# `pamldapd` Simple LDAP server, uses PAM as backend ## Getting Started ### Download and Build . Clone a repository $ git clone https://github.com/eisin/pamldapd $ cd pamldapd . Build $ yum install -y gcc golang pam-devel $ go get github.com/msteinert/pam $ go get github.com/nmcclain/asn1-ber $ go get github.com/nmcclain/ldap $ go build -a src/pamldapd.go . Install to PATH directory (optional) copy x86-64 binary to bin directory: $ sudo install pamldapd-x86-64 /usr/bin/pamldapd . Prepare configuration file $ cp pamldapd.json.example pamldapd.json $ vi pamldapd.json ### Start `pamldapd` While pamldapd uses PAM authentication, root privilege is required. $ pamldapd -h Usage of pamldapd: -c string Configuration file (default "pamldapd.json") -l string Log file (STDOUT if blank) Start using configuration file, puts messages to STDOUT # pamldapd -c pamldapd.json Start using configuration file, puts messages to a log file # pamldapd -c pamldapd.json -l /var/log/pamldapd.log ## Configuration Example Configuration: { "listen": "127.0.0.1:10389", "pamServicename": "password-auth", "peopledn": "ou=people,dc=example,dc=com", "groupsdn": "ou=groups,dc=example,dc=com", "bindadmindn": "uid=user,dc=example,dc=com", "bindadminpassword": "password" } `listen` :: Listen IP address and port like `0.0.0.0:0000` `pamservicename` :: PAM authentication requires service-name like `login`, `su`. You can choose existing service or create a new. Existing service can be seen typing `ls /etc/pam.d/` For more service, see http://www.linux-pam.org/Linux-PAM-html/sag-configuration-file.html `peopledn` :: Specify base distinguish name of users. `groupsdn` :: Specify base distinguish name of groups. `bindadmindn` :: Specify distinguish name of administrator account. `bindadminpassword` :: Specify password of administrator account. ## LDAP tree structure example Tree structure of example configuration file `pamldapd.json.example` dc=com dc=example ou=people uid=user objectClass=posixAccount cn=user uidNumber=501 gidNumber=501 homeDirectory=/home/user givenName=User uid=user2 objectClass=posixAccount : : ou=groups cn=user objectClass=posixGroup cn=user gidNumber=501 memberUid=501 cn=user2 objectClass=posixGroup : : uid=adminuser ## Restriction While `pamldapd` uses PAM as authentication, some restrictions exist. * When search operations, filter can be almost two patterns: `(&(uid=user)(objectClass=posixAccount))` or `(&(memberUid=user)(objectClass=posixgroup))` ** Must be included `objectclass` , like `(objectclass=posixAccount)` or `(objectclass=posixGroup)` . Other than that, for example `(objectclass=*)`, it will fail. ** Must be identified one record by specifying username attribute. Enumeration is not supported. * When search operation, an entry does not have `unixpassword` attribute.