From 33801fc3071c8a161250b15c3815fc19ca20e41a Mon Sep 17 00:00:00 2001 From: Dave Olson Date: Thu, 22 Jun 2017 09:27:28 -0700 Subject: Fixed naming of nss_mapuser.5 and conf file; naming in manpages --- Makefile | 2 +- README | 4 +-- debian/libnss-mapuser.manpages | 2 +- map_common.c | 2 +- mapuser_nss.5 | 67 ------------------------------------------ mapuser_nss.conf | 32 -------------------- nss_mapuser.5 | 67 ++++++++++++++++++++++++++++++++++++++++++ nss_mapuser.8 | 6 ++-- nss_mapuser.conf | 34 +++++++++++++++++++++ 9 files changed, 109 insertions(+), 107 deletions(-) delete mode 100644 mapuser_nss.5 delete mode 100644 mapuser_nss.conf create mode 100644 nss_mapuser.5 create mode 100644 nss_mapuser.conf diff --git a/Makefile b/Makefile index 598123f..d32c8f5 100644 --- a/Makefile +++ b/Makefile @@ -44,7 +44,7 @@ install: all $(DESTDIR)$(LIBDIR)/${NSSNAMELIB} $(STRIP) --strip-all --keep-symbol=_nss_mapuid_getpwuid_r \ $(DESTDIR)$(LIBDIR)/${NSSUIDLIB} - install -m 644 mapuser_nss.conf $(DESTDIR)/etc/ + install -m 644 nss_mapuser.conf $(DESTDIR)/etc/ clean: rm -f *.o $(NSSNAMELIB) $(NSSUIDLIB) diff --git a/README b/README index efcec72..8542b5a 100644 --- a/README +++ b/README @@ -17,7 +17,7 @@ it is not possible to determine if a username is valid without authenticating at the same time. The mapping is done to a single account specified in the configuration -file /etc/mapuser_nss.conf. +file /etc/nss_mapuser.conf. The returned passwd field is always filled in as 'x', so that authentication of the base account is not possible through PAM. Only the mapped accounts 
@@ -40,7 +40,7 @@ This package will create the radius_user account with adduser if it does not already exist, and that is the default mapping in the configuration, and will add the group radius_users with the addgroup command. -The mapping can be changed in the configuration file /etc/mapuser_nss.conf. +The mapping can be changed in the configuration file /etc/nss_mapuser.conf. In that case, the account must already exist, or should be created with a command similar to: adduser --quiet --firstuid 1000 --disabled-login --ingroup GROUP \ diff --git a/debian/libnss-mapuser.manpages b/debian/libnss-mapuser.manpages index 37b163c..f6b63f5 100644 --- a/debian/libnss-mapuser.manpages +++ b/debian/libnss-mapuser.manpages @@ -1,2 +1,2 @@ -mapuser_nss.5 +nss_mapuser.5 nss_mapuser.8 diff --git a/map_common.c b/map_common.c index c274853..1c3bfa9 100644 --- a/map_common.c +++ b/map_common.c @@ -27,7 +27,7 @@ #include "map_common.h" #include -static const char config_file[] = "/etc/mapuser_nss.conf"; +static const char config_file[] = "/etc/nss_mapuser.conf"; #define DEF_MIN_UID 1001 /* fail lookups on uid's below this value */ diff --git a/mapuser_nss.5 b/mapuser_nss.5 deleted file mode 100644 index a12c0f8..0000000 --- a/mapuser_nss.5 +++ /dev/null 
@@ -1,67 +0,0 @@
-.TH mapuser_nss 5
-.\" Copyright 2017 Cumulus Networks, Inc. All rights reserved.
-.SH NAME
-mapuser_nss.conf \- NSS mapuser configuration file
-.SH DESCRIPTION
-This is the configuration file for the NSS mapuser plugins.
-See the
-.BR mapuser_nss (8)
-manpage for more general information on the plugin.
-This configuration file controls debug settings, the local account used
-for mapping users, and which usernames (accounts) and uids are skipped.
-.PP
-.TP
-.I debug=NUMBER
-Output lookup debugging information via syslog(3).
-.TP
-.I exclude_users=user1,user2...
-Usernames (accounts) comma separate list. This is used by mapname NSS plugin getpwuid()
-entry point. The account to be looked up is checked against this list. If a match is
-found, an immediate NOTFOUND status is returned. This reduces overhead for the standard
-local user accounts.
-.TP
-.I mapped_user=NAME
-This is the local account which mapping uses as a template. It must be a local
-account (found in
-.IR /etc/passwd ).
-When a uid or name match is found, this account information is read from
-.I /etc/passwd
-and used as a template for the matching account. The
-.B pw_name
-field (user account name)
-is replaced with the original (login) name, and the original name is
-inserted at the beginning of the
-.B pw_gecos
-field. The
-.B pw_dir
-(home directory)
-field replaces the last component of the directory path with the original login
-name.
-.IP
-When changing this field to a different name than the default, be sure the account exists in
-.IR /etc/passwd ,
-and that the account was created as disabled or locked (does not have a legal password, so
-the
-.I NAME
-account can not be used for logins. When using
-.IR adduser (8)
-to create these accounts, use the
-.B --disabled-login
-argument to disable login for the account.
-.TP
-.I min_uid=NUMBER
-UID's passed to the mapuid NSS plugin getpwuid() entry point that are below this value
-cause an immediate NOTFOUND status to be returned. 
This reduces
-overhead for the standard local user accounts.
-.SH "SEE ALSO"
-.BR adduser (8),
-.BR pam_radius_auth (8),
-.BR mapuser_nss (8),
-.BR nsswitch.conf (5),
-.BR getpwuid (3),
-.BR getpwnam (3),
-.SH FILES
-.I /etc/nss_mapuser.conf
-- mapuser NSS plugin configuration parameters
-.SH AUTHOR
-Dave Olson
diff --git a/mapuser_nss.conf b/mapuser_nss.conf
deleted file mode 100644
index 4ddc42d..0000000
--- a/mapuser_nss.conf
+++ /dev/null
@@ -1,32 +0,0 @@
-# This file is part of the libnss-mapuser pacakge.
-# This file should be world readable. It does not contain any security
-# sensitive information.
-#
-# Edit /etc/nsswitch.conf to add mapuer to the passwd lookup, similar to this
-# where mapuser must be the be prior to compat, since uid lookups would
-# otherwise always match via compat
-# passwd: mapuser compat
-# if set, errors and other issues are logged with syslog
-# debug=1
-# min_uid is the minimum uid to lookup. Setting this to 0
-# means uid 0 (root) is never looked up, good for robustness and performance
-# Cumulus Linux ships with it set to 1001, so we never lookup system
-# users, or the standard "cumulus" account. You may want to change this
-# to the value of the radius_user account.
-min_uid=1001
-# This is a comma separated list of usernames that are never mapped
-# because they are standard accounts. They cause an early not found
-# return.
-#
-# "*" is not a wild card. While it's not a legal username, it turns out
-# that during pathname completion, bash can do an NSS lookup on "*"
-# To avoid server round trip delays, or worse, unreachable server delays
-# on filename completion, we include "*" in the exclusion list.
-exclude_users=root,cumulus,man,ntp,sshd,frr,snmp,nobody,*
-# Map all usernames to the radius_user account (use the uid, gid, shell, and
-# base of the home directory from the cumulus entry in /etc/passwd).
-mapped_user=radius_user
diff --git a/nss_mapuser.5 b/nss_mapuser.5
new file mode 100644
index 0000000..2bbabad
--- /dev/null
+++ b/nss_mapuser.5
@@ -0,0 +1,67 @@
+.TH nss_mapuser 5
+.\" Copyright 2017 Cumulus Networks, Inc. All rights reserved.
+.SH NAME
+nss_mapuser.conf \- NSS mapuser configuration file
+.SH DESCRIPTION
+This is the configuration file for the NSS mapuser plugins.
+See the
+.BR nss_mapuser (8)
+manpage for more general information on the plugin.
+This configuration file controls debug settings, the local account used
+for mapping users, and which usernames (accounts) and uids are skipped.
+.PP
+.TP
+.I debug=NUMBER
+Output lookup debugging information via syslog(3).
+.TP
+.I exclude_users=user1,user2...
+Usernames (accounts) comma separate list. This is used by mapname NSS plugin getpwuid()
+entry point. The account to be looked up is checked against this list. If a match is
+found, an immediate NOTFOUND status is returned. This reduces overhead for the standard
+local user accounts.
+.TP
+.I mapped_user=NAME
+This is the local account which mapping uses as a template. It must be a local
+account (found in
+.IR /etc/passwd ).
+When a uid or name match is found, this account information is read from
+.I /etc/passwd
+and used as a template for the matching account. The
+.B pw_name
+field (user account name)
+is replaced with the original (login) name, and the original name is
+inserted at the beginning of the
+.B pw_gecos
+field. The
+.B pw_dir
+(home directory)
+field replaces the last component of the directory path with the original login
+name.
+.IP
+When changing this field to a different name than the default, be sure the account exists in
+.IR /etc/passwd ,
+and that the account was created as disabled or locked (does not have a legal password, so
+the
+.I NAME
+account can not be used for logins. When using
+.IR adduser (8)
+to create these accounts, use the
+.B --disabled-login
+argument to disable login for the account.
+.TP
+.I min_uid=NUMBER
+UID's passed to the mapuid NSS plugin getpwuid() entry point that are below this value
+cause an immediate NOTFOUND status to be returned. 
This reduces +overhead for the standard local user accounts. +.SH "SEE ALSO" +.BR adduser (8), +.BR pam_radius_auth (8), +.BR nss_mapuser (8), +.BR nsswitch.conf (5), +.BR getpwuid (3), +.BR getpwnam (3), +.SH FILES +.I /etc/nss_mapuser.conf +- mapuser NSS plugin configuration parameters +.SH AUTHOR +Dave Olson diff --git a/nss_mapuser.8 b/nss_mapuser.8 index c74694f..d19aad7 100644 --- a/nss_mapuser.8 +++ b/nss_mapuser.8 @@ -1,4 +1,4 @@ -.TH mapuser_nss 8 +.TH nss_mapuser 8 .\" Copyright 2017 Cumulus Networks, Inc. All rights reserved. .SH NAME libnss_mapname.so.2 \- NSS mapuser plugin @@ -7,7 +7,7 @@ libnss_mapuid.so.2 \- NSS mapuid plugin .SH DESCRIPTION These are the NSS mapuser plugins. See the -.BR mapuser_nss (5) +.BR nss_mapuser (5) manpage for information on configuration. These plugins are intended to be used with protocols such as RADIUS that do not provide enough information to define a linux account (uid, gid, home directory). @@ -99,7 +99,7 @@ end, the open script will also create the home directory using .BR mkhomedir_helper (8), .BR pam_radius_auth (8), .BR pam_script (8), -.BR mapuser_nss (5), +.BR nss_mapuser (5), .BR nsswitch.conf (5), .BR getpwuid (3), .BR getpwnam (3), diff --git a/nss_mapuser.conf b/nss_mapuser.conf new file mode 100644 index 0000000..cf9ad71 --- /dev/null +++ b/nss_mapuser.conf 
@@ -0,0 +1,34 @@
+# This file is part of the libnss-mapuser package.
+# It should be world readable. It does not contain any security
+# sensitive information.
+#
+# Edit /etc/nsswitch.conf to add mapuser and mapuid to the passwd lookup,
+# similar to the example below.
+# mapuid must be the be prior to compat, since uid lookups would
+# otherwise always match via compat, and mapuser must be last, since
+# it always matches anything.
+# passwd: mapuid compat mapuser
+# if set, errors and other issues are logged with syslog
+# debug=1
+# min_uid is the minimum uid to lookup. Setting this to 0
+# means uid 0 (root) is never looked up, good for robustness and performance
+# Cumulus Linux ships with it set to 1001, so we never lookup system
+# users, or the standard "cumulus" account. You may want to change this
+# to the value of the radius_user account.
+min_uid=1001
+# This is a comma separated list of usernames that are never mapped
+# because they are standard accounts. They cause an early not found
+# return.
+#
+# "*" is not a wild card. While it's not a legal username, it turns out
+# that during pathname completion, bash can do an NSS lookup on "*"
+# To avoid server round trip delays, or worse, unreachable server delays
+# on filename completion, we include "*" in the exclusion list.
+exclude_users=root,cumulus,man,ntp,sshd,frr,snmp,nobody,*
+# Map all usernames to the radius_user account (use the uid, gid, shell, and
+# base of the home directory from the cumulus entry in /etc/passwd).
+mapped_user=radius_user
-- 
cgit v1.2.3
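Review bot: The min_uid comment in the new nss_mapuser.conf contradicts the semantics documented in nss_mapuser.5 in this same commit ("UID's ... below this value cause an immediate NOTFOUND"): with that rule `min_uid=0` rejects nothing and root (uid 0) is still looked up, so the value that skips root is 1, unless map_common.c special-cases 0 (the parsing code is outside this diff). I would change the two lines to `# min_uid is the minimum uid to lookup. Setting this to 1` / `# means uid 0 (root) is never looked up, good for robustness and performance`, since an operator copying the comment literally would widen lookups to the root uid rather than narrow them. The mapped_user comment is also stale: it says the template comes from "the cumulus entry in /etc/passwd" while the setting is `mapped_user=radius_user`; `# base of the home directory from the radius_user entry in /etc/passwd).` matches the value and the README. Because the new nsswitch guidance correctly notes that mapuser "always matches anything", every unknown login name resolves to this template account, so the header's "world readable" remark is fine but the file must stay root-owned and not writable by others (the Makefile's `install -m 644` satisfies that); a one-line reminder to that effect next to `mapped_user` would help, and the typo `must be the be prior` carried over from the old file should be fixed while here.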