz-regexp mapping to map uid to LDAP DN
uid2dn use NSS passwd SSD to map uid to LDAP DN
Setting the userhost, userservice, and usergroup options duplicates the original pam_ldap
authorization behavior.
The recommended approach is to use hostservice instead. In this case, ipHost entries must be
created for all hosts being managed, and they must also have the authorizedServiceObject class to
allow authorizedService attributes to be used. Also the NSS host SSD must be configured so that
ipHost entries can be found. Authorization is checked by performing an LDAP Compare operation
looking for the PAM service name in the authorizedService attribute. slapd ACLs should be set to
grant or deny Compare privilege to the appropriate users or groups as desired.
If the authz2dn option is set then authz-regexp mappings will be used to map the PAM username to
an LDAP DN. The authentication DN will be of the form
cn=<service>+uid=<user>,cn=<hostname>,cn=pam,cn=auth
If no mapping is found for this authentication DN, then this mapping will be ignored.
If the uid2dn option is set then the NSS passwd SSD will be used to map the PAM username to an
LDAP DN. The passwd SSD must have already been configured for this mapping to succeed.
If neither the authz2dn nor the uid2dn mapping succeeds, the module will return a PAM_USER_UNKNOWN
failure code. If both options are set, the authz mapping is attempted first; if it succeeds the
uid2dn mapping will be skipped.
By default only the uid2dn option is set.
nssov-pam-defhost <hostname>
Specify a default hostname to check if an ipHost entry for the current hostname cannot be found.
This setting is only relevant if the hostservice option has been set.
nssov-pam-group-dn <DN>
Specify the DN of an LDAP group to check for authorization. The LDAP user must be a member of this
group for the login to be allowed. There is no default value. This setting is only relevant if the
usergroup option has been set.
nssov-pam-group-ad <attribute>
Specify the attribute to use for group membership checks. There is no default value. This
setting is only relevant if the usergroup option has been set.
nssov-pam-min-uid <integer>
Specify a minimum uid that is allowed to login. Users with a uidNumber lower than this value will
be denied access. The default is zero, which disables this setting.
nssov-pam-max-uid <integer>
Specify a maximum uid that is allowed to login. Users with a uidNumber higher than this value will
be denied access. The default is zero, which disables this setting.
nssov-pam-template-ad <attribute>
Specify an attribute to check in a user's entry for a template login name. The template login
feature is used by FreeBSD's PAM framework. It can be viewed as a form of proxying, where a user
can authenticate with one username/password pair, but is assigned the identity and credentials of
the template user. This setting is disabled by default.
nssov-pam-template <name>
Specify a default username to be used if no template attribute is found in the user's entry. The
nssov-pam-template-ad directive must be configured for this setting to have any effect.
nssov-pam-session <service>
Specify a PAM service name whose sessions will be recorded. For the configured services, logins
will be recorded in the
nssov-pam-password-prohibit-message <message>
Diable password change service and return the specified message to users.
nssov-pam-pwdmgr-dn <dn>
Specify the dn of the password manager.
nssov-pam-pwdmgr-pwd <pwd>
Specify the pwd of the password manager.
loginStatus
operational attribute of the user's entry. The attribute's values are of the form
<generalizedTime> <host> <service> <tty> (<ruser@rhost>)
Upon logout the corresponding value will be deleted. This feature allows a single LDAP Search to be used
to check which users are logged in across all the hosts of a network. The rootdn of the database is used
to perform the updates of the loginStatus attribute, so a rootdn must already be configured for this
feature to work. By default no services are configured.
The PAM functions support LDAP Password Policy as well. If the password policy overlay is in use (see
slapo-ppolicy(5)), policy information (e.g. password expiration, password quality, etc.) may be returned
to the PAM client as a result of authentication, account management, and password modification requests.
The overlay also supports dynamic configuration in cn=config. An example of the config entry is
dn: olcOverlay={0}nssov,ocDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcNssOvConfig
olcOverlay: {0}nssov
olcNssSsd: passwd ldap:///ou=users,dc=example,dc=com??one
olcNssMap: passwd uid accountName
olcNssPam: hostservice uid2dn
olcNssPamDefHost: defaulthost
olcNssPamMinUid: 500
olcNssPamMaxUid: 32000
olcNssPamSession: login
olcNssPamSession: sshd
which enables the passwd service, and uses the accountName attribute to fetch what is usually retrieved
from the uid attribute. It also enables some PAM authorization controls, and specifies that the PAM login
and sshd services should have their logins recorded.
FILES
ETCDIR/slapd.conf
default slapd configuration file
SEE ALSO
slapd.conf(5), slapd-config(5), slapd-ldap(5), slapo-pcache(5), slapo-ppolicy(5), slapd(8).
AUTHOR
Howard Chu, inspired by nss-ldapd by Arthur de Jong and pam_ldap by Luke Howard Enhancements by Ted C.
Cheng, Symas Corp.
OpenLDAP LDVERSION RELEASEDATE SLAPO-NSSOV(5)