diff --git a/FAQ.md b/FAQ.md index cc33119ed..604da6c95 100644 --- a/FAQ.md +++ b/FAQ.md @@ -101,4 +101,16 @@ Additionally, it's worth noting that most of these other database would violate desires to keep the language as Rust and may require external configuration or daemons which may not be possible to test. +## How PAM/nsswitch Work +Linux and BSD clients can resolve identities from Kanidm into accounts via PAM and nsswitch. + +Name Service Switch (NSS) is used for connecting the computers with different data sources to resolve name-service information. +By adding the nsswitch libraries to /etc/nsswitch.conf, we are telling NSS to lookup password info and group identities in Kanidm: + + passwd: compat kanidm + group: compat kanidm + +When a service like sudo, sshd, su etc. wants to authenticate someone, it opens the pam.d config of that service, +then performs authentication according to the modules defined in the pam.d config. +For example, if you run `ls -al /etc/pam.d /usr/etc/pam.d` in SUSE, you can see the services and their respective pam.d config. diff --git a/kanidm_book/src/installing_the_server.md b/kanidm_book/src/installing_the_server.md index 85c7e98b3..57b4fd48c 100644 --- a/kanidm_book/src/installing_the_server.md +++ b/kanidm_book/src/installing_the_server.md @@ -107,7 +107,7 @@ for example) then you can validate with this command. If these verifications pass you can now use these certificates with Kanidm. To put the certificates in place you can use a shell container that mounts the volume such as: - docker run --rm -i -t -v kanidmd:/data -v /my/host/path/work:/work opensuse/leap:latest cp /work/* /data/ + docker run --rm -i -t -v kanidmd:/data -v /my/host/path/work:/work opensuse/leap:latest /bin/sh -c "cp /work/* /data/" OR for a shell into the volume: diff --git a/kanidm_book/src/pam_and_nsswitch.md b/kanidm_book/src/pam_and_nsswitch.md index fa1320a85..2a6b8f0f7 100644 --- a/kanidm_book/src/pam_and_nsswitch.md 
+++ b/kanidm_book/src/pam_and_nsswitch.md @@ -39,7 +39,9 @@ You can check the privileged tasks daemon is running with > it provides supporting kanidm's capabilities. Both unixd daemons use the connection configuration from /etc/kanidm/config. This is the covered in -client_tools. You can also configure some details of the unixd daemons in /etc/kanidm/unixd. +[client_tools](./client_tools.md#kandim-configuration). + +You can also configure some unixd specific options with the file /etc/kanidm/unixd. pam_allowed_login_groups = ["posix_group"] default_shell = "/bin/bash" @@ -100,7 +102,9 @@ When the daemon is running you can add the nsswitch libraries to /etc/nsswitch.c passwd: compat kanidm group: compat kanidm -You can then test that a posix extended user is able to be resolved with: +You can [create a user](./accounts_and_groups.md#creating-accounts) then [enable posix feature on the user](./posix_accounts.md#enabling-posix-attributes-on-accounts). + +You can then test that the posix extended user is able to be resolved with: $ getent passwd $ getent passwd testunix @@ -112,6 +116,10 @@ You can also do the same for groups. $ getent group testgroup testgroup:x:2439676479:testunix +> **HINT** Remember to also create unix password with something like +> `kanidm account posix set_password --name idm_admin demo_user`. +> Otherwise there will be no credential for the account to authenticate. + ## PAM > **WARNING:** Modifications to pam configuration *may* leave your system in a state
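Review bot: In the FAQ.md hunk, "telling NSS to lookup password info and group identities in Kanidm" conflates the two mechanisms the section is trying to separate: the NSS `passwd` database only resolves account attributes (name, uid, gid, home directory, shell), no credential is ever returned through nsswitch, and authentication happens in the PAM stack described in the next paragraph. Suggest "telling NSS to look up account (passwd) and group information in Kanidm" ("look up" as two words). The sentence "used for connecting the computers with different data sources to resolve name-service information" is also awkward; something like "NSS lets a system resolve name-service information (users, groups, hosts and so on) from one or more configurable sources" reads better. Minor: "When a service like sudo, sshd, su etc. wants to authenticate someone" should be "sudo, sshd, su, etc.".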
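Review bot: In the installing_the_server.md hunk, wrapping the copy in `/bin/sh -c "cp /work/* /data/"` is the correct fix, because without a shell inside the container the `*` is handed to `cp` literally and no file matches; the surrounding prose should say so in one sentence so readers understand why the shell is needed. Two caveats worth adding next to the command: the glob does not match dotfiles, so a key or certificate stored under a leading-dot name would silently not be copied, and `-i -t` are unnecessary for a non-interactive `cp` (harmless, but they suggest an interactive session that does not happen).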
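Review bot: In the first pam_and_nsswitch.md hunk (`@@ -39,7 +39,9 @@`), the link target `./client_tools.md#kandim-configuration` has "kandim" where the heading slug is presumably "kanidm-configuration", so the anchor will not resolve; change it to `#kanidm-configuration` and confirm the slug against the heading in client_tools.md. While this sentence is being rewritten, the unchanged context line "This is the covered in" has a stray "the" that should become "This is covered in", and "some unixd specific options" reads better hyphenated as "some unixd-specific options".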
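Review bot: In the `@@ -100,7 +102,9 @@` hunk, the link text "enable posix feature on the user" is missing an article and does not match the heading it points at; suggest "enable POSIX attributes on the account" so the text matches the `#enabling-posix-attributes-on-accounts` anchor and uses the same term the getent examples rely on.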
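Review bot: In the `@@ -112,6 +116,10 @@` hunk, the HINT's example `kanidm account posix set_password --name idm_admin demo_user` uses `demo_user` while the getent examples immediately above it use `testunix`; using the same account name keeps the walkthrough runnable as written. Also "Remember to also create unix password" should be "Remember to also create a unix password", and "Otherwise there will be no credential for the account to authenticate." reads more clearly as "Otherwise the account has no credential to authenticate with."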