NSS Configuration

NSS (Name Service Switch) allows the users stored in the VHFFS database to be recognized by the system, so they can act as standard Unix users: connect through SSH, use Subversion over SSH, or use FTP with PAM/Unix accounting.

NSS with PostgreSQL

Using libnss-pgsql2

  • Install debian packages
# apt-get install libnss-pgsql2
  • Create the config file /etc/nss-pgsql.conf like this:
# Replace '*' with 'x' if you want to use the user shadow table

connectionstring        = hostaddr=127.0.0.1 dbname=vhffs user=vhffs password=yourpass connect_timeout=1  
getpwnam        = SELECT p.username, '*' AS passwd, p.username, p.homedir, p.shell, p.uid, p.gid FROM vhffs_passwd p WHERE p.username = $1
getpwuid        = SELECT p.username, '*' AS passwd, p.username, p.homedir, p.shell, p.uid, p.gid FROM vhffs_passwd p WHERE p.uid = $1
allusers        = SELECT p.username, '*' AS passwd, p.username, p.homedir, p.shell, p.uid, p.gid FROM vhffs_passwd p
getgrnam        = SELECT g.groupname, 'x' AS passwd, g.gid, ARRAY(SELECT p.username FROM vhffs_passwd p INNER JOIN vhffs_user_group ug ON ug.uid=p.uid WHERE ug.gid = g.gid) AS members FROM vhffs_groups g WHERE g.groupname = $1
getgrgid        = SELECT g.groupname, 'x' AS passwd, g.gid, ARRAY(SELECT p.username FROM vhffs_passwd p INNER JOIN vhffs_user_group ug ON ug.uid=p.uid WHERE ug.gid = g.gid) AS members FROM vhffs_groups g WHERE g.gid = $1
allgroups       = SELECT g.groupname, 'x' AS passwd, g.gid, ARRAY(SELECT p.username FROM vhffs_passwd p INNER JOIN vhffs_user_group ug ON ug.uid=p.uid WHERE ug.gid = g.gid) AS members FROM vhffs_groups g
getgroupmembersbygid    = SELECT p.username FROM vhffs_passwd p INNER JOIN vhffs_user_group ug ON ug.uid=p.uid WHERE ug.gid = $1
groups_dyn      = SELECT ug.gid FROM vhffs_user_group ug INNER JOIN vhffs_passwd p ON p.uid=ug.uid WHERE p.username = $1 AND $2 = $2
  • If you need user authentication, change the passwd field from '*' to 'x' in the passwd queries above, then create the config file /etc/nss-pgsql-root.conf like this:
# this file must be readable for root only

shadowconnectionstring        = hostaddr=127.0.0.1 dbname=vhffs user=vhffs password=yourpass connect_timeout=1
shadowbyname = SELECT s.username, s.passwd, 15066 as lstchg, 0 AS min, 99999 AS max, 7 AS warn, 7 AS inact, 99999 AS expire, 0 AS flag FROM vhffs_shadow s WHERE s.username = $1
shadow       = SELECT s.username, s.passwd, 15066 as lstchg, 0 AS min, 99999 AS max, 7 AS warn, 7 AS inact, 99999 AS expire, 0 AS flag FROM vhffs_shadow s
  • Then edit the file /etc/nsswitch.conf and modify:
passwd:         compat  pgsql
group:          compat  pgsql
shadow:         compat  pgsql

You can check if it works this way:

getent group
getent passwd
getent shadow
id username

Those examples work and are a good start, but they are highly insecure: /etc/nss-pgsql.conf must be readable by everyone, so any user on your system can read the database credentials and fetch or modify your VHFFS database.

So you have to create a new PostgreSQL user that can only read the vhffs_passwd, vhffs_groups and vhffs_user_group tables, and use that user in /etc/nss-pgsql.conf.
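The following SQL is an added illustration of such a locked-down setup, not part of VHFFS itself: one read-only role for the world-readable /etc/nss-pgsql.conf and a second one for the root-only /etc/nss-pgsql-root.conf. Role names and passwords are placeholders, and it assumes nothing on these relations was previously granted to PUBLIC.

```sql
-- Added example (not VHFFS project code): least-privilege roles for the NSS module.
-- Run as the PostgreSQL superuser or as the owner of the vhffs_* relations.
-- Role names and passwords below are placeholders; change them.

-- nss_ro goes into /etc/nss-pgsql.conf (readable by everyone), so it must
-- never be able to read password hashes or write anything.
CREATE ROLE nss_ro WITH LOGIN PASSWORD 'CHANGE-ME-nss-ro';

-- nss_shadow goes into /etc/nss-pgsql-root.conf (readable by root only).
CREATE ROLE nss_shadow WITH LOGIN PASSWORD 'CHANGE-ME-nss-shadow';

-- Exactly the relations the getpw*/getgr*/allusers/allgroups queries touch.
-- SELECT on a view is enough: a plain PostgreSQL view runs with the
-- privileges of its owner, so no grant on the underlying tables is needed.
GRANT SELECT ON vhffs_passwd, vhffs_groups, vhffs_user_group TO nss_ro;

-- The shadow role additionally reads vhffs_shadow, and nothing else.
GRANT SELECT ON vhffs_passwd, vhffs_groups, vhffs_user_group, vhffs_shadow
  TO nss_shadow;

-- Audit: nss_ro must not be listed on vhffs_shadow, and neither role may
-- hold any privilege other than SELECT.
SELECT grantee, table_name, privilege_type
  FROM information_schema.role_table_grants
 WHERE grantee IN ('nss_ro', 'nss_shadow')
 ORDER BY grantee, table_name, privilege_type;

-- Functional check from the unprivileged role: the first query must work,
-- the second must fail with "permission denied for ... vhffs_shadow".
SET ROLE nss_ro;
SELECT count(*) FROM vhffs_passwd;
SELECT count(*) FROM vhffs_shadow;
RESET ROLE;
```

Afterwards replace user=vhffs password=yourpass in connectionstring with nss_ro's credentials and in shadowconnectionstring with nss_shadow's.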

If you need authentication, it is a good idea to expose only activated users, so that users not yet created or disabled cannot log in. You can do this by adding a join on vhffs_object to the vhffs_passwd and vhffs_shadow views.

Using NSCD

NSCD is a daemon that caches NSS data fetched from the SQL database, which avoids a database round trip on every lookup:

apt-get install nscd

You can edit /etc/nscd.conf to change the cache timeout.

Using libnss-pgsql1

If you are still using nss-pgsql1, here is a configuration example that was used before:

# example configfile for PostgreSQL NSS module

# these are entries as used with the BOFHMS tool (sf.net/projects/bofhms)
host            = localhost
port            = 5432
database        = vhffs
login           = vhffs
passwd          = *******
passwdtable     = vhffs_shadow
grouptable      = vhffs_groups

# you can use anything postgres accepts as table expression
groupmembertable = vhffs_passwd JOIN vhffs_user_group ON vhffs_passwd.uid=vhffs_user_group.uid JOIN vhffs_groups ON vhffs_groups.gid=vhffs_user_group.gid

passwd_name     = username
passwd_passwd   = passwd
passwd_uid      = uid
passwd_dir      = homedir
passwd_shell    = shell

passwd_gecos    = username
passwd_gid      = gid
group_name      = groupname
group_passwd    = passwd
group_gid       = gid
group_member    = username

queryids = SELECT ug.gid FROM vhffs_passwd p INNER JOIN vhffs_user_group ug ON ug.uid = p.uid WHERE p.username = '%s' AND ug.gid != %d
querypasswd = SELECT username, passwd, uid, gid, username, homedir, shell FROM vhffs_passwd
querygroup = SELECT groupname, passwd, gid FROM vhffs_groups
querymembers = SELECT u.username FROM vhffs_users u INNER JOIN vhffs_user_group ug ON ug.uid = u.uid WHERE ug.gid = %d 

NSS with SQLite

As an alternative, you can configure NSS using libnss-sqlite.

This way, you can easily duplicate the database on each host.

Advantages:

  • Balance the name service lookup load across all hosts
  • Remove the SPOF that the PostgreSQL server represents: if the host running PostgreSQL goes down, name service lookups are no longer affected
  • Filters can be applied during the duplication process
  • Users can no longer log in to your PostgreSQL server after reading the /etc/nss-pgsql.conf content
  • Much faster, about 10k to 100k times faster, because you are using a locally stored database that fits in and stays in the kernel's filesystem cache
  • You don't need NSCD. In fact, running NSCD will reduce performance.

Compiling and installing libnss-sqlite

First step, fetch the latest libnss-sqlite revision:

# svn co svn://svn.tuxfamily.org/svnroot/libnsssqlite/libnsssqlite/trunk libnss-sqlite
# cd libnss-sqlite

Install required build dependencies:

# apt-get install sqlite3 libsqlite3-dev automake autoconf make libtool

Compile and install it:

~/libnss-sqlite# ./bootstrap.sh && ./configure && make && make install

Build the SQLite databases:

# mkdir /var/db
~/libnss-sqlite# sqlite3 -init ./conf/passwd.sql /var/db/passwd.sqlite
~/libnss-sqlite# sqlite3 -init ./conf/shadow.sql /var/db/shadow.sqlite
# chmod o-rwx /var/db/shadow.sqlite

Installing and updating the mirror script

Copy the NSS mirror script to a suitable location:

# cp /usr/share/vhffs/backend/mirror/nss-mirror.pl /usr/local/sbin/
# chmod o-rwx /usr/local/sbin/nss-mirror.pl 
# chmod ug+x /usr/local/sbin/nss-mirror.pl

Edit the nss-mirror.pl file with your VHFFS PostgreSQL database login and password.

Install required dependencies:

apt-get install libdbd-sqlite3-perl libdbd-pg-perl

Then run the nss-mirror.pl script; it should work:

# /usr/local/sbin/nss-mirror.pl

Check that the database is filled up:

# sqlite3 /var/db/passwd.sqlite 
SQLite version 3.7.3
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> SELECT * FROM passwd;
10001|10001|youruser||/bin/false|/data/home/y/o/youruser
sqlite> SELECT * FROM groups;
10001|youruser|
10002|test|
sqlite> 

Then change the /etc/nsswitch.conf file to use libnss-sqlite:

passwd:         compat sqlite
group:          compat sqlite
shadow:         compat sqlite

Of course, you need to run the nss-mirror.pl script from time to time to update the SQLite databases; adding the necessary cron entry is left to you.

As you may have noticed, the mirror script doesn't need the VHFFS API to run, so you don't need to install VHFFS on hosts that only need a working name service (web servers, FTP, …).

doc/installationguide/basic-nss.txt · Last modified: 2013/08/09 12:32 by gradator