The nsssd-nslcd program

nsssd-nslcd is a daemon providing a backend for clients using the nsss library - more precisely, clients using the nsss-all or the nsss-switch functions.

The nsssd-nslcd backend is meant to be used when the user/group/shadow information is held in a LDAP server, and the nslcd daemon is running on the system as an interface to the LDAP architecture. nsssd-nslcd acts a server for its libnsss-using client, and as a client to nslcd. It forwards the application's requests to nslcd, and forwards the answers back.

nsssd-nslcd is not meant to be called directly; instead, it is expected to be run from a script as a part of a "nsssd" local service.

The examples/ subdirectory of the nsss package provides examples on how to run such a service. The simplest way to do so, for testing purposes, is a command line such as:

s6-ipcserver -l0 /run/service/nsss/s nsssd-nslcd /var/run/nslcd/socket

/run/service/nsss/s is the default place where nsss's implementation of the pwd.h, grp.h and shadow.h functions expects the nsssd service to be. It can be changed at nsss build time by giving the --with-nsssd-socket=PATH option to configure. nsssd-nslcd takes one argument: the path to connect to the nslcd daemon. By default, this is /var/run/nslcd/socket. The default can be changed at nslcd build time.

nsssd-nslcd does not listen to the socket itself: it reads from its standard input and writes to its standard output. It relies on a superserver such as s6-ipcserver to manage connections to the socket. An instance of nsssd-nslcd is run for every client connection.

If fine-grained authorizations are required (only allowing certain users and groups to connect to the service), the superserver can be configured to enforce them.

nsssd-nslcd does not need to run as root, provided it can connect to the nslcd daemon. It is recommended to create a nsss user and group, dedicated to the nsssd service, and run the superserver as this user and group.