[Fusionforge-general] NSS

Christian BAYLE bayle at debian.org
Wed Dec 16 00:08:50 CET 2009


Hello

You may find useful the small, probably a bit outdated explanations I
wrote a long time ago in
https://fusionforge.org/scm/viewvc.php/trunk/gforge/docs/README.NSS-pgsql?root=fusionforge&view=markup
You may need to adjust the SQL query in

/etc/nss-pgsql.conf
### NSS Configuration for fforge
#----------------- DB connection
connectionstring = user=gforge_nss dbname=gforge

#----------------- NSS queries
getpwnam        = SELECT login AS username,passwd,gecos,('/var/lib/gforge/chroot/home/users/' || login) AS homedir,shell,uid,gid FROM nss_passwd WHERE login = $1
getpwuid        = SELECT login AS username,passwd,gecos,('/var/lib/gforge/chroot/home/users/' || login) AS homedir,shell,uid,gid FROM nss_passwd WHERE uid = $1
#allusers        = SELECT login AS username,passwd,gecos,('/var/lib/gforge/chroot/home/users/' || login) AS homedir,shell,uid,gid FROM nss_passwd
getgroupmembersbygid = SELECT login AS username FROM nss_passwd WHERE gid = $1
getgrnam = SELECT name AS groupname,'x',gid,ARRAY(SELECT user_name FROM nss_usergroups WHERE nss_usergroups.gid = nss_groups.gid) AS members FROM nss_groups WHERE name = $1
getgrgid = SELECT name AS groupname,'x',gid,ARRAY(SELECT user_name FROM nss_usergroups WHERE nss_usergroups.gid = nss_groups.gid) AS members FROM nss_groups WHERE gid = $1
#allgroups = SELECT name AS groupname,'x',gid,ARRAY(SELECT user_name FROM nss_usergroups WHERE nss_usergroups.gid = nss_groups.gid) AS members FROM nss_groups
groups_dyn = SELECT ug.gid FROM nss_usergroups ug, nss_passwd p WHERE ug.uid = p.uid AND p.login = $1 AND ug.gid <> $2

and
/etc/nss-pgsql-root.conf

### NSS Configuration for fforge
#----------------- DB connection
shadowconnectionstring = user=gforge_nss dbname=gforge

#----------------- NSS queries
shadowbyname    = SELECT login AS shadow_name, passwd AS shadow_passwd, 14087 AS shadow_lstchg, 0 AS shadow_min, 99999 AS shadow_max, 7 AS shadow_warn, '' AS shadow_inact, '' AS shadow_expire, '' AS shadow_flag FROM nss_passwd WHERE login = $1
shadow          = SELECT login AS shadow_name, passwd AS shadow_passwd, 14087 AS shadow_lstchg, 0 AS shadow_min, 99999 AS shadow_max, 7 AS shadow_warn, '' AS shadow_inact, '' AS shadow_expire, '' AS shadow_flag FROM nss_passwd


You will know NSS works when you get something like this

ls -al /var/lib/gforge/chroot/home/groups
total 28
drwxr-xr-x 7 root       root       4096 mar 26  2009 .
drwxr-xr-x 4 root       root       4096 fév  5  2009 ..
drwxrwsr-x 5 scm-gforge newsadmin  4096 fév  5  2009 newsadmin
drwxrws--x 5 scm-gforge peerrating 4096 fév  5  2009 peerrating
drwxrwsr-x 5 scm-gforge siteadmin  4096 fév  5  2009 siteadmin
drwxrws--x 5 scm-gforge stats      4096 fév  5  2009 stats
drwxrwsr-x 5 scm-gforge testchris  4096 mar 26  2009 testchris

Some tricks:
stop nscd with
 /etc/init.d/nscd stop
during the test.
Try to make the SQL query manually using the user and passwd defined in the
config files; you may have to adjust psql rights in pg_hba.conf

getent group siteadmin
should return
siteadmin:x:10001:{}

you can also try to:
 strace getent group siteadmin
to guess what's wrong

Cheers,

hope this helps

Christian

Evert Lammerts wrote:
> Hi list,
> 
> I've noticed that projects having anonymous access disabled on my FusionForge 4.8.2, can still be (svn) checked out by developers of other projects, and I've been told that nss through pgsql can fix this.
> 
> How can I prevent this from happening? Do I really need to enable nss over pgsql? Are there other (de facto standard) ways of doing this?
> 
> If NSS is the way to go, see below my setup and details on what I've tried so far.
> 
> My install on CentOS 5.0:
> $ yum install php
> $ php gforge-install-1-deps.php
> $ php gforge-install-2.php h1445603.stratoserver.net apache apache
> $ php gforge-install-3-db.php
> # DB installation log in /tmp/gforge-import.log
> 
> Mailman is set-up and works with postfix, httpd works fine as well and the cron jobs are running. Actually, all seems to work but nss-pgsql.
> 
> I've downloaded, compiled and installed the libnss_pgsql 1.4.0 (http://pgfoundry.org/projects/sysauth/). After that I edited /etc/nsswitch.conf to include:
> passwd: files pgsql
> group: files pgsql
> 
> And I copied the bundled fusionforge nss-pgsql.conf.example to /etc/nss-pgsql.conf, in which I've put the pgsql socket.
> 
> However, I can't su to FF users or ssh to the machine using one of the FF accounts, and no entries mentioning nss-pgsql show up in /var/log/secure.
> 
> Help is very much appreciated!
> 
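
The checks discussed in this thread, as an added example that is not part of the original messages or of FusionForge: it verifies that nsswitch.conf lists pgsql for a database and that an nss-pgsql config defines each query on one line. The function names are hypothetical, the sample queries are shortened, and the one-setting-per-line rule is an assumption about the libnss-pgsql config reader.

```shell
#!/bin/sh
# nsswitch_has_pgsql FILE DB: succeeds if DB's line (e.g. passwd) lists pgsql.
nsswitch_has_pgsql() {
    awk -v db="$2" '
        { sub(/#.*/, "") }                     # strip trailing comments
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "pgsql") ok = 1 }
        END { exit !ok }
    ' "$1"
}

# check_conf FILE "REQUIRED KEYS" "OPTIONAL KEYS": prints "missing KEY" for each
# required setting that is absent and "stray line N" for each line that is not
# blank, a comment, or "KEY = value" with a known KEY (e.g. a wrapped query).
check_conf() {
    awk -v req="$2" -v opt="$3" '
        BEGIN { n = split(req, r, " "); for (i = 1; i <= n; i++) known[r[i]] = 1
                m = split(opt, o, " "); for (i = 1; i <= m; i++) known[o[i]] = 1 }
        /^[ \t]*(#|$)/ { next }
        {
            key = $0
            sub(/^[ \t]+/, "", key); sub(/[ \t]*=.*/, "", key)
            if ($0 ~ /=/ && (key in known)) seen[key] = 1
            else printf "stray line %d\n", NR
        }
        END { for (i = 1; i <= n; i++) if (!(r[i] in seen)) printf "missing %s\n", r[i] }
    ' "$1"
}

# Setting names as they appear in the /etc/nss-pgsql.conf quoted in this thread.
NSS_REQ="connectionstring getpwnam getpwuid getgroupmembersbygid getgrnam getgrgid groups_dyn"
NSS_OPT="allusers allgroups"

# Constructed sample: one mail-wrapped query (line 6) and no getgrgid setting.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'passwd: files pgsql' 'group: files  # pgsql' > "$d/nsswitch.conf"
    printf '%s\n' '# sample' 'connectionstring = user=gforge_nss dbname=gforge' \
        'getpwnam = SELECT login AS username FROM nss_passwd WHERE login = $1' \
        'getpwuid = SELECT login AS username FROM nss_passwd WHERE uid = $1' \
        'getgroupmembersbygid = SELECT login AS username FROM nss_passwd WHERE' \
        'gid = $1' \
        'getgrnam = SELECT name AS groupname FROM nss_groups WHERE name = $1' \
        'groups_dyn = SELECT ug.gid FROM nss_usergroups ug WHERE ug.gid <> $2' > "$d/nss.conf"
    nsswitch_has_pgsql "$d/nsswitch.conf" passwd && echo "passwd: pgsql listed"
    nsswitch_has_pgsql "$d/nsswitch.conf" group || echo "group: pgsql NOT listed"
    check_conf "$d/nss.conf" "$NSS_REQ" "$NSS_OPT"
    rm -rf "$d"
}
demo
```

On a real host, run the two functions against /etc/nsswitch.conf and /etc/nss-pgsql.conf before moving on to the getent test.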




