
Starting out with NSS overlay - Guidance required



Hi gang!

I'm looking for some guidance on what is most probably a very common
objective, which is to manage all authentication to network hosts
from slapd.  To begin, my goal is to have:

1. one machine (generically-configured LDAP client) running sshd
(10.153.107.100)
2. multiple LDAP users
3. specify, from slapd, that only one user (tony) can log in over ssh
to the machine

Surprisingly, I have not found much documentation on this stuff beyond
the slapo-nssov man page.  Anyway, I have some LDIF entries ready to
go but I'm feeling very uneasy about dumping them in and hoping for
the best.  I would rather learn more about how this all works together
and hopefully get some pointers/gotchas from others who have done this
before.  That's why I'm writing this email.  In particular, at this
point I only want the bare necessities to achieve my simple goal
specified above.

My slapd server has the nis and ldapns schemas configured and the
client machine has libnss-ldapd (applied to group and passwd services)
and libpam-ldapd.  All systems are running Ubuntu 11.10.  I have
manually disabled nslcd on the Ubuntu client machine (sudo update-rc.d
nslcd disable).

These are the entries I have so far:

for slapd-config:

# NSSOV
dn: olcOverlay=nssov,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcNssOvConfig
olcOverlay: nssov
olcNssSsd: passwd ldap:///ou=People,dc=example,dc=com??one
olcNssSsd: group ldap:///ou=People,dc=example,dc=com??one
olcNssSsd: hosts ldap:///ou=People,dc=example,dc=com??one
olcNssPam: hostservice uid2dn
olcNssPamSession: sshd

# ACL
dn: olcDatabase={1}hdb,cn=config
olcAccess: to attrs=userPassword by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * none
# olcAccess values are evaluated in order and the first matching "to" clause
# wins, so the host-specific rule has to come before the catch-all "to *".
# LDIF folds a long value with continuation lines that begin with one space;
# a second space is needed so the joined value keeps a separator.
olcAccess: to dn.exact=cn=host1.example.com,ou=Hosts,dc=example,dc=com
  attrs=authorizedService
  by dn.exact=cn=ssh,ou=host1,ou=server_access,ou=Groups,dc=example,dc=com compare
  by * read
olcAccess: to * by self write by * read

==================

The sshd host, user & group entries from my regular hdb-based DIT:

# NSSOV HOST and USER
dn: cn=host1.example.com,ou=Hosts,dc=example,dc=com
objectClass: device
objectClass: top
objectClass: ipHost
objectClass: authorizedServiceObject
cn: host1.example.com
ipHostNumber: 10.153.107.100
authorizedService: sshd

dn: cn=ssh,ou=host1,ou=server_access,ou=Groups,dc=example,dc=com
objectClass: posixGroup
# the RDN value (ssh) must also be present as an attribute value
cn: ssh
cn: ssh-host1-server_access
gidNumber: 6000

dn: uid=tony,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: tony
cn: Tony Doe
uidNumber: 11000
gidNumber: 6000
userPassword: tonyldap
loginShell: /bin/bash
homeDirectory: /home/tony

===================

Anyone?

Thanks in advance,

Peter
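Added example, not code from this thread or from OpenLDAP: a small pre-flight checker for LDIF like the entries posted above. It parses the LDIF (folded lines, base64 values), reports lines ldapadd would reject (a line without `attr:`, an RDN value that is absent from the entry's attributes), and tests whether each `olcNssSsd` descriptor, in slapo-nssov's `ldap:///<base>?<attrs>?<scope>` form, actually selects the entries that map is meant to serve. The sample entries and descriptors are constructed from the post (trimmed, with the `cn=` typo kept on purpose); the checker assumes nssov resolves the host entry through the hosts map, so that entry has to lie within the hosts descriptor's base and scope, and it assumes DNs contain no escaped commas.

```python
# Pre-flight checks for nssov LDIF before ldapadd (added example, not code from
# this thread or from OpenLDAP).  Assumes DNs contain no escaped commas.
import base64
import re

# Constructed sample: the poster's entries (trimmed), including the 'cn=' typo
# on the host entry, and the three olcNssSsd values from the overlay config.
SAMPLE_LDIF = """\
dn: cn=host1.example.com,ou=Hosts,dc=example,dc=com
objectClass: ipHost
objectClass: authorizedServiceObject
cn=host1.example.com
ipHostNumber: 10.153.107.100
authorizedService: sshd

dn: cn=ssh,ou=host1,ou=server_access,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: ssh-host1-server_access
gidNumber: 6000

dn: uid=tony,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: tony
gidNumber: 6000
"""
SAMPLE_SSD = {
    "passwd": "ldap:///ou=People,dc=example,dc=com??one",
    "group": "ldap:///ou=People,dc=example,dc=com??one",
    "hosts": "ldap:///ou=People,dc=example,dc=com??one",
}
ATTR_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::|:<|:) ?(.*)$")


def parse_ldif(text):
    """Return (entries, problems); entries are {attr_lower: [values]}.  A logical
    line that is not a comment, blank or 'attr: value' is reported, not dropped."""
    logical = []                       # unfold: a leading space continues a line
    for no, raw in enumerate(text.splitlines(), 1):
        if raw.startswith(" ") and logical:
            logical[-1] = (logical[-1][0], logical[-1][1] + raw[1:])
        else:
            logical.append((no, raw))
    entries, problems, current = [], [], None
    for no, line in logical:
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        m = ATTR_RE.match(line)
        if not m:
            problems.append(f"line {no}: not 'attr: value' -> {line!r}")
            continue
        attr, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":                # base64-encoded value
            value = base64.b64decode(value).decode()
        if current is None:
            if attr != "dn":
                problems.append(f"line {no}: entry must start with 'dn:'")
                continue
            current = {}
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries, problems


def norm_dn(dn):
    return ",".join(p.strip().lower() for p in dn.split(","))


def rdn_check(entry):
    """slapd rejects an entry whose RDN value is missing from its attributes."""
    dn = entry["dn"][0]
    rdn_attr, rdn_val = dn.split(",", 1)[0].split("=", 1)
    present = [v.lower() for v in entry.get(rdn_attr.strip().lower(), [])]
    if rdn_val.strip().lower() not in present:
        return f"{dn}: naming attribute {rdn_attr}={rdn_val} not in entry"
    return None


def ssd_covers(ssd, dn):
    """Does a 'ldap:///<base>?<attrs>?<scope>' descriptor select this DN?"""
    parts = ssd[len("ldap:///"):].split("?") + ["", ""]
    base, scope, dn = norm_dn(parts[0]), parts[2] or "base", norm_dn(dn)
    if scope == "base":
        return dn == base
    if scope == "one":
        split = dn.split(",", 1)
        return len(split) == 2 and split[1] == base
    return dn == base or dn.endswith("," + base)   # sub / subtree


def preflight(ldif_text, ssds, service="sshd"):
    """Problems ldapadd would hit, per-map coverage of each entry by its
    search descriptor, and the host entries that authorize <service>."""
    entries, problems = parse_ldif(ldif_text)
    problems += [p for p in map(rdn_check, entries) if p]
    map_oc = {"hosts": "iphost", "group": "posixgroup", "passwd": "posixaccount"}
    coverage = {name: {e["dn"][0]: ssd_covers(ssds[name], e["dn"][0])
                       for e in entries
                       if oc in [c.lower() for c in e.get("objectclass", [])]}
                for name, oc in map_oc.items()}
    authorizing = [e["dn"][0] for e in entries
                   if service in e.get("authorizedservice", [])]
    return {"problems": problems, "coverage": coverage,
            "hosts_authorizing": authorizing}


if __name__ == "__main__":
    print(preflight(SAMPLE_LDIF, SAMPLE_SSD))
```

Run against the sample, `preflight` reports three problems (the `cn=host1.example.com` line, the host entry that consequently has no `cn` value, and the group whose RDN `cn=ssh` does not match `cn: ssh-host1-server_access`), shows that the `passwd` descriptor covers `uid=tony` while the `hosts` and `group` descriptors (one level under `ou=People`) select neither the host entry under `ou=Hosts` nor the group under `ou=Groups`, and lists the host entry as the only one carrying `authorizedService: sshd`. Pointing the hosts descriptor at `ou=Hosts` and the group descriptor at `ou=Groups` with scope `sub` makes `ssd_covers` return true for both.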