NSS Configuration
NSS (Name Service Switch) lets the system recognise the users stored in the VHFFS database, so they behave like standard Unix users and can connect over SSH, use Subversion over SSH, or use FTP with PAM/Unix accounting.
NSS with PostgreSQL
Using libnss-pgsql2
- Install the Debian package
# apt-get install libnss-pgsql2
- Create the config file /etc/nss-pgsql.conf like this:
# Replace '*' with 'x' if you want to use the user shadow table
connectionstring = hostaddr=127.0.0.1 dbname=vhffs user=vhffs password=yourpass connect_timeout=1
getpwnam = SELECT p.username, '*' AS passwd, p.username, p.homedir, p.shell, p.uid, p.gid FROM vhffs_passwd p WHERE p.username = $1
getpwuid = SELECT p.username, '*' AS passwd, p.username, p.homedir, p.shell, p.uid, p.gid FROM vhffs_passwd p WHERE p.uid = $1
allusers = SELECT p.username, '*' AS passwd, p.username, p.homedir, p.shell, p.uid, p.gid FROM vhffs_passwd p
getgrnam = SELECT g.groupname, 'x' AS passwd, g.gid, ARRAY(SELECT p.username FROM vhffs_passwd p INNER JOIN vhffs_user_group ug ON ug.uid=p.uid WHERE ug.gid = g.gid) AS members FROM vhffs_groups g WHERE g.groupname = $1
getgrgid = SELECT g.groupname, 'x' AS passwd, g.gid, ARRAY(SELECT p.username FROM vhffs_passwd p INNER JOIN vhffs_user_group ug ON ug.uid=p.uid WHERE ug.gid = g.gid) AS members FROM vhffs_groups g WHERE g.gid = $1
allgroups = SELECT g.groupname, 'x' AS passwd, g.gid, ARRAY(SELECT p.username FROM vhffs_passwd p INNER JOIN vhffs_user_group ug ON ug.uid=p.uid WHERE ug.gid = g.gid) AS members FROM vhffs_groups g
getgroupmembersbygid = SELECT p.username FROM vhffs_passwd p INNER JOIN vhffs_user_group ug ON ug.uid=p.uid WHERE ug.gid = $1
groups_dyn = SELECT ug.gid FROM vhffs_user_group ug INNER JOIN vhffs_passwd p ON p.uid=ug.uid WHERE p.username = $1 AND $2 = $2
- If you need password authentication (PAM/Unix), change the passwd field from '*' to 'x' in the three passwd queries above, then create the file /etc/nss-pgsql-root.conf like this:
# this file must be readable by root only
shadowconnectionstring = hostaddr=127.0.0.1 dbname=vhffs user=vhffs password=yourpass connect_timeout=1
shadowbyname = SELECT s.username, s.passwd, 15066 as lstchg, 0 AS min, 99999 AS max, 7 AS warn, 7 AS inact, 99999 AS expire, 0 AS flag FROM vhffs_shadow s WHERE s.username = $1
shadow = SELECT s.username, s.passwd, 15066 as lstchg, 0 AS min, 99999 AS max, 7 AS warn, 7 AS inact, 99999 AS expire, 0 AS flag FROM vhffs_shadow s
- Then edit /etc/nsswitch.conf and modify:
passwd: compat pgsql
group: compat pgsql
shadow: compat pgsql
You can check that it works this way (getent shadow only returns the VHFFS entries when run as root, since the shadow queries live in the root-only file):
getent group
getent passwd
getent shadow
id username
/etc/nss-pgsql.conf must be readable by anyone, and it contains the database password. Any local user can therefore read that credential, so it must not be the main vhffs role: create a dedicated PostgreSQL role that can only read the vhffs_passwd, vhffs_groups and vhffs_user_group tables (and in particular cannot read vhffs_shadow), and use it in connectionstring. Only the root-only /etc/nss-pgsql-root.conf should carry a role able to read vhffs_shadow.
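A restricted role matching this advice, written here as an added example rather than taken from the VHFFS project or the original page. The role name nss_ro, its password and the assumption that the tables live in the public schema are placeholders to adapt to your installation:

```sql
-- Added example: dedicated read-only role for the world-readable /etc/nss-pgsql.conf.
-- Role name, password and the 'public' schema are assumptions; adjust them to your setup.
CREATE ROLE nss_ro LOGIN PASSWORD 'change-me'
    NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT;

-- Let the role connect and see the schema, nothing more.
GRANT CONNECT ON DATABASE vhffs TO nss_ro;
GRANT USAGE ON SCHEMA public TO nss_ro;

-- Exactly the three tables the getpw*/getgr*/groups_dyn queries touch.
GRANT SELECT ON vhffs_passwd, vhffs_groups, vhffs_user_group TO nss_ro;

-- Safeguard: make sure no default or historical grant lets everyone read password hashes.
REVOKE ALL ON vhffs_shadow FROM PUBLIC;

-- Check: nobody but the owner and the trusted role(s) should appear here.
SELECT grantee, privilege_type
  FROM information_schema.role_table_grants
 WHERE table_name = 'vhffs_shadow';

-- Check from a psql session opened as nss_ro:
--   SELECT count(*) FROM vhffs_passwd;   -- succeeds
--   SELECT count(*) FROM vhffs_shadow;   -- must fail with "permission denied"
```

Then change connectionstring in /etc/nss-pgsql.conf to user=nss_ro password=... while shadowconnectionstring in /etc/nss-pgsql-root.conf keeps a role allowed to read vhffs_shadow.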
Using NSCD
NSCD (Name Service Cache Daemon) caches NSS results locally, so repeated lookups no longer hit the PostgreSQL server:
apt-get install nscd
Edit /etc/nscd.conf to tune the cache timeouts (the positive-time-to-live and negative-time-to-live entries of each database). Keep in mind that a user or group created in VHFFS only becomes visible to the system once the cached entry has expired.
Using libnss-pgsql1
If you are still using nss-pgsql1, here is the configuration example that was used before. Note that this older format interpolates the lookup key with printf-style placeholders ('%s', %d) instead of the bound $1/$2 parameters used by libnss-pgsql2, which is one more reason to migrate:
# example configfile for PostgreSQL NSS module
# these are entries as used with the BOFHMS tool (sf.net/projects/bofhms)
host = localhost
port = 5432
database = vhffs
login = vhffs
passwd = *******
passwdtable = vhffs_shadow
grouptable = vhffs_groups
# you can use anything postgres accepts as table expression
groupmembertable = vhffs_passwd JOIN vhffs_user_group ON vhffs_passwd.uid=vhffs_user_group.uid JOIN vhffs_groups ON vhffs_groups.gid=vhffs_user_group.gid
passwd_name = username
passwd_passwd = passwd
passwd_uid = uid
passwd_dir = homedir
passwd_shell = shell
passwd_gecos = username
passwd_gid = gid
group_name = groupname
group_passwd = passwd
group_gid = gid
group_member = username
queryids = SELECT ug.gid FROM vhffs_passwd p INNER JOIN vhffs_user_group ug ON ug.uid = p.uid WHERE p.username = '%s' AND ug.gid != %d
querypasswd = SELECT username, passwd, uid, gid, username, homedir, shell FROM vhffs_passwd
querygroup = SELECT groupname, passwd, gid FROM vhffs_groups
querymembers = SELECT u.username FROM vhffs_users u INNER JOIN vhffs_user_group ug ON ug.uid = u.uid WHERE ug.gid = %d
NSS with SQLite
As an alternative, you can configure NSS using libnss-sqlite, which lets you easily duplicate the database on each host.
Advantages:
- Name service lookups are spread over all hosts instead of concentrating on one database server
- The PostgreSQL server is no longer a single point of failure: if the host running it goes down, existing users and groups keep resolving
- Filters can be applied while duplicating the data
- Users can no longer log into your PostgreSQL server with credentials read from /etc/nss-pgsql.conf, since that file is no longer needed on the hosts
- Much faster, on the order of 10k to 100k times, because lookups hit a small local database that fits in and stays in the kernel's filesystem cache
- NSCD is not needed; running it on top of libnss-sqlite actually slows lookups down
Compiling and installing libnss-sqlite
First step, fetch the latest libnss-sqlite revision:
# svn co svn://svn.tuxfamily.org/svnroot/libnsssqlite/libnsssqlite/trunk libnss-sqlite
# cd libnss-sqlite
Install required build dependencies:
# apt-get install sqlite3 libsqlite3-dev automake autoconf make libtool
Compile and install:
~/libnss-sqlite# ./bootstrap.sh && ./configure && make && make install
Build the SQLite databases (sqlite3 -init runs the schema file and then drops you into the interactive shell; type .quit to leave it). The shadow database holds password hashes, so strip its world permissions right away:
# mkdir /var/db
~/libnss-sqlite# sqlite3 -init ./conf/passwd.sql /var/db/passwd.sqlite
~/libnss-sqlite# sqlite3 -init ./conf/shadow.sql /var/db/shadow.sqlite
# chmod o-rwx /var/db/shadow.sqlite
Installing and updating the mirror script
Copy the NSS mirror script somewhere on the host:
# cp /usr/share/vhffs/backend/mirror/nss-mirror.pl /usr/local/sbin/
# chmod o-rwx /usr/local/sbin/nss-mirror.pl
# chmod ug+x /usr/local/sbin/nss-mirror.pl
Edit /usr/local/sbin/nss-mirror.pl and set the login and password of your VHFFS PostgreSQL database; this is why the script must not be world-readable.
Install required dependencies:
# apt-get install libdbd-sqlite3-perl libdbd-pg-perl
Then run the nss-mirror.pl script; it should complete without errors:
# /usr/local/sbin/nss-mirror.pl
Check that the database has been filled:
# sqlite3 /var/db/passwd.sqlite
SQLite version 3.7.3
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> SELECT * FROM passwd;
10001|10001|youruser||/bin/false|/data/home/y/o/youruser
sqlite> SELECT * FROM groups;
10001|youruser|
10002|test|
sqlite>
Then change /etc/nsswitch.conf to use libnss-sqlite:
passwd: compat sqlite
group: compat sqlite
shadow: compat sqlite
The SQLite databases are only as fresh as the last mirror run, so you need to run nss-mirror.pl periodically from cron, at an interval matching how quickly new VHFFS users and groups must become visible on the host; we leave the exact crontab entry to you.