summaryrefslogblamecommitdiffstats
path: root/README.adoc
blob: ab692d8c174a7dd6f0f7a662698f52a960df60d2 (plain) (tree)
1
2
3
4
5
6
7
8
9
10
11
                                                    
 

                  






                                               
       






                                       























                                                                   
                            


                                                           
                                                     
































































                                                                                                                                                                  

                                                                     

                                                                                                                                                                   
                                                                                                
 
                                                                         
# `pamldapd` Simple LDAP server, uses PAM as backend

## Getting Started

### Download and Build

. Clone a repository

  $ git clone https://github.com/eisin/pamldapd
  $ cd pamldapd

. Build

  $ yum install -y gcc golang pam-devel
  $ go get github.com/msteinert/pam
  $ go get github.com/nmcclain/asn1-ber
  $ go get github.com/nmcclain/ldap
  $ go build -a src/pamldapd.go

. Install to PATH directory (optional)

  copy x86-64 binary to bin directory:
  $ sudo install pamldapd-x86-64 /usr/bin/pamldapd

. Prepare configuration file

  $ cp pamldapd.json.example pamldapd.json
  $ vi pamldapd.json

### Start `pamldapd`

While pamldapd uses PAM authentication, root privilege is required.

 $ pamldapd -h
 
 Usage of pamldapd:
   -c string
         Configuration file (default "pamldapd.json")
   -l string
         Log file (STDOUT if blank)

Start using configuration file, puts messages to STDOUT

 # pamldapd -c pamldapd.json
 
Start using configuration file, puts messages to a log file

 # pamldapd -c pamldapd.json -l /var/log/pamldapd.log
 
## Configuration

Example Configuration:

 {
         "listen": "127.0.0.1:10389",
         "pamServicename": "password-auth",
         "peopledn": "ou=people,dc=example,dc=com",
         "groupsdn": "ou=groups,dc=example,dc=com",
         "bindadmindn": "uid=user,dc=example,dc=com",
         "bindadminpassword": "password"
 }

`listen` ::
Listen IP address and port like `0.0.0.0:0000`

`pamservicename` ::
PAM authentication requires service-name like `login`, `su`. You can choose existing service or create a new. Existing service can be seen typing `ls /etc/pam.d/`
For more service, see http://www.linux-pam.org/Linux-PAM-html/sag-configuration-file.html

`peopledn` ::
Specify base distinguish name of users.

`groupsdn` ::
Specify base distinguish name of groups.

`bindadmindn` ::
Specify distinguish name of administrator account.

`bindadminpassword` ::
Specify password of administrator account.

## LDAP tree structure example

Tree structure of example configuration file `pamldapd.json.example`

 dc=com
     dc=example
         ou=people
             uid=user
                 objectClass=posixAccount
                 cn=user
                 uidNumber=501
                 gidNumber=501
                 homeDirectory=/home/user
                 givenName=User
             uid=user2
                 objectClass=posixAccount
                 :
             :
         ou=groups
             cn=user
                 objectClass=posixGroup
                 cn=user
                 gidNumber=501
                 memberUid=501
             cn=user2
                 objectClass=posixGroup
                 :
             :
         uid=adminuser

## Restriction

While `pamldapd` uses PAM as authentication, some restrictions exist.

* When search operations, filter can be almost two patterns: `(&(uid=user)(objectClass=posixAccount))` or `(&(memberUid=user)(objectClass=posixgroup))`
** Must be included `objectclass` , like `(objectclass=posixAccount)` or `(objectclass=posixGroup)` . Other than that, for example `(objectclass=*)`, it will fail.
** Must be identified one record by specifying username attribute. Enumeration is not supported.

* When search operation, an entry does not have `unixpassword` attribute.