FusionForge

Difference between revisions of "Configuration/NSS"

From FusionForge Wiki
Revision as of 14:23, 11 January 2010

FusionForge can expose its users and groups as native system accounts by coupling your PostgreSQL database with the Name Service Switch (NSS). To use this functionality you need to compile, install and configure an NSS module that handles the communication with your database.

This module is called libnss_pgsql, and is available from [1]. At the time of writing, the latest version is 1.4.0, which is used in this document and available for download here. Note that different versions might have different compilation and configuration requirements.

In this document we assume you are logged in as root on your server. We have successfully installed the module on CentOS 5.0, but on other UNIX-based systems the process should work in a similar way.

Preparation

First we need to download and unpack the library, and set up our installation directory. Note that we use the /opt directory.

$ cd /opt
$ wget http://pgfoundry.org/frs/download.php/605/libnss-pgsql-1.4.0.tgz
$ tar -xvvf libnss-pgsql-1.4.0.tgz
$ mkdir libnss_pgsql

Compilation and Installation

We start by compiling the library, using our installation directory as prefix and explicitly naming the directory where the configuration file will be stored. The latter needs to be set explicitly because the library's default is not intuitive (at least in our case it wasn't): without --sysconfdir the configuration file would be looked for under the prefix, in /opt/libnss_pgsql/etc, rather than in /etc.

$ cd /opt/libnss-pgsql-1.4.0
$ ./configure --prefix=/opt/libnss_pgsql --sysconfdir=/etc
$ make
$ make install
$ make distclean

Since we have installed the library in /opt/libnss_pgsql, we have to adjust the global library search path so that the system can find our module. This is done in the dynamic loader's configuration, /etc/ld.so.conf.

Include the following on the first line of this file:

/opt/libnss_pgsql/lib

After this we need to rebuild the dynamic loader's cache by running:

$ ldconfig

Configuration

Now we need to configure both NSS and libnss_pgsql so that the former will utilize the latter, and the latter will be able to access the database and knows how to query your table structure.

NSS Config

For NSS to be able to use our new module, we need to add the module's name to its configuration. By convention NSS looks for a module named libnss_[LIBNAME] on the library search path, so we add pgsql as a source for passwd and group resolution. This is done in /etc/nsswitch.conf, on the passwd and group lines; files is listed first so that local accounts are consulted before the database:

passwd: files pgsql
group: files pgsql

libnss_pgsql Config

The next step is to configure our module so that it can connect to our PostgreSQL server and understands FusionForge's table structure. Our compiled module includes a sample configuration that documents the parameters it expects and what each query must return. This file can be found at /opt/libnss-pgsql-1.4.0/conf/nss-pgsql.conf.

First we copy that file to /etc - which we specified during configure in the --sysconfdir parameter:

$ cp /opt/libnss-pgsql-1.4.0/conf/nss-pgsql.conf /etc/nss-pgsql.conf

Now we edit the queries in this file. For us, the following works. You should be able to copy-paste it, fill in your password and have it working, provided you use the versions specified above:

connectionstring        = hostaddr=127.0.0.1 dbname=gforge user=gforge password=XXX connect_timeout=1
# NOTE: NSS modules run inside every process that resolves a user or group, so this
# file must stay readable to them and the password in it is not secret from local users.
# Prefer a database role that can only read the nss_* relations over the full gforge account.

# you can use anything postgres accepts as table expression
# The module finds result columns by the exact names listed in each "Must return" line,
# so the AS aliases below have to match them.

# Must return "usernames", 1 column, list
# getgroupmembersbygid    = SELECT username FROM passwd_table WHERE gid = $1
getgroupmembersbygid = SELECT user_name AS "username" FROM nss_usergroups WHERE gid = $1

# Must return passwd_name, passwd_passwd, passwd_gecos, passwd_dir, passwd_shell, passwd_uid, passwd_gid
# getpwnam        = SELECT username, passwd, gecos, homedir, shell, uid, gid FROM passwd_table WHERE username = $1
# NOTE: passwd_dir is prefixed with /ffusers/ here but not in getpwuid below; use the same
# expression in both so that name and uid lookups agree on the home directory.
getpwnam = SELECT login as "passwd_name", passwd as "passwd_passwd", gecos as "passwd_gecos", '/ffusers/' || homedir as "passwd_dir", shell as "passwd_shell", uid as "passwd_uid", gid as "passwd_gid" FROM nss_passwd WHERE login = $1

# Must return passwd_name, passwd_passwd, passwd_gecos, passwd_dir, passwd_shell, passwd_uid, passwd_gid
# getpwuid        = SELECT username, passwd, gecos, homedir, shell, uid, gid FROM passwd_table WHERE uid = $1
getpwuid = SELECT login as "passwd_name", passwd as "passwd_passwd", gecos as "passwd_gecos", homedir as "passwd_dir", shell as "passwd_shell", uid as "passwd_uid", gid as "passwd_gid" FROM nss_passwd WHERE uid = $1

# All users
# allusers        = SELECT username, passwd, gecos, homedir, shell, uid, gid FROM passwd_table
allusers = SELECT login as "passwd_name", passwd as "passwd_passwd", gecos as "passwd_gecos", homedir as "passwd_dir", shell as "passwd_shell", uid as "passwd_uid", gid as "passwd_gid" FROM nss_passwd

# Must return group_name, group_passwd, group_gid
# getgrnam        = SELECT groupname, passwd, gid FROM group_table WHERE groupname = $1
getgrnam = SELECT name AS "group_name", '' AS "group_passwd", gid AS "group_gid" FROM nss_groups WHERE name = $1

# Must return group_name, group_passwd, group_gid
# getgrgid        = SELECT groupname, passwd, gid FROM group_table WHERE gid = $1
getgrgid = SELECT name AS "group_name", '' AS "group_passwd", gid AS "group_gid" FROM nss_groups WHERE gid = $1

# Must return gid.  %s MUST appear first for username match in where clause
# groups_dyn      = SELECT ug.gid FROM passwd_table JOIN usergroups USING (uid) where username = $1 and ug.gid <> $2
groups_dyn = SELECT nss_usergroups.gid FROM nss_passwd JOIN nss_usergroups USING (uid) WHERE user_name = $1 AND nss_usergroups.gid <> $2

# All groups
# allgroups       = SELECT groupname, passwd, gid  FROM group_table
allgroups = SELECT name AS "group_name", '' AS "group_passwd", gid AS "group_gid" FROM nss_groups
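As an added check, written for this page and not part of libnss-pgsql or the FusionForge wiki, the Python below reads an nss-pgsql.conf, extracts the result-column names of each query (the AS alias, or else the bare column name) and compares them with the names the "Must return" comments list. The configuration it reads is a constructed sample in the format above that deliberately aliases gid as "group_pid" in getgrnam, so the check reports that query.

```python
import re

# Result-column names libnss-pgsql 1.4.0 looks up by name for each query, as
# listed in the "Must return" comments of the sample nss-pgsql.conf.
PASSWD_COLS = {"passwd_name", "passwd_passwd", "passwd_gecos", "passwd_dir",
               "passwd_shell", "passwd_uid", "passwd_gid"}
GROUP_COLS = {"group_name", "group_passwd", "group_gid"}
REQUIRED = {"getpwnam": PASSWD_COLS, "getpwuid": PASSWD_COLS, "allusers": PASSWD_COLS,
            "getgrnam": GROUP_COLS, "getgrgid": GROUP_COLS, "allgroups": GROUP_COLS}

# Constructed sample in the page's format (not a real deployment); getgrnam
# aliases gid as "group_pid", which is not a name the module knows.
SAMPLE_CONF = """
connectionstring = hostaddr=127.0.0.1 dbname=gforge user=gforge password=XXX
getpwnam = SELECT login as "passwd_name", passwd as "passwd_passwd", gecos as "passwd_gecos", '/ffusers/' || homedir as "passwd_dir", shell as "passwd_shell", uid as "passwd_uid", gid as "passwd_gid" FROM nss_passwd WHERE login = $1
getgrnam = SELECT name AS "group_name", '' AS "group_passwd", gid AS "group_pid" FROM nss_groups WHERE name = $1
getgrgid = SELECT name AS "group_name", '' AS "group_passwd", gid AS "group_gid" FROM nss_groups WHERE gid = $1
"""

def parse_conf(text):
    """Map 'key = value' lines to a dict, skipping blanks and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)  # the value itself may contain '='
            conf[key.strip()] = value.strip()
    return conf

def result_columns(query):
    """Names the result columns of one SELECT get: the AS alias, else the bare column."""
    m = re.match(r"SELECT\s+(.*?)\s+FROM\s", query, re.I | re.S)
    select_list = m.group(1) if m else ""
    names = []
    for item in re.split(r",(?=(?:[^']*'[^']*')*[^']*$)", select_list):  # commas outside quotes
        alias = re.search(r"\s+AS\s+\"?(\w+)\"?\s*$", item, re.I)
        names.append(alias.group(1) if alias else item.strip().split(".")[-1])
    return names

def check_conf(text):
    """Return one message per query that is missing or lacks a required result column."""
    conf = parse_conf(text)
    problems = []
    for key, required in REQUIRED.items():
        if key not in conf:
            problems.append(f"{key}: not defined")
            continue
        missing = sorted(required - set(result_columns(conf[key])))
        if missing:
            problems.append(f"{key}: result lacks {missing}")
    return problems
```

To check a real installation, read /etc/nss-pgsql.conf into the string passed to check_conf before adding pgsql to /etc/nsswitch.conf.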

Last but not least we need to make sure that FusionForge itself knows which type of account management we want to use. This is important because it determines which tables FusionForge populates in our database.

To achieve this we edit /etc/gforge/local.inc, find the $sys_account_manager_type variable and edit it to reflect:

$sys_account_manager_type = "pgsql";

Troubleshooting

You can test the module with the following commands:

$ getent passwd <fusionforge_username>
$ getent group siteadmin
$ getent shadow <fusionforge_username>

Should you encounter difficulties, try running the commands under strace. For example:

$ strace getent group siteadmin