pwdb-conf-0.62-18.mga7.armv7hl.rpm

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
 <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.20">
 <TITLE>The PWDB Library Guide: Supported modules</TITLE>
 <LINK HREF="pwdb-5.html" REL=next>
 <LINK HREF="pwdb-3.html" REL=previous>
 <LINK HREF="pwdb.html#toc4" REL=contents>
</HEAD>
<BODY>
<A HREF="pwdb-5.html">Next</A>
<A HREF="pwdb-3.html">Previous</A>
<A HREF="pwdb.html#toc4">Contents</A>
<HR>
<H2><A NAME="s4">4.</A> <A HREF="pwdb.html#toc4">Supported modules</A></H2>

<P>PLEASE NOTE. Currently only a few of the group functions have been implemented.</P>

<H2><A NAME="ss4.1">4.1</A> <A HREF="pwdb.html#toc4.1">UNIX module</A>
</H2>

<P>This section documents the current state of the UNIX module. From the
point of view of the application, it is named "unix" and has the
<CODE>pwdb_type</CODE> <CODE>PWDB_UNIX</CODE>.</P>

<P>Entries supported by the "user" class of the UNIX module are as follows:
<DL>
<DT><B><CODE>user</CODE></B><DD><P>- username</P>
<DT><B><CODE>uid</CODE></B><DD><P>- user-id</P>
<DT><B><CODE>gid</CODE></B><DD><P>- group-id</P>
<DT><B><CODE>passwd</CODE></B><DD><P>- encrypted password</P>
<DT><B><CODE>defer_pass</CODE></B><DD><P>- "U" unless set by other database</P>
<DT><B><CODE>gecos</CODE></B><DD><P>- user information</P>
<DT><B><CODE>dir</CODE></B><DD><P>- home directory</P>
<DT><B><CODE>shell</CODE></B><DD><P>- shell executable</P>
</DL>
</P>

<P>Entries supported by the "group" class of the UNIX module are as follows:
<DL>
<DT><B><CODE>group</CODE></B><DD><P>- group name</P>
<DT><B><CODE>gid</CODE></B><DD><P>- group-id</P>
<DT><B><CODE>passwd</CODE></B><DD><P>- encrypted password</P>
<DT><B><CODE>users</CODE></B><DD><P>- text list of user names separated by
commas</P>
</DL>
</P>

<P>The <CODE>pwdb_request()</CODE> function call is only supported for the
"group" class. The two entries that may be requested are:
<DL>
<DT><B><CODE>groups</CODE></B><DD><P>- text list of the group names, separated by
commas, of which the user is a member</P>
<DT><B><CODE>groupids</CODE></B><DD><P>- array of <CODE>gid_t</CODE> values
holding the numerical form of the "groups" entry</P>
</DL>

Note that for such requests to be honoured, the name of the user must
already be present in the <CODE>pwdb **</CODE> argument before
<CODE>pwdb_request()</CODE> is called.</P>
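<P>The following C program is an added example, not part of libpwdb: it shows
what the "groups" and "groupids" requests amount to by computing them from
<CODE>/etc/group</CODE>-style lines for a given user. The group lines are
constructed for the example, and the choice to include the user's primary
group (as <CODE>id -G</CODE> reports it) is this example's, not something the
text states. The exact-token membership test matters: a naive
<CODE>strstr()</CODE> would report "al" as a member of every group that lists
"alice".</P>

```c
/* Added example, not libpwdb code: compute the UNIX module's "groups" and
 * "groupids" request results for a user from /etc/group-style lines.
 * The group lines are constructed for this example; the primary group is
 * included the way id -G reports it (this example's choice). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

#define MAX_GROUPS 64

/* Constructed sample of /etc/group: name:passwd:gid:member,member,... */
static const char *const sample_group[] = {
    "root:x:0:",
    "wheel:x:10:alice,bob",
    "audio:x:63:alice",
    "users:x:100:",
    "docker:x:999:carol,alice",
    NULL,
};

/* Split `line` in place on ':' into at most `max` fields; return the count. */
static int split_colon(char *line, char **f, int max)
{
    int n = 0;
    f[n++] = line;
    for (char *p = line; *p && n < max; p++)
        if (*p == ':') { *p = '\0'; f[n++] = p + 1; }
    return n;
}

/* Exact-token membership test: "al" must not match the member "alice". */
static int member_of(const char *members, const char *user)
{
    size_t ulen = strlen(user);
    for (const char *p = members; *p; ) {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        if (len == ulen && memcmp(p, user, ulen) == 0)
            return 1;
        if (!comma)
            break;
        p = comma + 1;
    }
    return 0;
}

/* Fill `groups` (comma-separated names, the "groups" entry) and `gids`
 * (the "groupids" array). Returns the number of groups, or -1 on error. */
int user_groups(const char *user, gid_t primary_gid,
                char *groups, size_t groups_len, gid_t *gids, int max)
{
    int n = 0;
    groups[0] = '\0';
    for (int i = 0; sample_group[i]; i++) {
        char line[256], *f[4];
        snprintf(line, sizeof line, "%s", sample_group[i]);
        if (split_colon(line, f, 4) < 4)
            return -1;                          /* malformed group line */
        gid_t gid = (gid_t)strtoul(f[2], NULL, 10);
        if (gid != primary_gid && !member_of(f[3], user))
            continue;
        if (n >= max)
            return -1;                          /* more groups than the caller can hold */
        gids[n++] = gid;
        if (groups[0])
            strncat(groups, ",", groups_len - strlen(groups) - 1);
        strncat(groups, f[0], groups_len - strlen(groups) - 1);
    }
    return n;
}

/* Convenience wrappers with static results, handy for quick checks. */
static char last_groups[512];
static gid_t last_gids[MAX_GROUPS];

int groups_count(const char *user, gid_t primary_gid)
{
    return user_groups(user, primary_gid, last_groups, sizeof last_groups,
                       last_gids, MAX_GROUPS);
}

const char *groups_entry(const char *user, gid_t primary_gid)
{
    groups_count(user, primary_gid);
    return last_groups;
}

int main(void)
{
    int n = groups_count("alice", 100);
    printf("groups=%s\n", last_groups);
    for (int i = 0; i < n; i++)
        printf("groupids[%d]=%lu\n", i, (unsigned long)last_gids[i]);
    return 0;
}
```

<P>For the constructed file, "alice" with primary gid 100 yields the "groups"
entry <CODE>wheel,audio,users,docker</CODE> and the "groupids" array
<CODE>{10, 63, 100, 999}</CODE>, in file order.</P>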

<H2><A NAME="ss4.2">4.2</A> <A HREF="pwdb.html#toc4.2">Shadow module</A>
</H2>

<P>This section documents the current implementation of the <EM>shadow</EM>
database module.</P>

<P>The <EM>shadow</EM> module makes no use of the <CODE>id</CODE>
parameter: the shadow database contains no uid field, so the only way to
identify a user directly is by the <CODE>name</CODE> argument.
An <CODE>id</CODE>-based lookup is nevertheless possible if the <CODE>shadow</CODE>
database is searched after a database that provides the user-uid
mapping. In that case the "<CODE>user</CODE>" entry of the partially
built <CODE>pwdb</CODE> structure is used to locate the matching entry in
the shadow file.</P>

<P>The shadow module is designed to work in conjunction with a database
that provides the standard <CODE>user-uid</CODE> mapping.  It should be
noted that it does not provide sufficient information to support a
user login session.</P>

<P>Entries supported by the "user" class of the shadow module are (the
aging fields use the units of <CODE>/etc/shadow</CODE>: days, with dates
expressed as days since 1 January 1970):
<DL>
<DT><B><CODE>user</CODE></B><DD><P>- username</P>
<DT><B><CODE>passwd</CODE></B><DD><P>- encrypted password</P>
<DT><B><CODE>last_change</CODE></B><DD><P>- date the password was last changed</P>
<DT><B><CODE>min_change</CODE></B><DD><P>- minimum number of days before the
password may be changed again</P>
<DT><B><CODE>max_change</CODE></B><DD><P>- maximum lifetime, in days, of the
current password</P>
<DT><B><CODE>warn_change</CODE></B><DD><P>- number of days prior to expiry
that the user should be warned</P>
<DT><B><CODE>defer_change</CODE></B><DD><P>- grace period, in days, after
expiry before the password is finally invalid</P>
<DT><B><CODE>expire</CODE></B><DD><P>- date the account expires</P>
</DL>
</P>

<P>Entries supported by the "group" class of the shadow module are:
<DL>
<DT><B><CODE>group</CODE></B><DD><P>- groupname</P>
<DT><B><CODE>passwd</CODE></B><DD><P>- encrypted group password</P>
<DT><B><CODE>users</CODE></B><DD><P>- text list of user names separated by
commas (members of the group)</P>
<DT><B><CODE>admins</CODE></B><DD><P>- text list of user names separated by
commas (administrators of the group)</P>
</DL>
</P>
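<P>The following C program is an added example, not libpwdb code. It walks
through the chained lookup described above (uid resolved to a name through a
passwd-style database, then the shadow line fetched by that name) and then
evaluates the aging entries to decide whether the password is still valid,
in its warning window, in the <CODE>defer_change</CODE> grace period, or
expired. The passwd and shadow lines, the hash placeholders and the day
numbers are all constructed; the field units follow shadow(5), and the
decision order (account expiry first, then password age) is this example's
reading of those fields rather than something the text specifies.</P>

```c
/* Added example, not libpwdb code. The shadow module is keyed by name only,
 * so an id-based lookup first resolves uid -> name through a passwd-style
 * database and then reads the shadow line for that name; the aging fields
 * are then evaluated. Units follow shadow(5): days since 1970-01-01, with an
 * empty field meaning "not set". All sample lines are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed passwd lines: name:passwd:uid:gid:gecos:dir:shell */
static const char *const sample_passwd[] = {
    "root:x:0:0:root:/root:/bin/sh",
    "alice:x:1000:100:Alice:/home/alice:/bin/bash",
    "bob:x:1001:100:Bob:/home/bob:/bin/bash",
    NULL,
};

/* Constructed shadow lines: name:passwd:lastchg:min:max:warn:inactive:expire: */
static const char *const sample_shadow[] = {
    "root:$6$example$hash:19000:0:99999:7:::",
    "alice:$6$example$hash:19000:0:90:7:14::",
    "bob:!locked:18000:0:30:7::19500:",
    NULL,
};

enum pw_status { PW_OK, PW_WARN, PW_GRACE, PW_EXPIRED, PW_ACCT_EXPIRED, PW_NOENT };

/* Split `line` in place on ':' into at most `max` fields; return the count. */
static int split_colon(char *line, char **f, int max)
{
    int n = 0;
    f[n++] = line;
    for (char *p = line; *p && n < max; p++)
        if (*p == ':') { *p = '\0'; f[n++] = p + 1; }
    return n;
}

/* Step 1: uid -> user name from the passwd database (this becomes the "user"
 * entry of the partially built pwdb). Returns NULL if the uid is unknown. */
const char *name_for_uid(unsigned long uid, char *out, size_t outlen)
{
    for (int i = 0; sample_passwd[i]; i++) {
        char line[256], *f[8];
        snprintf(line, sizeof line, "%s", sample_passwd[i]);
        if (split_colon(line, f, 8) < 3)
            continue;
        if (strtoul(f[2], NULL, 10) == uid) {
            snprintf(out, outlen, "%s", f[0]);
            return out;
        }
    }
    return NULL;
}

/* Shadow numeric field: empty means unset (-1). */
static long fld(const char *s) { return *s ? strtol(s, NULL, 10) : -1; }

/* Step 2: evaluate the aging entries for `name` at `today` (days since epoch). */
enum pw_status shadow_status(const char *name, long today)
{
    for (int i = 0; sample_shadow[i]; i++) {
        char line[256], *f[10];
        snprintf(line, sizeof line, "%s", sample_shadow[i]);
        if (split_colon(line, f, 10) < 8 || strcmp(f[0], name) != 0)
            continue;
        long last = fld(f[2]), max = fld(f[4]), warn = fld(f[5]);
        long inactive = fld(f[6]), expire = fld(f[7]);   /* defer_change, expire */
        if (expire >= 0 && today >= expire)
            return PW_ACCT_EXPIRED;                       /* the account itself has expired */
        if (max < 0)
            return PW_OK;                                 /* no password aging configured */
        if (today < last + max)
            return (warn >= 0 && today >= last + max - warn) ? PW_WARN : PW_OK;
        if (inactive >= 0 && today < last + max + inactive)
            return PW_GRACE;                              /* expired, still inside defer_change */
        return PW_EXPIRED;
    }
    return PW_NOENT;
}

/* The chained lookup the text describes: id -> name -> shadow entry. */
enum pw_status status_for_uid(unsigned long uid, long today)
{
    char name[64];
    if (!name_for_uid(uid, name, sizeof name))
        return PW_NOENT;
    return shadow_status(name, today);
}

int main(void)
{
    static const char *const label[] = { "ok", "warn", "grace", "expired",
                                         "account-expired", "no-entry" };
    printf("uid 1000 on day 19085: %s\n", label[status_for_uid(1000, 19085)]);
    printf("uid 1001 on day 19500: %s\n", label[status_for_uid(1001, 19500)]);
    return 0;
}
```

<P>With the constructed lines, uid 1000 (alice, last change day 19000,
90-day lifetime, 7-day warning, 14-day grace) is fine on day 19050, in the
warning window on day 19085, in the grace period on day 19100 and expired on
day 19104; uid 1001 (bob) has an <CODE>expire</CODE> date of 19500 and is
reported as account-expired from that day on.</P>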


<H2><A NAME="ss4.3">4.3</A> <A HREF="pwdb.html#toc4.3">NIS module</A>
</H2>

<P>
<UL>
<LI>user removal is not possible (lack of documentation).</LI>
<LI>user creation is not possible (lack of documentation).</LI>
</UL>
</P>

<H2><A NAME="ss4.4">4.4</A> <A HREF="pwdb.html#toc4.4">DECNIS module</A>
</H2>

<P>The decnis module allows use of some extensions to the basic NIS maps.
The two extensions currently supported are the Solaris passwd.adjunct map
and the Digital Equipment Corp. prpasswd map; both are shadow-password
schemes for basic (non-secure) NIS. The Solaris support is untested.
This module encompasses the NIS module, so the decnis option should replace
the standard nis option in the pwdb.conf file. If a user has no shadow NIS
password entry, the result is identical to that returned by the NIS module
above.</P>
<P><EM>Warning 1:</EM> support for many of the extensions (password expiry,
lifetime, account locking etc.) is not present in this version; only raw
authentication is provided.</P>
<P><EM>Warning 2:</EM> clustering your Linux boxes with this software reduces
the security level of your NIS server/cluster, since users may gain access to
the encrypted passwords of other users.</P>


<P>
<UL>
<LI>user removal is not possible (lack of documentation).</LI>
<LI>user creation is not possible (lack of documentation).</LI>
</UL>
</P>
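<P>An added illustration of the pwdb.conf change the text calls for (not a
file shipped with the package): the <CODE>user:</CODE>/<CODE>group:</CODE>
stanza layout with one database chain per indented line is assumed from the
stock pwdb.conf the library installs, and leaving the group database on plain
<CODE>nis</CODE> is this illustration's choice, since the extensions described
above concern the passwd maps only.</P>

```text
# Before: plain NIS; the passwd.adjunct / prpasswd shadow maps are ignored
user:
	unix+shadow
	nis
group:
	unix+shadow
	nis

# After: decnis replaces nis for the user database (it subsumes nis, and
# falls back to the plain NIS result when a user has no shadow NIS entry)
user:
	unix+shadow
	decnis
group:
	unix+shadow
	nis
```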

<H2><A NAME="ss4.5">4.5</A> <A HREF="pwdb.html#toc4.5">RADIUS module</A>
</H2>

<P>The RADIUS module acts only as a user validation mechanism. The
official Livingston radiusd 2.0 is supported, but in order to take
advantage of all the information and authentication tokens the RADIUS server
can provide, a session PAM module would have to be written and stacked over
pam_unix.</P>

<P>The following should be taken into consideration when writing
applications that authenticate against a RADIUS server:</P>

<P>
<UL>
<LI>the pwdb group functions are not supported (RADIUS has no notion of
groups)
</LI>
<LI>Other than checking username/password pairs, the RADIUS module
cannot be used on its own with the stock radiusd server to handle a
user login without a suitable RADIUS client (for example, there is no
way to obtain a UID for a user).
<P>However, with a few hacks to the RADIUS server and suitable changes
to the <CODE>/etc/raddb/dictionary</CODE> file this module uses, a NIS-like
environment could be achieved. Full documentation on how to achieve this
will be added later.</P>

</LI>
<LI>All RADIUS module functions that access the remote server require the
presence of the "pass_phrase" pwdb entry, which contains the user's
password in <EM>clear text</EM>. The RADIUS module destroys this
information as soon as it can dispose of it, so an application can
assume that after a call to a function in the RADIUS module which
returned <CODE>PWDB_SUCCESS</CODE>, the pass_phrase entry has been wiped.
</LI>
<LI>When updating a RADIUS user password, one should supply <B>both</B> the
<CODE>pass_phrase</CODE> and <CODE>passwd</CODE> entries in <EM>clear text</EM>. By
convention, <CODE>pass_phrase</CODE> contains the old password (which the
RADIUS server requires to authenticate the user) and the
<CODE>passwd</CODE> entry contains the new password. Be careful here: other
modules used before RADIUS authentication may already have set the
<CODE>passwd</CODE> entry (the UNIX module, for instance, stores the encrypted
password there), and the application must make sure that the clear-text
password is what reaches the RADIUS module when changing a password. The
RADIUS module wipes both the <CODE>pass_phrase</CODE> and <CODE>passwd</CODE>
entries, so the application cannot rely on the validity of either entry in
the pwdb structure after a call to the RADIUS module's update function.

<P>Note that the RADIUS server must permit users to change their
passwords. If the server does not accept password changes, a
<CODE>PWDB_TIMEOUT</CODE> will occur.</P>

</LI>
<LI>Changing the password is the <B>only</B> operation supported by the
RADIUS module's update function.
</LI>
</UL>
</P>
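<P>The following C program is an added example, not libpwdb's RADIUS module.
It models the clear-text contract the list above describes: the caller
supplies the old password as <CODE>pass_phrase</CODE> and the new one as
<CODE>passwd</CODE>, and the update wipes both before returning on every path,
success or failure. The server side is simulated in-process against a
constructed credential, the numeric result codes are chosen for the example
only, and the <CODE>secure_wipe()</CODE> helper shows the one check a
practitioner should apply to any such "the module destroys this information"
promise: a plain <CODE>memset()</CODE> just before the buffer goes out of use
is a dead store the optimiser is entitled to delete.</P>

```c
/* Added example, not libpwdb's RADIUS module: a model of the clear-text
 * contract of the RADIUS update call. The caller supplies the old password
 * in "pass_phrase" and the new one in "passwd", both clear text; the call
 * wipes both on every return path, success or failure. The server side is
 * simulated against a constructed credential; nothing is sent on the wire.
 * The numeric codes below are chosen for this example only. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PWDB_SUCCESS           0
#define PWDB_TIMEOUT           1  /* server does not accept password changes */
#define EX_PASS_PHRASE_MISSING 2  /* example-local: no clear-text old password */
#define EX_BAD_PASSWORD        3  /* example-local: old password rejected */

/* The two pwdb entries this example models, held as fixed buffers. */
struct creds {
    char pass_phrase[128];   /* old password, clear text */
    char passwd[128];        /* new password, clear text */
};

/* Zero memory so the store cannot be dropped by the optimiser. A plain
 * memset() just before free() or return may be removed as a dead store
 * because the buffer is never read again; a volatile write cannot. */
void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--)
        *v++ = 0;
}

/* Returns 1 if every byte of the buffer is zero. */
int is_wiped(const void *p, size_t n)
{
    const unsigned char *b = (const unsigned char *)p;
    for (size_t i = 0; i < n; i++)
        if (b[i])
            return 0;
    return 1;
}

/* Constructed server-side state standing in for radiusd. */
static char server_password[128] = "hunter2-old";
static int  server_allows_change = 1;

void set_server_allows_change(int v) { server_allows_change = v; }
int  server_password_is(const char *s) { return strcmp(server_password, s) == 0; }

/* Modelled update: authenticate with pass_phrase, then install passwd. */
int radius_update_password(struct creds *c)
{
    int rc;
    if (c->pass_phrase[0] == '\0') { rc = EX_PASS_PHRASE_MISSING; goto out; }
    if (!server_allows_change)     { rc = PWDB_TIMEOUT;           goto out; }
    if (strcmp(c->pass_phrase, server_password) != 0) { rc = EX_BAD_PASSWORD; goto out; }
    snprintf(server_password, sizeof server_password, "%s", c->passwd);
    rc = PWDB_SUCCESS;
out:
    /* The contract from the text: neither entry is valid after this call,
     * whatever the outcome, so the clear text does not outlive the request. */
    secure_wipe(c->pass_phrase, sizeof c->pass_phrase);
    secure_wipe(c->passwd, sizeof c->passwd);
    return rc;
}

int main(void)
{
    struct creds c;
    memset(&c, 0, sizeof c);
    snprintf(c.pass_phrase, sizeof c.pass_phrase, "%s", "hunter2-old");
    snprintf(c.passwd, sizeof c.passwd, "%s", "correct-horse");
    int rc = radius_update_password(&c);
    printf("rc=%d wiped=%d server-now-new=%d\n", rc, is_wiped(&c, sizeof c),
           server_password_is("correct-horse"));
    return 0;
}
```

<P>Note that the wipe happens on the failure paths too: the text only
guarantees the entries are gone after <CODE>PWDB_SUCCESS</CODE>, so an
application that wants the clear text cleared after a rejected or timed-out
request has to do that itself.</P>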

<P>The entries supported by this database are set according to the definitions
in the <CODE>/etc/raddb/dictionary</CODE> file. Three entries have a special
meaning when calling the RADIUS functions: <CODE>user</CODE>, <CODE>passwd</CODE> and
<CODE>pass_phrase</CODE>. The <CODE>passwd</CODE> and <CODE>pass_phrase</CODE> entries are
wiped by the RADIUS functions as soon as the module can dispose of them. The
response from the RADIUS server is processed and entries are set in the
<CODE>pwdb</CODE> structure according to the names from the dictionary file.</P>

<P>A sample RADIUS <CODE>dictionary</CODE> file is provided here (valid for
Livingston RADIUSD 2.0):</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>

#---------------------------------------------------------------------------
#
# @(#)dictionary        1.3 10/1/96  Copyright 1991 Livingston Enterprises Inc
#
#---------------------------------------------------------------------------
#
#       This file contains dictionary translations for parsing
#       requests and generating responses.  All transactions are
#       composed of Attribute/Value Pairs.  The value of each attribute
#       is specified as one of 4 data types.  Valid data types are:
#
#       string - 0-253 octets
#       ipaddr - 4 octets in network byte order
#       integer - 32 bit value in big endian order (high byte first)
#       date - 32 bit value in big endian order - seconds since
#                                       00:00:00 GMT,  Jan.  1,  1970
#

ATTRIBUTE       User-Name               1       string
ATTRIBUTE       Password                2       string
ATTRIBUTE       CHAP-Password           3       string
ATTRIBUTE       NAS-IP-Address          4       ipaddr
ATTRIBUTE       NAS-Port                5       integer
ATTRIBUTE       Service-Type            6       integer
ATTRIBUTE       Framed-Protocol         7       integer
ATTRIBUTE       Framed-IP-Address       8       ipaddr
ATTRIBUTE       Framed-IP-Netmask       9       ipaddr
ATTRIBUTE       Framed-Routing          10      integer
ATTRIBUTE       Filter-Id               11      string
ATTRIBUTE       Framed-MTU              12      integer
ATTRIBUTE       Framed-Compression      13      integer
ATTRIBUTE       Login-IP-Host           14      ipaddr
ATTRIBUTE       Login-Service           15      integer
ATTRIBUTE       Login-TCP-Port          16      integer
ATTRIBUTE       Reply-Message           18      string
ATTRIBUTE       Callback-Number         19      string
ATTRIBUTE       Callback-Id             20      string
ATTRIBUTE       Framed-Route            22      string
ATTRIBUTE       Framed-IPX-Network      23      ipaddr
ATTRIBUTE       State                   24      string
ATTRIBUTE       Session-Timeout         27      integer
ATTRIBUTE       Idle-Timeout            28      integer
ATTRIBUTE       Termination-Action      29      integer
ATTRIBUTE       Called-Station-Id       30      string
ATTRIBUTE       Calling-Station-Id      31      string
ATTRIBUTE       Acct-Status-Type        40      integer
ATTRIBUTE       Acct-Delay-Time         41      integer
ATTRIBUTE       Acct-Input-Octets       42      integer
ATTRIBUTE       Acct-Output-Octets      43      integer
ATTRIBUTE       Acct-Session-Id         44      string
ATTRIBUTE       Acct-Authentic          45      integer
ATTRIBUTE       Acct-Session-Time       46      integer
ATTRIBUTE       Acct-Terminate-Cause    49      integer
ATTRIBUTE       NAS-Port-Type           61      integer
ATTRIBUTE       Port-Limit              62      integer
</PRE>
</CODE></BLOCKQUOTE>
</P>
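<P>The following C program is an added example, not libpwdb's RADIUS module.
It parses <CODE>ATTRIBUTE</CODE> lines in the dictionary format listed above
and uses them to turn the attribute/value pairs of a RADIUS reply into
"Name=value" entries, which is what the text says the module does with the
server response. The dictionary subset and the reply bytes are constructed
for the example; the attribute encoding (one-byte type, one-byte length
covering the header, then the value) is RFC 2865's. The length checks are the
part worth copying: a reply whose length byte overruns the packet must stop
the walk rather than read past the buffer.</P>

```c
/* Added example, not libpwdb's RADIUS module. Parses ATTRIBUTE lines in the
 * Livingston dictionary format and uses them to name the attribute/value
 * pairs of a RADIUS reply. Dictionary subset and reply bytes are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

enum dtype { T_STRING, T_IPADDR, T_INTEGER, T_DATE, T_UNKNOWN };
struct attr { char name[32]; unsigned num; enum dtype type; };

/* Constructed subset of /etc/raddb/dictionary (same format as the listing). */
static const char *const dictionary[] = {
    "# comments and blank lines are skipped",
    "ATTRIBUTE       User-Name               1       string",
    "ATTRIBUTE       Service-Type            6       integer",
    "ATTRIBUTE       Framed-IP-Address       8       ipaddr",
    "ATTRIBUTE       Reply-Message           18      string",
    "ATTRIBUTE       Session-Timeout         27      integer",
    "",
    NULL,
};

static enum dtype parse_type(const char *s)
{
    if (!strcmp(s, "string"))  return T_STRING;
    if (!strcmp(s, "ipaddr"))  return T_IPADDR;
    if (!strcmp(s, "integer")) return T_INTEGER;
    if (!strcmp(s, "date"))    return T_DATE;
    return T_UNKNOWN;
}

/* Load ATTRIBUTE lines into `out`; other keywords (VALUE, ...) are ignored. */
int load_dictionary(struct attr *out, int max)
{
    int n = 0;
    for (int i = 0; dictionary[i]; i++) {
        char kw[16], name[32], type[16];
        unsigned num;
        if (sscanf(dictionary[i], "%15s %31s %u %15s", kw, name, &num, type) != 4)
            continue;                       /* comment, blank or malformed line */
        if (strcmp(kw, "ATTRIBUTE") != 0 || n >= max)
            continue;
        snprintf(out[n].name, sizeof out[n].name, "%s", name);
        out[n].num = num;
        out[n].type = parse_type(type);
        n++;
    }
    return n;
}

static const struct attr *find_attr(const struct attr *d, int nd, unsigned num)
{
    for (int i = 0; i < nd; i++)
        if (d[i].num == num)
            return &d[i];
    return NULL;
}

/* Decode RFC 2865 attribute/value pairs (type, length, value...) into
 * "Name=value" strings; attributes missing from the dictionary are skipped.
 * Returns the number of entries, or -1 on a malformed packet. */
int decode_avps(const struct attr *d, int nd, const uint8_t *p, size_t len,
                char out[][64], int max)
{
    int n = 0;
    while (len > 0) {
        if (len < 2)
            return -1;                      /* truncated header */
        unsigned type = p[0], alen = p[1];
        if (alen < 2 || alen > len)
            return -1;                      /* length byte would overrun the packet */
        const uint8_t *v = p + 2;
        size_t vlen = alen - 2;
        const struct attr *a = find_attr(d, nd, type);
        if (a && n < max) {
            switch (a->type) {
            case T_INTEGER:
            case T_DATE:
                if (vlen != 4) return -1;
                snprintf(out[n++], 64, "%s=%lu", a->name, (unsigned long)
                         (((uint32_t)v[0] << 24) | ((uint32_t)v[1] << 16) |
                          ((uint32_t)v[2] << 8) | v[3]));
                break;
            case T_IPADDR:
                if (vlen != 4) return -1;
                snprintf(out[n++], 64, "%s=%u.%u.%u.%u", a->name, (unsigned)v[0],
                         (unsigned)v[1], (unsigned)v[2], (unsigned)v[3]);
                break;
            default:                        /* string: bounded copy, never NUL-terminated on the wire */
                snprintf(out[n++], 64, "%s=%.*s", a->name,
                         (int)(vlen > 60 ? 60 : vlen), (const char *)v);
            }
        }
        p += alen;
        len -= alen;
    }
    return n;
}

/* Constructed Access-Accept attribute section: Service-Type=2 (Framed-User),
 * Framed-IP-Address=10.0.0.7, Reply-Message="Welcome", plus a type-99
 * attribute absent from the dictionary. */
static const uint8_t sample_reply[] = {
    6, 6, 0, 0, 0, 2,
    8, 6, 10, 0, 0, 7,
    18, 9, 'W', 'e', 'l', 'c', 'o', 'm', 'e',
    99, 3, 0xff,
};

int decode_sample(char out[][64], int max)
{
    struct attr d[32];
    int nd = load_dictionary(d, 32);
    return decode_avps(d, nd, sample_reply, sizeof sample_reply, out, max);
}

int main(void)
{
    char out[8][64];
    int n = decode_sample(out, 8);
    for (int i = 0; i < n; i++)
        printf("%s\n", out[i]);
    return 0;
}
```

<P>On the constructed reply this yields three entries,
<CODE>Service-Type=2</CODE>, <CODE>Framed-IP-Address=10.0.0.7</CODE> and
<CODE>Reply-Message=Welcome</CODE>; the unknown type 99 is skipped, and a reply
whose length byte exceeds the remaining packet is rejected instead of being
read.</P>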


<HR>
<A HREF="pwdb-5.html">Next</A>
<A HREF="pwdb-3.html">Previous</A>
<A HREF="pwdb.html#toc4">Contents</A>
</BODY>
</HTML>