path: root/README.adoc
blob: 29e3b3f2781f5f5aa36dea498e97cbeabc12a049
# `pamldapd`: a simple LDAP server that uses PAM as its backend

## Getting Started

### Download and Build

. Clone the repository

  $ git clone http://ni.4a.si/sijanec/pamldapd
  $ cd pamldapd

. Build

  $ go build

. Install to a directory on your PATH (optional)

  copy the binary to a bin directory (as root):
  # install pamldapd /usr/local/bin/pamldapd

. Prepare configuration file

  $ cp pamldapd.json.example pamldapd.json
  $ vi pamldapd.json

### Start `pamldapd`

On some distributions, root privilege is required to check user passwords through PAM. It is not required on at least Debian and Gentoo, where any user may check the password of any account.

 $ pamldapd -h
 
 Usage of pamldapd:
   -c string
         Configuration file (default "pamldapd.json")
   -l string
         Log file (STDOUT if blank)

Start with a configuration file, writing messages to STDOUT:

 $ pamldapd -c pamldapd.json
 
Start with a configuration file, writing messages to a log file:

 $ pamldapd -c pamldapd.json -l /var/log/pamldapd.log
 
## Configuration

Example Configuration:

 {
         "listen": "127.0.0.1:10389",
         "pamServicename": "password-auth",
         "peopledn": "ou=people,dc=example,dc=com",
         "groupsdn": "ou=groups,dc=example,dc=com",
         "bindadmindn": "uid=user,dc=example,dc=com",
         "bindadminpassword": "password"
 }

`listen` ::
IP address and port to listen on, in the form `0.0.0.0:0000`.

You may optionally listen on a UNIX socket by setting the JSON configuration key "network" to "unix" and "listen" to "/path/to/your.sock". In fact any network supported by https://pkg.go.dev/net#Listen may be used. When listening on a UNIX socket, you can set the setgid bit on the directory that will contain the socket file, so that the socket file inherits the group ownership of that directory, and you can set the umask to decide who can connect to the socket and who cannot. Create the log file beforehand so that it gets its own (perhaps stricter) permissions instead of the umask-derived ones.

`pamservicename` ::
PAM authentication requires a service name such as `login` or `su`. You can choose an existing service or create a new one. Existing services are listed by `ls /etc/pam.d/`.

`peopledn` ::
Base distinguished name of users.

`groupsdn` ::
Base distinguished name of groups.

`bindadmindn` ::
Distinguished name of the administrator account.

`bindadminpassword` ::
Password of the administrator account.
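The UNIX-socket deployment described under `listen` above, worked through as an added example (this is not part of `pamldapd` itself): a socket directory with the setgid bit and a pre-created, more restrictive log file, plus a configuration file that sets "network" to "unix". It assumes GNU coreutils (`stat -c`) and a group the invoking user belongs to; the directory and file names are placeholders chosen here.

```shell
#!/bin/sh
# Added example, not pamldapd's own code.
# Prepare a directory for the UNIX socket so that the socket file inherits
# the directory's group (setgid bit), and create the log file up front so
# it does not inherit the permissive umask-derived mode.

# prepare_socket_dir DIR LOGFILE [GROUP]
# GROUP defaults to the caller's primary group (assumption for this example).
prepare_socket_dir() {
    dir="$1"
    logfile="$2"
    group="${3:-$(id -gn)}"

    mkdir -p "$dir"
    chgrp "$group" "$dir"
    chmod 2770 "$dir"          # rwx for owner and group, setgid on the directory

    : > "$logfile"             # create (or truncate) the log file first
    chgrp "$group" "$logfile"
    chmod 0640 "$logfile"      # stricter than the socket directory
}

# write_unix_config FILE SOCKETPATH
# Same keys as pamldapd.json.example, with "network" set to "unix".
write_unix_config() {
    cat > "$1" <<EOF
{
        "network": "unix",
        "listen": "$2",
        "pamServicename": "password-auth",
        "peopledn": "ou=people,dc=example,dc=com",
        "groupsdn": "ou=groups,dc=example,dc=com",
        "bindadmindn": "uid=user,dc=example,dc=com",
        "bindadminpassword": "password"
}
EOF
}

# Octal mode of a path, including setgid/setuid/sticky bits (GNU stat).
path_mode() {
    stat -c %a "$1"
}

# Typical use (paths are placeholders):
#   prepare_socket_dir /run/pamldapd /var/log/pamldapd.log ldapclients
#   write_unix_config /etc/pamldapd-unix.json /run/pamldapd/pamldapd.sock
#   umask 007 && pamldapd -c /etc/pamldapd-unix.json -l /var/log/pamldapd.log
```

With `umask 007` in effect when `pamldapd` starts, the socket it creates is not world-accessible, so only members of the directory's group can connect; the log file keeps the `0640` mode it was given beforehand.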

## LDAP tree structure example

Tree structure served with the example configuration file `pamldapd.json.example`:

 dc=com
     dc=example
         ou=people
             uid=user
                 objectClass=posixAccount
                 cn=user
                 uidNumber=501
                 gidNumber=501
                 homeDirectory=/home/user
                 givenName=User
             uid=user2
                 objectClass=posixAccount
                 :
             :
         ou=groups
             cn=user
                 objectClass=posixGroup
                 cn=user
                 gidNumber=501
                 memberUid=501
             cn=user2
                 objectClass=posixGroup
                 :
             :
         uid=adminuser

## Restrictions

Because `pamldapd` uses PAM for authentication, some restrictions apply.

* For search operations, the filter must be one of these two patterns: `(&(uid=user)(objectClass=posixAccount))` or `(&(memberUid=user)(objectClass=posixgroup))`
** `objectclass` must be included, so either `(objectclass=posixAccount)` or `(objectclass=posixGroup)`. Other filters, for example `(objectclass=*)`, fail.
** You can search for a single record by specifying the username attribute. Enumeration is not supported.

* Returned entries do not have the `unixpassword` attribute.
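The two supported search shapes, exercised from a client as an added example (not part of `pamldapd`): a small guard that rejects filters the server cannot answer before they are sent, and wrappers around OpenLDAP's `ldapsearch` for the user and group lookups. The server address and credentials are taken from the example configuration above; `ldapsearch` being installed is an assumption.

```shell
#!/bin/sh
# Added example, not pamldapd's own code.

# Values from pamldapd.json.example (the "listen" address and admin bind).
ldap_uri="ldap://127.0.0.1:10389"
admin_dn="uid=user,dc=example,dc=com"
people_dn="ou=people,dc=example,dc=com"
groups_dn="ou=groups,dc=example,dc=com"
# Assumption: the bind password is kept in a file rather than on the command
# line, so it does not show up in the process list.
admin_pw_file="${PAMLDAPD_ADMIN_PW_FILE:-/etc/pamldapd/admin.pw}"

# supported_filter FILTER
# Returns 0 when FILTER matches one of the two patterns pamldapd answers:
#   (&(uid=<name>)(objectClass=posixAccount))
#   (&(memberUid=<name>)(objectClass=posixGroup))
# Attribute names are compared case-insensitively; anything else, including
# (objectclass=*), returns 1 because the server would fail the search.
supported_filter() {
    f=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$f" in
        "(&(uid="*")(objectclass=posixaccount))")      return 0 ;;
        "(&(memberuid="*")(objectclass=posixgroup))")  return 0 ;;
        *)                                             return 1 ;;
    esac
}

# search_user NAME: fetch the single posixAccount entry for NAME.
search_user() {
    filter="(&(uid=$1)(objectClass=posixAccount))"
    supported_filter "$filter" || return 2
    ldapsearch -x -H "$ldap_uri" -D "$admin_dn" -y "$admin_pw_file" \
        -b "$people_dn" "$filter"
}

# search_groups_of NAME: fetch the posixGroup entries listing NAME as a member.
search_groups_of() {
    filter="(&(memberUid=$1)(objectClass=posixGroup))"
    supported_filter "$filter" || return 2
    ldapsearch -x -H "$ldap_uri" -D "$admin_dn" -y "$admin_pw_file" \
        -b "$groups_dn" "$filter"
}

# Typical use:
#   search_user user
#   search_groups_of user
```

Because enumeration is not supported, a client that needs the whole user list must obtain the usernames elsewhere and issue one `search_user` per name; a wildcard such as `(objectclass=*)` is rejected by the guard rather than sent to the server.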