1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
|
.TH nss_mapuser 5
.\" Copyright 2017, 2018 Cumulus Networks, Inc. All rights reserved.
.SH NAME
nss_mapuser.conf \- NSS mapuser configuration file
.SH DESCRIPTION
This is the configuration file for the NSS mapuser and mapuid plugins.
See the
.BR nss_mapuser (8)
manpage for more general information on the plugins.
.P
This configuration file controls debug settings, the local accounts used for mapping
users, and the list of usernames (accounts) and uids that are skipped (not looked up by
this plugin).
.TP
.I debug=NUMBER
Output lookup debugging information via syslog(3).
.TP
.I exclude_users=user1,user2...
Usernames (accounts) comma separate list. This is used by the NSS mapuser plugin getpwuid()
entry point. The account to be looked up is checked against this list. If a match is
found, an immediate NOTFOUND status is returned. This reduces overhead for the standard
local user accounts. The
.I mapped_user
and
.I mapped_priv_user
fields from the
configuration file are always skipped, as are any names starting with
.BR tacacs[0-9] .
.TP
.I map_min_uid=NUMBER
UID's passed to the NSS mapuid plugin getpwuid() entry point that are below this value
cause an immediate NOTFOUND status to be returned. This reduces
overhead for the standard local user accounts.
.BR NOTE :
The value must be less than the uid of the mapped account names below.
.TP
.I mapped_priv_user=NAME
This is the local account used as a template for privileged logins
(the RADIUS VSA
.BR shell:priv-lvl=15 )
was returned by the server.
This must be a local account (found in
.IR /etc/passwd ).
When a uid or name match is found, this account information is read from
.I /etc/passwd
and used as a template for the matching account. The default at installation is
.BR radius_priv_user .
It must match the privileged account name in
.IR pam_radius_auth (5)
for correct operation.
.TP
.I mapped_user=NAME
This is the local account used as a template for unprivileged logins
(either no privilege attribute was returned by the server, or the privilege level is
is in the range 0-14. This must be a local account (found in
.IR /etc/passwd ).
When a uid or name match is found, this account information is read from
.I /etc/passwd
and used as a template for the matching account. The default at installation is
.BR radius_user .
.P
For the
.I map_user
and
.I map_priv_user
accounts, the user information that is returned via the
.BR getpwnam (3)
group of account lookup routines has the
.B pw_name
field (user account name)
replaced with the original (login) name, and the original name is
inserted at the beginning of the
.B pw_gecos
field. The
.B pw_dir
(home directory)
field replaces the last component of the directory path with the original login
name.
.P
When changing the
.I map_user
or
.I map_priv_user
fields to a different account than the default, be sure the account exists in
.IR /etc/passwd ,
and that the account was created as disabled or locked (does not have a legal password, so
the
.I NAME
account can not be used for logins. When using
.IR adduser (8)
to create these accounts, use the
.B --disabled-login
argument to disable login for the account.
.P
At installation, the
.I map_user
user account
.B radius_user
is added to the
.I netshow
group so that the user can run NCLU
.B net show
commands. Similarly, the
.I map_priv_user
user account
.B radius_priv_user
is added to the
.I netedit
group so that the user can run NCLU configuration commands.
.SH "SEE ALSO"
.BR adduser (8),
.BR pam_radius_auth (8),
.BR nss_mapuser (8),
.BR nsswitch.conf (5),
.BR getpwuid (3),
.BR getpwnam (3),
.SH FILES
.I /etc/nss_mapuser.conf
- mapuser NSS plugin configuration parameters
.SH AUTHOR
Dave Olson <olson@cumulusnetworks.com>
|