mart-w/kanidm
1
0
Fork 0
mirror of https://github.com/kanidm/kanidm.git synced 2025-02-23 12:37:00 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

445 update pam nsswitch md (#451)

Browse source
This commit is contained in:
vcwai 2021-05-24 07:13:41 +08:00 committed by GitHub
parent 6ef4ad616a
commit 2f1ce3ed71
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 23 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
FAQ.md
View file

@ -101,4 +101,16 @@ Additionally, it's worth noting that most of these other database would violate
desires to keep the language as Rust and may require external configuration or daemons which
may not be possible to test.
## How PAM/nsswitch Work
Linux and BSD clients can resolve identities from Kanidm into accounts via PAM and nsswitch.
Name Service Switch (NSS) is used for connecting the computers with different data sources to resolve name-service information.
By adding the nsswitch libraries to /etc/nsswitch.conf, we are telling NSS to lookup password info and group identities in Kanidm:
passwd: compat kanidm
group: compat kanidm
When a service like sudo, sshd, su etc. wants to authenticate someone, it opens the pam.d config of that service,
then performs authentication according to the modules defined in the pam.d config.
For example, if you run `ls -al /etc/pam.d /usr/etc/pam.d` in SUSE, you can see the services and their respective pam.d config.

2
kanidm_book/src/installing_the_server.md
View file

@ -107,7 +107,7 @@ for example) then you can validate with this command.
If these verifications pass you can now use these certificates with Kanidm. To put the certificates
in place you can use a shell container that mounts the volume such as:
docker run --rm -i -t -v kanidmd:/data -v /my/host/path/work:/work opensuse/leap:latest cp /work/* /data/
docker run --rm -i -t -v kanidmd:/data -v /my/host/path/work:/work opensuse/leap:latest /bin/sh -c "cp /work/* /data/"
OR for a shell into the volume:

12
kanidm_book/src/pam_and_nsswitch.md
View file

@ -39,7 +39,9 @@ You can check the privileged tasks daemon is running with
> it provides supporting kanidm's capabilities.
Both unixd daemons use the connection configuration from /etc/kanidm/config. This is the covered in
client_tools. You can also configure some details of the unixd daemons in /etc/kanidm/unixd.
[client_tools](./client_tools.md#kandim-configuration).
You can also configure some unixd specific options with the file /etc/kanidm/unixd.
pam_allowed_login_groups = ["posix_group"]
default_shell = "/bin/bash"
@ -100,7 +102,9 @@ When the daemon is running you can add the nsswitch libraries to /etc/nsswitch.c
passwd: compat kanidm
group: compat kanidm
You can then test that a posix extended user is able to be resolved with:
You can [create a user](./accounts_and_groups.md#creating-accounts) then [enable posix feature on the user](./posix_accounts.md#enabling-posix-attributes-on-accounts).
You can then test that the posix extended user is able to be resolved with:
$ getent passwd <account name>
$ getent passwd testunix
@ -112,6 +116,10 @@ You can also do the same for groups.
$ getent group testgroup
testgroup:x:2439676479:testunix
> **HINT** Remember to also create unix password with something like
> `kanidm account posix set_password --name idm_admin demo_user`.
> Otherwise there will be no credential for the account to authenticate.
## PAM
> **WARNING:** Modifications to pam configuration *may* leave your system in a state