<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.20">
<TITLE>The PWDB Library Guide: Supported modules</TITLE>
<LINK HREF="pwdb-5.html" REL=next>
<LINK HREF="pwdb-3.html" REL=previous>
<LINK HREF="pwdb.html#toc4" REL=contents>
</HEAD>
<BODY>
<A HREF="pwdb-5.html">Next</A>
<A HREF="pwdb-3.html">Previous</A>
<A HREF="pwdb.html#toc4">Contents</A>
<HR>
<H2><A NAME="s4">4.</A> <A HREF="pwdb.html#toc4">Supported modules</A></H2>

<P>PLEASE NOTE. Currently only a few of the group functions have been implemented.</P>

<H2><A NAME="ss4.1">4.1</A> <A HREF="pwdb.html#toc4.1">UNIX module</A> </H2>

<P>This section documents the current state of the UNIX module. From the point of view of the application, it is named "unix" and has the <CODE>pwdb_type</CODE> <CODE>PWDB_UNIX</CODE>.</P>

<P>Entries supported by the "user" class of the UNIX module are as follows:
<DL>
<DT><B><CODE>user</CODE></B><DD><P>- username</P>
<DT><B><CODE>uid</CODE></B><DD><P>- user-id</P>
<DT><B><CODE>gid</CODE></B><DD><P>- group-id</P>
<DT><B><CODE>passwd</CODE></B><DD><P>- encrypted password</P>
<DT><B><CODE>defer_pass</CODE></B><DD><P>- "U" unless set by another database</P>
<DT><B><CODE>gecos</CODE></B><DD><P>- user information</P>
<DT><B><CODE>dir</CODE></B><DD><P>- home directory</P>
<DT><B><CODE>shell</CODE></B><DD><P>- shell executable</P>
</DL>
</P>

<P>Entries supported by the "group" class of the UNIX module are as follows:
<DL>
<DT><B><CODE>group</CODE></B><DD><P>- group name</P>
<DT><B><CODE>gid</CODE></B><DD><P>- group-id</P>
<DT><B><CODE>passwd</CODE></B><DD><P>- encrypted password</P>
<DT><B><CODE>users</CODE></B><DD><P>- text list of user names separated by commas</P>
</DL>
</P>

<P>The <CODE>pwdb_request()</CODE> function call is only supported for the "group" class.
The two entries that may be requested are:
<DL>
<DT><B><CODE>groups</CODE></B><DD><P>- text list of group names separated by commas</P>
<DT><B><CODE>groupids</CODE></B><DD><P>- array of <CODE>gid_t</CODE> values that contain the numerical form of the "groups" entry.</P>
</DL>
Note that for such requests to be honored, the name of the user should already be contained in the <CODE>pwdb **</CODE> argument before the <CODE>pwdb_request()</CODE> call.</P>

<H2><A NAME="ss4.2">4.2</A> <A HREF="pwdb.html#toc4.2">Shadow module</A> </H2>

<P>This section documents the current implementation of the <EM>shadow</EM> database module.</P>

<P>The <EM>shadow</EM> module does not make any use of the <CODE>id</CODE> parameter. Since the shadow database does not contain such an entry, the only way of identifying a user is with a <CODE>name</CODE> argument. However, an <CODE>id</CODE> based lookup is possible if the <CODE>shadow</CODE> database is searched after a database that contains a user-uid mapping. In this case the "<CODE>user</CODE>" entry in the partially built <CODE>pwdb</CODE> structure is used to locate the appropriate entry in the shadow file.</P>

<P>The shadow module is designed to work in conjunction with a database that provides the standard <CODE>user-uid</CODE> mapping.
Note that on its own it does not provide sufficient information to support a user login session.</P>

<P>Entries supported by the "user" class of the shadow module are:
<DL>
<DT><B><CODE>user</CODE></B><DD><P>- username</P>
<DT><B><CODE>passwd</CODE></B><DD><P>- encrypted password</P>
<DT><B><CODE>last_change</CODE></B><DD><P>- date the password was last changed</P>
<DT><B><CODE>min_change</CODE></B><DD><P>- minimum period before the password can be changed again</P>
<DT><B><CODE>max_change</CODE></B><DD><P>- lifetime of the current password</P>
<DT><B><CODE>warn_change</CODE></B><DD><P>- number of days prior to expiry that the user should be warned</P>
<DT><B><CODE>defer_change</CODE></B><DD><P>- grace period before the password is finally invalid</P>
<DT><B><CODE>expire</CODE></B><DD><P>- date the account expires</P>
</DL>
</P>

<P>Entries supported by the "group" class of the shadow module are:
<DL>
<DT><B><CODE>group</CODE></B><DD><P>- group name</P>
<DT><B><CODE>passwd</CODE></B><DD><P>- encrypted group password</P>
<DT><B><CODE>users</CODE></B><DD><P>- text list of user names separated by commas (members of the group)</P>
<DT><B><CODE>admins</CODE></B><DD><P>- text list of user names separated by commas (administrators of the group)</P>
</DL>
</P>

<H2><A NAME="ss4.3">4.3</A> <A HREF="pwdb.html#toc4.3">NIS module</A> </H2>

<P>
<UL>
<LI>user removal is not possible (lack of documentation)</LI>
<LI>user creation is not possible (lack of documentation)</LI>
</UL>
</P>

<H2><A NAME="ss4.4">4.4</A> <A HREF="pwdb.html#toc4.4">DECNIS module</A> </H2>

<P>The decnis module allows use of some extensions to the basic NIS maps. The two extensions currently supported are the Solaris passwd.adjunct and the Digital Equipment Corp prpasswd maps. Both of these are shadow password schemes for basic (non-secure) NIS. The Solaris support is untested. This option encompasses the NIS option, and the decnis option should replace the standard nis option in the pwdb.conf file.
In the event of a user not having a shadow NIS password entry, the result should be identical to that returned by the NIS module above.</P>

<P><EM>Warning 1:</EM> Support for many of the extensions (password expiry, lifetime, account locking etc.) is not present in this version. Just raw authentication.</P>

<P><EM>Warning 2:</EM> Clustering your Linux boxes with this software will reduce the security level of your NIS server/cluster. Users may have access to the encrypted passwords of other users.</P>

<P>
<UL>
<LI>user removal is not possible (lack of documentation)</LI>
<LI>user creation is not possible (lack of documentation)</LI>
</UL>
</P>

<H2><A NAME="ss4.5">4.5</A> <A HREF="pwdb.html#toc4.5">RADIUS module</A> </H2>

<P>The RADIUS module acts only as a user validation mechanism. The official Livingston radiusd 2.0 is supported, but in order to take advantage of all the information and auth tokens the RADIUS server can provide, a session PAM module should be written and stacked over pam_unix.</P>

<P>The following should be taken into consideration when writing applications that authenticate to a RADIUS server:</P>

<P>
<UL>
<LI>the pwdb group functions are not supported (RADIUS does not have this concept)</LI>
<LI>Other than checking username/password pairs, the radius module cannot be used alone with the stock radiusd server to handle the user login without a suitable RADIUS client (for example, there is no way to get a UID for a user).
<P>However, with a few hacks to the radius server and proper modification of the <CODE>/etc/raddb/dictionary</CODE> file this module uses, a NIS-like environment could be achieved. Full documentation on how to achieve this will be added later.</P>
</LI>
<LI>All radius module functions that access the remote server require the presence of the "pass_phrase" pwdb entry, which contains the user password in <EM>clear text</EM>.
The radius module will destroy this information as soon as it can dispose of it, so an application can assume that after a call to a function in the radius module which returned <CODE>PWDB_SUCCESS</CODE>, the pass_phrase entry has been wiped out.
</LI>
<LI>When updating a RADIUS user password, one should supply <B>both</B> the <CODE>pass_phrase</CODE> and <CODE>passwd</CODE> entries in <EM>clear text</EM>. By convention, <CODE>pass_phrase</CODE> contains the old password (which the RADIUS server requires to authenticate the user) and the <CODE>passwd</CODE> entry contains the new password. One should be very careful about this issue, as other modules used before RADIUS authentication may set the value of the <CODE>passwd</CODE> entry, and the application should make sure that the clear text password is what is passed to the RADIUS module when changing the password. The RADIUS module will wipe out both the <CODE>pass_phrase</CODE> and <CODE>passwd</CODE> entries, so the application cannot rely on the validity of either of those entries in the pwdb structure after a call to the update function of the RADIUS module.
<P>Note that the RADIUS server must permit changing of user passwords. If the RADIUS server does not accept changing user passwords, a PWDB_TIMEOUT will occur.</P>
</LI>
<LI>The password update is the <B>only</B> function supported by the RADIUS update function.</LI>
</UL>
</P>

<P>Entries supported by this database are set according to the definitions in the <CODE>/etc/raddb/dictionary</CODE> file. Three entries have a special meaning when calling the RADIUS functions: <CODE>user</CODE>, <CODE>passwd</CODE> and <CODE>pass_phrase</CODE>. The <CODE>passwd</CODE> and <CODE>pass_phrase</CODE> entries will be wiped out by the RADIUS functions as soon as the module can dispose of them.
The response from the RADIUS server is processed and entries are set in the <CODE>pwdb</CODE> structure according to the names from the dictionary file.</P>

<P>A sample <CODE>RADIUS dictionary</CODE> entry list is provided here, valid for Livingston RADIUSD 2.0:</P>

<P>
<BLOCKQUOTE><CODE>
<PRE>
#---------------------------------------------------------------------------
#
#       @(#)dictionary  1.3  10/1/96  Copyright 1991 Livingston Enterprises Inc
#
#---------------------------------------------------------------------------
#
#       This file contains dictionary translations for parsing
#       requests and generating responses.  All transactions are
#       composed of Attribute/Value Pairs.  The value of each attribute
#       is specified as one of 4 data types.  Valid data types are:
#
#       string  - 0-253 octets
#       ipaddr  - 4 octets in network byte order
#       integer - 32 bit value in big endian order (high byte first)
#       date    - 32 bit value in big endian order - seconds since
#                 00:00:00 GMT, Jan. 1, 1970
#
ATTRIBUTE       User-Name               1       string
ATTRIBUTE       Password                2       string
ATTRIBUTE       CHAP-Password           3       string
ATTRIBUTE       NAS-IP-Address          4       ipaddr
ATTRIBUTE       NAS-Port                5       integer
ATTRIBUTE       Service-Type            6       integer
ATTRIBUTE       Framed-Protocol         7       integer
ATTRIBUTE       Framed-IP-Address       8       ipaddr
ATTRIBUTE       Framed-IP-Netmask       9       ipaddr
ATTRIBUTE       Framed-Routing          10      integer
ATTRIBUTE       Filter-Id               11      string
ATTRIBUTE       Framed-MTU              12      integer
ATTRIBUTE       Framed-Compression      13      integer
ATTRIBUTE       Login-IP-Host           14      ipaddr
ATTRIBUTE       Login-Service           15      integer
ATTRIBUTE       Login-TCP-Port          16      integer
ATTRIBUTE       Reply-Message           18      string
ATTRIBUTE       Callback-Number         19      string
ATTRIBUTE       Callback-Id             20      string
ATTRIBUTE       Framed-Route            22      string
ATTRIBUTE       Framed-IPX-Network      23      ipaddr
ATTRIBUTE       State                   24      string
ATTRIBUTE       Session-Timeout         27      integer
ATTRIBUTE       Idle-Timeout            28      integer
ATTRIBUTE       Termination-Action      29      integer
ATTRIBUTE       Called-Station-Id       30      string
ATTRIBUTE       Calling-Station-Id      31      string
ATTRIBUTE       Acct-Status-Type        40      integer
ATTRIBUTE       Acct-Delay-Time         41      integer
ATTRIBUTE       Acct-Input-Octets       42      integer
ATTRIBUTE       Acct-Output-Octets      43      integer
ATTRIBUTE       Acct-Session-Id         44      string
ATTRIBUTE       Acct-Authentic          45      integer
ATTRIBUTE       Acct-Session-Time       46      integer
ATTRIBUTE       Acct-Terminate-Cause    49      integer
ATTRIBUTE       NAS-Port-Type           61      integer
ATTRIBUTE       Port-Limit              62      integer
</PRE>
</CODE></BLOCKQUOTE>
</P>
<HR>
</BODY>
</HTML>
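<P>The shadow module entries of section 4.2 above, worked through as an added example (Python, not part of the PWDB library or of this guide): a hypothetical helper that loads one <CODE>/etc/shadow</CODE> record into those entries and evaluates password aging (warning, grace period, expiry) from <CODE>last_change</CODE>, <CODE>min_change</CODE>, <CODE>max_change</CODE>, <CODE>warn_change</CODE>, <CODE>defer_change</CODE> and <CODE>expire</CODE>. The function names and the sample record are assumptions.</P>

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical helper (not libpwdb): the shadow "user" class entries as a record.
# Day counts are days since 1970-01-01, as in /etc/shadow; an empty field is None.
@dataclass
class ShadowUser:
    user: str
    passwd: str
    last_change: Optional[int] = None   # date password was last changed
    min_change: Optional[int] = None    # minimum period before it can be changed
    max_change: Optional[int] = None    # lifetime of the current password
    warn_change: Optional[int] = None   # days before expiry to start warning
    defer_change: Optional[int] = None  # grace period before password is finally invalid
    expire: Optional[int] = None        # date the account expires

def from_shadow_line(line: str) -> ShadowUser:
    """Build the entries from one colon-separated /etc/shadow record."""
    f = line.rstrip("\n").split(":")
    if len(f) < 8:
        raise ValueError("malformed shadow record")
    return ShadowUser(f[0], f[1], *[int(x) if x else None for x in f[2:8]])

def password_status(u: ShadowUser, today: int) -> str:
    """Return ok, warn, grace-period, password-expired or account-expired."""
    if u.expire is not None and today >= u.expire:
        return "account-expired"
    if u.last_change is None or u.max_change is None:
        return "ok"                       # no aging information: never expires
    expires_on = u.last_change + u.max_change
    if today >= expires_on:
        if u.defer_change is not None and today < expires_on + u.defer_change:
            return "grace-period"         # still accepted, but must be changed now
        return "password-expired"
    if u.warn_change is not None and today >= expires_on - u.warn_change:
        return "warn"
    return "ok"

def may_change_password(u: ShadowUser, today: int) -> bool:
    """min_change blocks another change until that many days have passed."""
    if u.last_change is None or u.min_change is None:
        return True
    return today - u.last_change >= u.min_change

# Constructed record: changed on day 19900, min 5, lifetime 90, warn 7, grace 14,
# account expiry on day 20100.
SAMPLE = from_shadow_line("alice:$6$xyz$hash:19900:5:90:7:14:20100:")
```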
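<P>How a RADIUS reply becomes named pwdb entries via the dictionary, as an added example in Python (not part of the PWDB library or of radiusd): it parses <CODE>ATTRIBUTE</CODE> lines in the format of the sample above and decodes a constructed type/length/value attribute list into entries keyed by dictionary name, refusing lengths that run past the buffer. The function names and the sample packet are assumptions.</P>

```python
import struct
from ipaddress import IPv4Address
# Constructed dictionary excerpt in the Livingston format shown above (not the full file).
DICTIONARY = """\
# comment and blank lines are ignored
ATTRIBUTE User-Name         1  string
ATTRIBUTE Password          2  string
ATTRIBUTE Framed-IP-Address 8  ipaddr
ATTRIBUTE Reply-Message    18  string
ATTRIBUTE Session-Timeout  27  integer
"""

def parse_dictionary(text: str) -> dict:
    """Map attribute number -> (name, data type) from the ATTRIBUTE lines."""
    attrs = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 4 and fields[0] == "ATTRIBUTE":
            attrs[int(fields[2])] = (fields[1], fields[3])
    return attrs

def decode_value(dtype: str, raw: bytes):
    """Interpret the value octets according to the four dictionary data types."""
    if dtype == "string":
        return raw.decode("utf-8", "replace")
    if dtype == "ipaddr" and len(raw) == 4:
        return str(IPv4Address(raw))
    if dtype in ("integer", "date") and len(raw) == 4:
        return struct.unpack("!I", raw)[0]   # big endian; date is seconds since epoch
    raise ValueError(f"bad {dtype} value of {len(raw)} octets")

def decode_avps(blob: bytes, attrs: dict) -> dict:
    """Walk a reply's type/length/value list into entries named from the dictionary."""
    entries, pos = {}, 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("attribute length runs past the packet")
        raw, pos = blob[pos + 2:pos + alen], pos + alen
        if atype in attrs:                   # unknown attribute numbers are skipped
            name, dtype = attrs[atype]
            entries[name] = decode_value(dtype, raw)
    return entries

avp = lambda t, v: bytes([t, 2 + len(v)]) + v   # encode one type/length/value pair

# Constructed Access-Accept attribute list; attribute 99 is not in the dictionary.
SAMPLE = (avp(8, IPv4Address("10.0.0.5").packed) + avp(27, struct.pack("!I", 3600))
          + avp(18, b"Welcome") + avp(99, b"ignored"))
```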