example_configs: Update PAM integration

* Add more information for PAM integration:

* Add info that custom attributes only work on nightly
* Add sample lldap-cli command to set attribute

* Modify nslcd to use unix-uid/gid directly as it is now supported

* Add readme for PAM integration, removing the need for is-unix-user/group.

example_configs/pam/README.md

@@ -1,3 +1,7 @@
+> [!IMPORTANT]
+> The integration requires custom ldap properties which are not supported on
+> stable (as of 2024-09-19), please use nightly/latest tag.
+
 # Configure lldap
 
 You MUST use LDAPS. You MUST NOT use plain ldap. Even over a private network
@@ -42,13 +46,16 @@ The provided implementation uses custom attributes to mark users and groups
 that should be included in the system (for instance, you don't want LDAP
 accounts of other services to have a matching unix user).
 
-For users, you need to add an (integer) `is-unix-user` attribute, set manually
+> [!TIP]
-to 1 for the users you want to enable. This could also be implemented as a
+> You can create custom attributes in the Web UI, but to provide values, you
-group membership.
+> need to communicate with the API, see [scripting]. Example using lldap-cli:
+> `./lldap-cli user update set example-user unix-uid 5000`
 
-For groups, you need an (integer) `is-unix-group` attribute, similarly set to 1
+For users, you need to add an (integer) `unix-uid` attribute to the schema, and
-(this cannot be replaced by group membership until LLDAP supports nested group
+manually set the value for the users you want to enable to login with PAM.
-memberships).
+
+For groups, you need an (integer) `unix-gid` attribute, similarly set manually
+to some value.
 
 If you want to change this representation, update the `filter passwd` and
 `filter group` accordingly.
@@ -87,3 +94,6 @@ You're done!
 ## Clearing nscd caches.
 
 If you want to manually clear nscd's caches, run `nscd -i passwd; nscd -i group`.
+
+[scripting]: https://github.com/lldap/lldap/blob/main/docs/scripting.md
+

example_configs/pam/nslcd.conf

@@ -16,8 +16,8 @@ base dc=example,dc=net
 #ldap_version 3
 
 # The DN to bind with for normal lookups.
-#binddn cn=...,ou=people,dc=example,dc=com
+binddn cn=...,ou=people,dc=example,dc=com
-#bindpw ...
+bindpw ...
 
 # The DN used for password modifications by root.
 #rootpwmoddn cn=admin,dc=example,dc=com
@@ -34,17 +34,17 @@ reconnect_invalidate passwd group
 nss_initgroups_ignoreusers ALLLOCAL
 
 # Do you have users/groups that aren't for linux?  These filters determine which user/group objects are used.
-filter passwd (&(objectClass=posixAccount)(is-unix-user=1))
+filter passwd (&(objectClass=posixAccount)(unix-uid=*))
-filter group (&(objectClass=groupOfUniqueNames)(is-unix-group=1))
+filter group (&(objectClass=groupOfUniqueNames)(unix-gid=*))
 
 # This check is done AFTER authentication, in the pam "account" stage.
 # Regardless of if they used a LDAP password, or an SSH key, if they're an LDAP user, they have to pass this check.
-pam_authz_search (&(objectClass=posixAccount)(is-unix-user=1)(unix-username=$username)(memberOf=cn=YOUR_LOGIN_GROUP_FOR_THIS_MACHINE,ou=groups,dc=example,dc=com))
+pam_authz_search (&(objectClass=posixAccount)(unix-uid=*)(unix-username=$username)(memberOf=cn=YOUR_LOGIN_GROUP_FOR_THIS_MACHINE,ou=groups,dc=example,dc=com))
 
 
 map passwd uid unix-username
 map passwd uidNumber unix-uid
-map passwd gidNumber unix-uid
+map passwd gidNumber unix-gid
 map passwd gecos unix-username
 map passwd homeDirectory "/home/${unix-username}"
 map passwd loginShell unix-shell