.TH mapuser_nss 8
.\" Copyright 2017 Cumulus Networks, Inc. All rights reserved.
.SH NAME
libnss_mapname.so.2 \- NSS mapuser plugin
.br
libnss_mapuid.so.2 \- NSS mapuid plugin
.SH DESCRIPTION
These are the NSS mapuser plugins.
See the
.BR mapuser_nss (5)
manpage for information on configuration.
These plugins are intended to be used with protocols such as RADIUS that do not
provide enough information to define a Linux account (uid, gid, home directory).
The traditional method was to add all RADIUS users to the local
.I /etc/passwd
file, or to enable them via other means such as LDAP.
These plugins allow RADIUS users to log in with no configuration other than the
initial setup of the RADIUS client and of these plugins.
.PP
The plugins work by mapping user accounts to a named account in a configuration
file, and using the named account as a template for the requested account.
.PP
The named account (the default is
.IR radius_user )
must be present in
.IR /etc/passwd .
The
.B pw_name
field (user account name)
is replaced with the account name that is being looked up, and that name is
also inserted at the beginning of the
.B pw_gecos
field. In the
.B pw_dir
(home directory)
field, the last component of the directory path is replaced with the login
name being looked up.
For example, if the name being looked up is
.B daveolson
and the
named account in the configuration file is
.BR radius_user ,
and that entry in
.I /etc/passwd
is
.IP
.B radius_user:x:1017:1002:radius user,,,:/home/radius_user:/bin/bash
.PP
then the matching line returned by
.I getent passwd daveolson
would be
.IP
.B daveolson:x:1017:1002:daveolson mapped user:/home/daveolson:/bin/bash
.PP
The matching lookup on the uid will only be successful if
.B daveolson
is logged in, because it checks a flat file database that is created when
the mapped user logs in.
.PP
When multiple users are logged in at the same time,
the uid lookup will return the first matching account name.
This is similar to having multiple accounts in the
.I /etc/passwd
file with the same UID.
.PP
There are two separate plugins,
.B libnss_mapname
for user account names
.RB ( getpwnam (3)),
and
.B libnss_mapuid
for uids
.RB ( getpwuid (3)).
Two separate plugins are required.
.PP
The name lookup
.B mapuser
must be the last method used (last plugin on the
.B passwd
database), because it will always produce a successful lookup on
any user account name, unless there are configuration or other errors.
.PP
The uid lookup
.B mapuid
must be the first method used (first plugin on the
.B passwd
database), because the uid will always also match the local template account in
.IR /etc/passwd ,
which would otherwise be returned instead of the mapped account, unless there
are configuration or other errors.
.PP
The flat file database is created using the
.B pam_script
plugin. In addition to creating and deleting files at session start and
end, the session-open script also creates the home directory using
.IR mkhomedir_helper .
.SH "SEE ALSO"
.BR adduser (8),
.BR mkhomedir_helper (8),
.BR pam_radius_auth (8),
.BR pam_script (8),
.BR mapuser_nss (5),
.BR nsswitch.conf (5),
.BR getpwuid (3),
.BR getpwnam (3),
.BR getent (1).
.SH FILES
.I /etc/nss_mapuser.conf
- mapuser NSS plugin configuration parameters.
.br
.I /run/mapuser/SESSION_NUMBER
- the files containing the original uid and username for the account with Linux session
.IR SESSION_NUMBER .
.SH AUTHOR
Dave Olson <olson@cumulusnetworks.com>