# This file is part of the libnss-mapuser package. # It should be world readable. It does not contain any security # sensitive information. # # Edit /etc/nsswitch.conf to add mapuser and mapuid to the passwd lookup, # similar to the example below. # mapuid must be the be prior to compat, since uid lookups would # otherwise always match via compat, and mapuser must be last, since # it always matches anything. # passwd: mapuid compat mapuser # if set, errors and other issues are logged with syslog # debug=1 # min_uid is the minimum uid to lookup. Setting this to 0 # means uid 0 (root) is never looked up, good for robustness and performance # Cumulus Linux ships with it set to 1001, so we never lookup system # users, or the standard "cumulus" account. You may want to change this # to the value of the radius_user account. min_uid=1000 # This is a comma separated list of usernames that are never mapped # because they are standard accounts. They cause an early not found # return. # # "*" is not a wild card. While it's not a legal username, it turns out # that during pathname completion, bash can do an NSS lookup on "*" # To avoid server round trip delays, or worse, unreachable server delays # on filename completion, we include "*" in the exclusion list. # User names starting with "tacacs[0-9]" are also ignored, in case the # tacplus client packages are installed. User names matching # the mapped_user and mapped_priv_user configuration fields are also ignored. exclude_users=root,daemon,nobody,cron,sshd,cumulus,quagga,frr,snmp,www-data,ntp,man,* # Map all usernames to the radius_user account (use the uid, gid, shell, and # base of the home directory from the cumulus entry in /etc/passwd). mapped_user=radius_user # if you change the account for mapped_priv_user, you must change it in # /etc/pam_radius_auth.conf as well. mapped_priv_user=radius_priv_user