1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
|
# `pamldapd` Simple LDAP server, uses PAM as backend
## Getting Started
### Download and Build
. Clone a repository
$ git clone https://github.com/eisin/pamldapd
$ cd pamldapd
. Build
$ yum install -y gcc golang pam-devel
$ go get github.com/msteinert/pam
$ go get github.com/nmcclain/asn1-ber
$ go get github.com/nmcclain/ldap
$ go build -a src/pamldapd.go
. Install to PATH directory (optional)
copy x86-64 binary to bin directory:
$ sudo install pamldapd-x86-64 /usr/bin/pamldapd
. Prepare configuration file
$ cp pamldapd.json.example pamldapd.json
$ vi pamldapd.json
### Start `pamldapd`
While pamldapd uses PAM authentication, root privilege is required.
$ pamldapd -h
Usage of pamldapd:
-c string
Configuration file (default "pamldapd.json")
-l string
Log file (STDOUT if blank)
Start using configuration file, puts messages to STDOUT
# pamldapd -c pamldapd.json
Start using configuration file, puts messages to a log file
# pamldapd -c pamldapd.json -l /var/log/pamldapd.log
## Configuration
Example Configuration:
{
"listen": "127.0.0.1:10389",
"pamServicename": "password-auth",
"peopledn": "ou=people,dc=example,dc=com",
"groupsdn": "ou=groups,dc=example,dc=com",
"bindadmindn": "uid=user,dc=example,dc=com",
"bindadminpassword": "password"
}
`listen` ::
Listen IP address and port like `0.0.0.0:0000`
You may optionally listen on a UNIX socket by setting the JSON configuration key "network" to "unix" and "listen" to "/path/to/your.sock". You may actually listen on any network that is supported by https://pkg.go.dev/net#Listen
`pamservicename` ::
PAM authentication requires service-name like `login`, `su`. You can choose existing service or create a new. Existing service can be seen typing `ls /etc/pam.d/`
For more service, see http://www.linux-pam.org/Linux-PAM-html/sag-configuration-file.html
`peopledn` ::
Specify base distinguish name of users.
`groupsdn` ::
Specify base distinguish name of groups.
`bindadmindn` ::
Specify distinguish name of administrator account.
`bindadminpassword` ::
Specify password of administrator account.
## LDAP tree structure example
Tree structure of example configuration file `pamldapd.json.example`
dc=com
dc=example
ou=people
uid=user
objectClass=posixAccount
cn=user
uidNumber=501
gidNumber=501
homeDirectory=/home/user
givenName=User
uid=user2
objectClass=posixAccount
:
:
ou=groups
cn=user
objectClass=posixGroup
cn=user
gidNumber=501
memberUid=501
cn=user2
objectClass=posixGroup
:
:
uid=adminuser
## Restriction
While `pamldapd` uses PAM as authentication, some restrictions exist.
* When search operations, filter can be almost two patterns: `(&(uid=user)(objectClass=posixAccount))` or `(&(memberUid=user)(objectClass=posixgroup))`
** Must be included `objectclass` , like `(objectclass=posixAccount)` or `(objectclass=posixGroup)` . Other than that, for example `(objectclass=*)`, it will fail.
** Must be identified one record by specifying username attribute. Enumeration is not supported.
* When search operation, an entry does not have `unixpassword` attribute.
|
