diff options
Diffstat (limited to 'README.adoc')
-rw-r--r-- | README.adoc | 35 |
1 files changed, 15 insertions, 20 deletions
diff --git a/README.adoc b/README.adoc index efd59d3..29e3b3f 100644 --- a/README.adoc +++ b/README.adoc @@ -4,23 +4,19 @@ ### Download and Build -. Clone a repository +. Clone the repository - $ git clone https://github.com/eisin/pamldapd + $ git clone http://ni.4a.si/sijanec/pamldapd $ cd pamldapd . Build - $ yum install -y gcc golang pam-devel - $ go get github.com/msteinert/pam - $ go get github.com/nmcclain/asn1-ber - $ go get github.com/nmcclain/ldap - $ go build -a src/pamldapd.go + $ go build . Install to PATH directory (optional) - copy x86-64 binary to bin directory: - $ sudo install pamldapd-x86-64 /usr/bin/pamldapd + copy binary to bin directory: + # install pamldapd /usr/local/bin/pamldapd . Prepare configuration file @@ -29,7 +25,7 @@ ### Start `pamldapd` -While pamldapd uses PAM authentication, root privilege is required. +On some distributions, root privilege is required for checking user passwords with PAM, but it is not required on at least Debian and Gentoo, where anyone may check passwords of anyone. $ pamldapd -h @@ -41,11 +37,11 @@ While pamldapd uses PAM authentication, root privilege is required. Start using configuration file, puts messages to STDOUT - # pamldapd -c pamldapd.json + $ pamldapd -c pamldapd.json Start using configuration file, puts messages to a log file - # pamldapd -c pamldapd.json -l /var/log/pamldapd.log + $ pamldapd -c pamldapd.json -l /var/log/pamldapd.log ## Configuration @@ -66,8 +62,7 @@ Listen IP address and port like `0.0.0.0:0000` You may optionally listen on a UNIX socket by setting the JSON configuration key "network" to "unix" and "listen" to "/path/to/your.sock". You may actually listen on any network that is supported by https://pkg.go.dev/net#Listen -- When you're listening on a UNIX socket, you can use the setgid bit of the directory that will contain your socket file. This way, the socket file will preserve the group ownership of the directory. You can also set the umask to decide who can connect to your socket and who can't. Just make sure that you create the logfile beforehand so that the logfile has different (perhaps more strict) permissions. `pamservicename` :: -PAM authentication requires service-name like `login`, `su`. You can choose existing service or create a new. Existing service can be seen typing `ls /etc/pam.d/` -For more service, see http://www.linux-pam.org/Linux-PAM-html/sag-configuration-file.html +PAM authentication requires service-name like `login`, `su`. You can choose existing service or create a new one. Existing services can be seen typing `ls /etc/pam.d/` `peopledn` :: Specify base distinguish name of users. @@ -111,12 +106,12 @@ Tree structure of example configuration file `pamldapd.json.example` : uid=adminuser -## Restriction +## Restrictions -While `pamldapd` uses PAM as authentication, some restrictions exist. +Because `pamldapd` uses PAM as authentication, some restrictions exist. -* When search operations, filter can be almost two patterns: `(&(uid=user)(objectClass=posixAccount))` or `(&(memberUid=user)(objectClass=posixgroup))` -** Must be included `objectclass` , like `(objectclass=posixAccount)` or `(objectclass=posixGroup)` . Other than that, for example `(objectclass=*)`, it will fail. -** Must be identified one record by specifying username attribute. Enumeration is not supported. +* For search operations, filter can be one of those two patterns: `(&(uid=user)(objectClass=posixAccount))` or `(&(memberUid=user)(objectClass=posixgroup))` +** `objectclass` must be included, so either `(objectclass=posixAccount)` or `(objectclass=posixGroup)`. Different queries, for example `(objectclass=*)`, will fail. +** You can search for a single record by specifying username attribute. Enumeration is not supported. -* When search operation, an entry does not have `unixpassword` attribute. +* When searching, entries do not have the `unixpassword` attribute. |