diff --git a/example_configs/pam/README.md b/example_configs/pam/README.md
index f9eabb2..493cf13 100644
--- a/example_configs/pam/README.md
+++ b/example_configs/pam/README.md
@@ -1,3 +1,7 @@
+> [!IMPORTANT]
+> The integration requires custom ldap properties which are not supported on
+> stable (as of 2024-09-19), please use nightly/latest tag.
+
 # Configure lldap
 
 You MUST use LDAPS. You MUST NOT use plain ldap. Even over a private network
@@ -42,13 +46,16 @@ The provided implementation uses custom attributes to mark users and groups
 that should be included in the system (for instance, you don't want LDAP
 accounts of other services to have a matching unix user).
 
-For users, you need to add an (integer) `is-unix-user` attribute, set manually
-to 1 for the users you want to enable. This could also be implemented as a
-group membership.
+> [!TIP]
+> You can create custom attributes in the Web UI, but to provide values, you
+> need to communicate with the API, see [scripting]. Example using lldap-cli:
+> `./lldap-cli user update set example-user unix-uid 5000`
 
-For groups, you need an (integer) `is-unix-group` attribute, similarly set to 1
-(this cannot be replaced by group membership until LLDAP supports nested group
-memberships).
+For users, you need to add an (integer) `unix-uid` attribute to the schema, and
+manually set the value for the users you want to enable to login with PAM.
+
+For groups, you need an (integer) `unix-gid` attribute, similarly set manually
+to some value.
 
 If you want to change this representation, update the `filter passwd` and
 `filter group` accordingly.
@@ -87,3 +94,6 @@ You're done!
 ## Clearing nscd caches.
 
 If you want to manually clear nscd's caches, run `nscd -i passwd; nscd -i group`.
+
+[scripting]: https://github.com/lldap/lldap/blob/main/docs/scripting.md
+
diff --git a/example_configs/pam/nslcd.conf b/example_configs/pam/nslcd.conf
index 0e674d6..1bead16 100644
--- a/example_configs/pam/nslcd.conf
+++ b/example_configs/pam/nslcd.conf
@@ -16,8 +16,8 @@ base dc=example,dc=net
 #ldap_version 3
 
 # The DN to bind with for normal lookups.
-#binddn cn=...,ou=people,dc=example,dc=com
-#bindpw ...
+binddn cn=...,ou=people,dc=example,dc=com
+bindpw ...
 
 # The DN used for password modifications by root.
 #rootpwmoddn cn=admin,dc=example,dc=com
@@ -34,17 +34,17 @@ reconnect_invalidate passwd group
 nss_initgroups_ignoreusers ALLLOCAL
 
 # Do you have users/groups that aren't for linux? These filters determine which user/group objects are used.
-filter passwd (&(objectClass=posixAccount)(is-unix-user=1))
-filter group (&(objectClass=groupOfUniqueNames)(is-unix-group=1))
+filter passwd (&(objectClass=posixAccount)(unix-uid=*))
+filter group (&(objectClass=groupOfUniqueNames)(unix-gid=*))
 
 # This check is done AFTER authentication, in the pam "account" stage.
 # Regardless of if they used a LDAP password, or an SSH key, if they're an LDAP user, they have to pass this check.
-pam_authz_search (&(objectClass=posixAccount)(is-unix-user=1)(unix-username=$username)(memberOf=cn=YOUR_LOGIN_GROUP_FOR_THIS_MACHINE,ou=groups,dc=example,dc=com))
+pam_authz_search (&(objectClass=posixAccount)(unix-uid=*)(unix-username=$username)(memberOf=cn=YOUR_LOGIN_GROUP_FOR_THIS_MACHINE,ou=groups,dc=example,dc=com))
 
 map passwd uid unix-username
 map passwd uidNumber unix-uid
-map passwd gidNumber unix-uid
+map passwd gidNumber unix-gid
 map passwd gecos unix-username
 map passwd homeDirectory "/home/${unix-username}"
 map passwd loginShell unix-shell
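Review bot: Now that `binddn`/`bindpw` are live rather than commented out, the placeholder DN `cn=...,ou=people,dc=example,dc=com` disagrees with the `base dc=example,dc=net` shown in this hunk's header, and, as far as I recall, lldap addresses user entries as `uid=<name>,ou=people,...` rather than `cn=`, so a reader who only fills in the dots ends up with a DN the server will not resolve. I would make the template self-consistent, e.g. `binddn uid=YOUR_BIND_USER,ou=people,dc=example,dc=net` (constructed placeholder), and note the consequence of an uncommented `bindpw` directly above it: `# Bind as a dedicated read-only account; this file now holds its password, so keep it owned by root with mode 0600.`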
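Review bot: `map passwd gidNumber unix-gid` reads `unix-gid` from the user entry, but the README in this same commit documents `unix-gid` only as a group attribute and `unix-uid` as the user attribute, so unless users are also given a `unix-gid` value their passwd entries come back without a primary group (nslcd drops entries missing a required field, if I remember correctly). Either document that users need a `unix-gid` as well, or keep the previous user-private-group behaviour with `map passwd gidNumber unix-uid` and map `gidNumber` to `unix-gid` only on the group side (the `map group` lines are outside this hunk). Separately, the new `(unix-uid=*)` presence test in `filter passwd` and `pam_authz_search` admits any user with the attribute set and nothing here enforces uniqueness, so a duplicate `unix-uid` makes two LDAP accounts share one unix identity; that deserves a comment above the filters such as `# unix-uid / unix-gid must be unique per entry: a duplicate collapses two LDAP objects into one unix uid/gid.`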