User Management with Postgres

From Tuxfutter


This page describes how to extend the Linux user management that is based on the files /etc/passwd, /etc/shadow and /etc/group so that users and groups can also be kept in a PostgreSQL database.

This was tested on a Debian Sid GNU/Linux system.

Further information (columns) can of course be added to the database tables.


Database tables

-- groups: one row per group; gid is the numeric group id handed to NSS
CREATE TABLE groups (
        gid serial NOT NULL,
        name character varying(16) NOT NULL UNIQUE,   -- group names must be unique for getgrnam()
        descr character varying,
        passwd character varying(20),
        PRIMARY KEY ("gid")
);
-- accounts: one row per user; login is the key both NSS and PAM look up by
CREATE TABLE accounts (
        uid serial NOT NULL UNIQUE,
        gid int4 NOT NULL REFERENCES groups(gid),      -- primary group
        login character varying(8) NOT NULL,
        -- a crypt(3) string does not fit in 30 characters (a sha512-crypt hash
        -- is about 106), so this column is left unbounded
        passwd character varying NOT NULL,
        shell character varying DEFAULT '/bin/bash' NOT NULL,
        homedir character varying NOT NULL,
        pwdexpire timestamp,
        enabled bool DEFAULT 't' NOT NULL,
        deleted bool DEFAULT 'f' NOT NULL,
        gecos varchar(64),
        PRIMARY KEY ("login")
);
-- usergroups: supplementary group memberships (n:m between accounts and groups)
CREATE TABLE usergroups (
        gid int4 NOT NULL,
        uid int4 NOT NULL,
        PRIMARY KEY (gid, uid),
        CONSTRAINT ug_gid_fkey FOREIGN KEY (gid) REFERENCES groups(gid),
        CONSTRAINT ug_uid_fkey FOREIGN KEY (uid) REFERENCES accounts(uid)
);
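The following is an added example, not part of the original page or of the nss-pgsql project: it populates the schema above with constructed sample data and gives the NSS module a least-privilege view of it. It assumes the three tables exist in the database `benutzer` used in the configuration below and that the `passwd` column is wide enough for a crypt(3) string (a sha512-crypt hash is about 106 characters, so `character varying(30)` has to be widened). The role `nss_lookup`, the view `nss_passwd`, the users and groups and the `$6$` placeholder hash are all made up for this example.

```sql
-- Added example (not from the page): least-privilege NSS access plus sample data.
-- Assumptions: tables groups/accounts/usergroups from above exist; the role and
-- view names below are chosen for this example.

-- A dedicated login role for NSS lookups. Its password ends up in
-- /etc/nss-pgsql.conf, which every process doing name lookups reads, so the
-- role must be able to do nothing but read public account attributes.
CREATE ROLE nss_lookup LOGIN PASSWORD 'change-me';

-- Anything in the passwd map is returned by `getent passwd` to every local
-- user, so never hand NSS the real hash column: the view returns 'x', as
-- /etc/passwd does when /etc/shadow is in use. Deleted accounts are hidden.
CREATE VIEW nss_passwd AS
    SELECT uid, gid, login, 'x'::character varying AS passwd,
           shell, homedir, gecos
      FROM accounts
     WHERE NOT COALESCE(deleted, false);

GRANT SELECT ON nss_passwd, groups, usergroups TO nss_lookup;
-- deliberately no GRANT on accounts: the hash column stays out of reach

-- Constructed sample data: two groups, one account, one supplementary membership.
INSERT INTO groups (name, descr) VALUES ('staff', 'example staff group');
INSERT INTO groups (name, descr) VALUES ('wheel', 'example admin group');

-- The hash is a placeholder. Generate a real one outside the database, e.g.
-- with `openssl passwd -6`, and store the whole crypt(3) string; pgcrypto's
-- crypt() only produces DES, MD5-crypt and bcrypt hashes.
INSERT INTO accounts (gid, login, passwd, homedir, gecos)
    SELECT gid, 'alice', '$6$PLACEHOLDERSALT$PLACEHOLDERHASH', '/home/alice', 'Alice Example'
      FROM groups WHERE name = 'staff';

INSERT INTO usergroups (gid, uid)
    SELECT g.gid, a.uid FROM groups g, accounts a
     WHERE g.name = 'wheel' AND a.login = 'alice';

-- What the module's groupmembertable join resolves for `getent group wheel`:
SELECT g.name, g.gid, p.login
  FROM nss_passwd p
  JOIN usergroups ug ON p.uid = ug.uid
  JOIN groups g ON ug.gid = g.gid
 WHERE g.name = 'wheel';
```

To use the view, point `passwdtable` in nss-pgsql.conf at `nss_passwd` and replace `accounts` with `nss_passwd` in the `groupmembertable` expression; the `login` role there becomes `nss_lookup`. Authentication is unaffected, because PAM reads the hash directly from `accounts` with its own credentials.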

nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
#
# extended with example entries using the nss-pgsql module.

# compat serves the local files first; the default action on NOTFOUND is
# already "continue", so the explicit [NOTFOUND=continue] is redundant but
# harmless. shadow stays on compat only: hashes are never fetched from the
# database through NSS, authentication against the database is PAM's job.
passwd:         compat [NOTFOUND=continue] pgsql
group:          compat [NOTFOUND=continue] pgsql
shadow:         compat

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

nss-pgsql.conf

# example configfile for PostgreSQL NSS module (/etc/nss-pgsql.conf)

# these are entries as used with the BOFHMS tool (sf.net/projects/bofhms)
# Every process that resolves a user or group name loads this file, so unless
# all lookups are proxied through nscd it has to be readable by every local
# user and the credentials in it are not secret. Use a dedicated role that can
# only read the tables below, never the postgres superuser as in this example.
host            = 127.0.0.1
port            = 5432
database        = benutzer
login           = postgres
passwd          = foo
passwdtable     = accounts
grouptable      = groups
# you can use anything postgres accepts as table expression
groupmembertable = accounts JOIN usergroups ON accounts.uid=usergroups.uid JOIN groups ON usergroups.gid=groups.gid
passwd_name     = login
# The column mapped here is returned by `getent passwd` to every local user.
# With shadow served by compat only (see nsswitch.conf above), mapping the
# real hash column publishes every hash; map a column or expression that
# yields a placeholder such as 'x' instead and let PAM read the hash.
passwd_passwd   = passwd
passwd_uid      = uid
passwd_dir      = homedir
passwd_shell    = shell

passwd_gecos    = gecos
passwd_gid      = gid
group_name      = name
group_passwd    = passwd
group_gid       = gid
group_member    = login

PAM

For each service that should use the module, edit the corresponding /etc/pam.d/<service> file (or /etc/pam.conf) and add the relevant lines.

/etc/pam.conf

The module serves the auth, account and password management groups. The lines are shown in /etc/pam.d/<service> format; in /etc/pam.conf itself every line is additionally prefixed with the service name as its first field:

auth        required    pam_pgsql.so
account     required    pam_pgsql.so
password    required    pam_pgsql.so

With `required` as the only module in a stack, users that exist only in /etc/passwd (root included) can no longer authenticate through that service. For a mixed setup list pam_pgsql as `sufficient` in front of pam_unix, as in the passwd example below.

/etc/pam.d/passwd

/etc/pam.d/passwd is what lets users change their own passwords.

Add the following line to /etc/pam.d/passwd:

password   sufficient pam_pgsql.so

This line goes before the following line, which is already in the file:

password   required   pam_unix.so obscure min=4 max=8

For users found in the database pam_pgsql changes the password and the stack stops there; for everyone else it fails and pam_unix handles the change as before. `obscure`, `min` and `max` are pam_unix arguments and do not belong on the pam_pgsql line. `use_first_pass` only makes sense when a module earlier in the stack has already collected the password, so it is omitted here, where pam_pgsql is the first module.

/etc/pam_pgsql.conf

Configure the database and table the module should use in the configuration file /etc/pam_pgsql.conf. The following example comes with the module's documentation; its table and column names are its own and do not match the schema above (there the table is accounts, the user column login and the password column passwd).

# /etc/pam_pgsql.conf: holds the database credentials, so keep it root-owned, mode 0600
database = sysdb
user = ljb
table = account
user_column = user_name
pwd_column = user_password
expired_column = acc_expired
newtok_column = acc_new_pwreq
# without pw_type the module defaults to 'clear', i.e. plaintext passwords
pw_type = crypt
debug

Note that for backwards compatibility with earlier versions, options specified in the configuration file can be supplied as module arguments as well. Module arguments will override the configuration file.

    database            - the database which should be connected to
    table               - the table containing the authentication data
    user                - the username used when connecting to PostgreSQL
    password            - the password for the user specified
    user_column         - the column containing usernames
    pwd_column          - the column containing the passwords
    expired_column      - this column should contain '1' or 'y' if the account
                          has expired
    newtok_column       - this column should contain '1' or 'y' if the user
                          needs to change their password
    debug               - this is a standard module option that will enable
                          debug output to syslog (takes no values)
    pw_type             - specifies the password encryption scheme, can be one
                          of 'clear', 'md5', or 'crypt'. defaults to 'clear'.

'clear' stores and compares plaintext passwords and must not be used in production; 'crypt' stores a salted crypt(3) string and verifies it with the system crypt(3), so any hash type the system libcrypt supports (e.g. $6$ sha512-crypt) works. Since the file carries the database password, it should be owned by root with mode 0600.
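The module's example above does not fit the schema from the start of the page: pam_pgsql expects `expired_column` and `newtok_column` to contain '1' or 'y', while the schema stores a bool (`enabled`, `deleted`) and a timestamp (`pwdexpire`). The following added example (not from the page or the pam_pgsql project) bridges that with a view and gives PAM its own database role. It assumes the tables from above, a PostgreSQL version with auto-updatable views (9.3 or later), and the role name `pam_auth` and view name `pam_accounts`, both invented here.

```sql
-- Added example (not from the page): present the schema above in the form
-- pam_pgsql expects and give the PAM module its own role.
-- Assumptions: tables groups/accounts/usergroups exist; PostgreSQL 9.3+ so the
-- view is auto-updatable; role/view names are chosen for this example.

-- expired_column / newtok_column are read as '1' or 'y'. The CASE columns map
-- the bool and timestamp columns to that convention. passwd stays a plain
-- column reference, so the module's UPDATE on password change still reaches
-- the base table through the view.
CREATE VIEW pam_accounts AS
    SELECT login,
           passwd,
           CASE WHEN NOT enabled OR COALESCE(deleted, false)
                THEN '1' ELSE '0' END AS acc_expired,
           CASE WHEN pwdexpire IS NOT NULL AND pwdexpire <= now()
                THEN '1' ELSE '0' END AS acc_new_pwreq
      FROM accounts;

-- PAM runs as root (login, sshd, the setuid passwd binary) and has to see
-- the hash, so it gets a role of its own. Its password lives in
-- /etc/pam_pgsql.conf, which must be root-only (mode 0600).
CREATE ROLE pam_auth LOGIN PASSWORD 'change-me';
GRANT SELECT ON pam_accounts TO pam_auth;
GRANT UPDATE (passwd) ON pam_accounts TO pam_auth;   -- password changes only

-- Matching /etc/pam_pgsql.conf, using the keys documented above:
--   database = benutzer
--   user = pam_auth
--   password = change-me
--   table = pam_accounts
--   user_column = login
--   pwd_column = passwd
--   expired_column = acc_expired
--   newtok_column = acc_new_pwreq
--   pw_type = crypt

-- What the module sees for a given login (constructed name):
SELECT login, acc_expired, acc_new_pwreq
  FROM pam_accounts
 WHERE login = 'alice';
```

Disabling an account (`enabled = false`) or flagging it deleted now makes pam_pgsql's account check fail, and a `pwdexpire` in the past forces a password change at the next login, without any change to the module's configuration.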

Mail

Postfix (whose SMTP AUTH runs through saslauthd) and QPopper need no further changes to their configuration files, because they authenticate through PAM as well and therefore pick up the database users automatically.

Local documentation

  • /usr/share/doc/libnss-pgsql1/
  • /usr/share/doc/libpam-pgsql/

Links

Documentation for libnss

Documentation for Postfix with PAM
