Additional Configuration Example #4
Comments

Also @mattsoftware, not sure if this is something you want to consider for the RPM spec or not, but figured since you have an interest in libnss-external, I should throw this your way too.

Make a merge request on the README.md, and I'll just merge it directly; I can't seem to see an easy way to grab the raw text of your documentation. I find it rather astounding that anyone's taken an interest in this odd little project, but I'm glad you're finding it useful.

This project is not odd, this is insanely great! This allows me to deal with NSS stuff just once and write adapters as I wish.

Keep in mind: whatever adapter you write can't make any NSS calls itself :D

@sbalneav your NSS plugin is pretty useful and has a lot of versatility to it. It will probably gain more popularity after reducing some of the barrier to entry for it. I've been working on a small tool chain for one of the contributions I will throw a merge request for. I'm writing a wrapper to store users in CockroachDB and some tools to manage these DB-stored users, in addition to some README updates. Should be done by February, I hope.
Hey @sbalneav,

I took some time to document some steps for how I want to use libnss-external, and I thought it would be useful to make it pluggable. I'll probably circle around to the idea of hard-coding this later when I have time, but for now I wanted to share this.

An overarching goal for me is to write some Go binaries I can slap into my configuration to read from CockroachDB instances locally, which are clustered across the fleet. Hopefully that makes a simpler and easier solution to deploy, which I think is better than dealing with FreeIPA or OpenLDAP, and it is also more tolerant to failures for some simple load-balanced LAMP stacks.

You're welcome to add it to the documentation for other people to use if you like (it can be GNU licensed or public domain or whatever, I don't mind).

Regards,
Sam
Making libnss-external Pluggable

At the end of this exercise, any executables in /etc/nss-external/passwd.exec.d, /etc/nss-external/group.exec.d, and /etc/nss-external/shadow.exec.d will be run to retrieve users.

First we will create the necessary directories for libnss-external commands to run out of:
We need to create the entry commands that will find the executables in the directory and run them.
Create the /etc/nss-external/passwd script:
Create the /etc/nss-external/group script:
Create the /etc/nss-external/shadow script:
Make the scripts executable for libnss-external to run them:
Quick Testuser for the Pluggable Example

If you have set up the pluggable example, the following steps are simple scripts that NSS will run to retrieve information for the user testuser. These are very basic in nature and should be extended to receive additional input for specific users with arguments, as you would see for getent.

This creates /etc/nss-external/passwd.exec.d/mypasswd01

This creates /etc/nss-external/group.exec.d/mygroup01

This creates /etc/nss-external/shadow.exec.d/myshadow01

The files need the executable bit to run:

Now you should be able to run getent passwd and see testuser as an entry.

Making libnss-external Security Implications
It is important to note that a module like libnss-external requires considering security due to its nature of making NSS easily pluggable with scripts. If you have scripts reading from a database, those scripts should use a read-only user.

Any files related to shadow should only be readable/executable by root; only root needs this type of access.

Making these scripts and directories read/executable only, after getting them set up how you want, is going to help minimize the impact of any compromise.
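The following is an added example and not a script from this issue or from the libnss-external project. It shows one way to write the entry script that the pluggable setup above describes (the /etc/nss-external/passwd, group and shadow scripts that run everything in the matching .exec.d directory), together with the defensive checks the security section asks for: the dispatcher skips plugins that are not regular executables or that are world-writable, and it drops output lines whose field count does not match the database, so a broken plugin cannot corrupt what NSS sees. NSS_EXTERNAL_ROOT is an assumed override so the script can be exercised outside /etc; whether libnss-external passes a username as an argument is not stated in the post, so any arguments are simply forwarded to the plugins. The same file can be installed under all three names, since the file name selects the plugin directory; the testuser plugins (mypasswd01 and friends) are then just executables that print one well-formed line each.

```shell
#!/bin/sh
# Added example, not a script from the issue or from libnss-external itself.
# Dispatcher for /etc/nss-external/<db>: runs every executable plugin found in
# /etc/nss-external/<db>.exec.d and concatenates their output.
# Assumption: NSS_EXTERNAL_ROOT only exists so the script can be exercised
# outside /etc; the plugin calling convention (arguments) is not specified by
# the post, so arguments are forwarded unchanged.
NSS_EXTERNAL_ROOT="${NSS_EXTERNAL_ROOT:-/etc/nss-external}"

# Number of colon-separated fields a well-formed line must have per database.
expected_fields() {
    case "$1" in
        passwd) echo 7 ;;   # name:pw:uid:gid:gecos:home:shell
        group)  echo 4 ;;   # name:pw:gid:members
        shadow) echo 9 ;;   # name:pw:lastchg:min:max:warn:inactive:expire:flag
        *)      echo 0 ;;
    esac
}

# run_plugins DB [ARGS...]: run each plugin for DB in sorted order, skipping
# anything that is not a regular executable file or is world-writable, and
# keep only output lines with the expected number of fields and a non-empty
# name field, so one misbehaving plugin cannot inject garbage into NSS.
run_plugins() {
    db="$1"
    shift
    dir="$NSS_EXTERNAL_ROOT/$db.exec.d"
    [ -d "$dir" ] || return 0
    nfields=$(expected_fields "$db")
    for plugin in "$dir"/*; do
        [ -f "$plugin" ] && [ -x "$plugin" ] || continue
        # -perm -002: the other-write bit is set, so any local user could
        # replace the plugin; refuse to execute it.
        if [ -n "$(find "$plugin" -perm -002 -print 2>/dev/null)" ]; then
            continue
        fi
        "$plugin" "$@" 2>/dev/null
    done | awk -F: -v n="$nfields" 'NF == n && $1 != ""'
}

# When installed as /etc/nss-external/passwd (or group, or shadow), the file
# name selects the plugin directory. Under any other name nothing runs, so the
# file can also be sourced to reuse run_plugins.
case "$(basename -- "$0")" in
    passwd|group|shadow) run_plugins "$(basename -- "$0")" "$@" ;;
esac
```

Installed as /etc/nss-external/passwd with mode 0755, and as /etc/nss-external/shadow with mode 0700 as the security section recommends, the dispatcher runs the plugins in the directory that matches its own name. A plugin that prints "testuser:x:1500:1500:Test User:/home/testuser:/bin/sh" is all the quick testuser example needs.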