example_configs: Update PAM integration

* Add more information for PAM integration: * Add info that custom attributes only work on nightly * Add sample lldap-cli command to set attribute * Modify nslcd to use unix-uid/gid directly as it is now supported * Add readme for PAM integration, removing the need for is-unix-user/group.
2024-11-24 08:45:08 +00:00 · 2024-09-16 18:19:03 -04:00 · 2024-09-16 18:19:03 -04:00 · a2ba71ac19
commit a2ba71ac19
parent 10a820f2a2
2 changed files with 22 additions and 12 deletions
--- a/example_configs/pam/README.md
+++ b/example_configs/pam/README.md
@ -1,3 +1,7 @@
+> [!IMPORTANT]
+> The integration requires custom ldap properties which are not supported on
+> stable (as of 2024-09-19), please use nightly/latest tag.
+
 # Configure lldap

 You MUST use LDAPS. You MUST NOT use plain ldap. Even over a private network
@ -42,13 +46,16 @@ The provided implementation uses custom attributes to mark users and groups
 that should be included in the system (for instance, you don't want LDAP
 accounts of other services to have a matching unix user).

-For users, you need to add an (integer) `is-unix-user` attribute, set manually
-to 1 for the users you want to enable. This could also be implemented as a
-group membership.
+> [!TIP]
+> You can create custom attributes in the Web UI, but to provide values, you
+> need to communicate with the API, see [scripting]. Example using lldap-cli:
+> `./lldap-cli user update set example-user unix-uid 5000`

-For groups, you need an (integer) `is-unix-group` attribute, similarly set to 1
-(this cannot be replaced by group membership until LLDAP supports nested group
-memberships).
+For users, you need to add an (integer) `unix-uid` attribute to the schema, and
+manually set the value for the users you want to enable to login with PAM.
+
+For groups, you need an (integer) `unix-gid` attribute, similarly set manually
+to some value.

 If you want to change this representation, update the `filter passwd` and
 `filter group` accordingly.
@ -87,3 +94,6 @@ You're done!
 ## Clearing nscd caches.

 If you want to manually clear nscd's caches, run `nscd -i passwd; nscd -i group`.
+
+[scripting]: https://github.com/lldap/lldap/blob/main/docs/scripting.md
+
--- a/example_configs/pam/nslcd.conf
+++ b/example_configs/pam/nslcd.conf
@ -16,8 +16,8 @@ base dc=example,dc=net
 #ldap_version 3

 # The DN to bind with for normal lookups.
-#binddn cn=...,ou=people,dc=example,dc=com
-#bindpw ...
+binddn cn=...,ou=people,dc=example,dc=com
+bindpw ...

 # The DN used for password modifications by root.
 #rootpwmoddn cn=admin,dc=example,dc=com
@ -34,17 +34,17 @@ reconnect_invalidate passwd group
 nss_initgroups_ignoreusers ALLLOCAL

 # Do you have users/groups that aren't for linux?  These filters determine which user/group objects are used.
-filter passwd (&(objectClass=posixAccount)(is-unix-user=1))
-filter group (&(objectClass=groupOfUniqueNames)(is-unix-group=1))
+filter passwd (&(objectClass=posixAccount)(unix-uid=*))
+filter group (&(objectClass=groupOfUniqueNames)(unix-gid=*))

 # This check is done AFTER authentication, in the pam "account" stage.
 # Regardless of if they used a LDAP password, or an SSH key, if they're an LDAP user, they have to pass this check.
-pam_authz_search (&(objectClass=posixAccount)(is-unix-user=1)(unix-username=$username)(memberOf=cn=YOUR_LOGIN_GROUP_FOR_THIS_MACHINE,ou=groups,dc=example,dc=com))
+pam_authz_search (&(objectClass=posixAccount)(unix-uid=*)(unix-username=$username)(memberOf=cn=YOUR_LOGIN_GROUP_FOR_THIS_MACHINE,ou=groups,dc=example,dc=com))


 map passwd uid unix-username
 map passwd uidNumber unix-uid
-map passwd gidNumber unix-uid
+map passwd gidNumber unix-gid
 map passwd gecos unix-username
 map passwd homeDirectory "/home/${unix-username}"
 map passwd loginShell unix-shell