LibNSS-AAD: Linux Name Switch Service plugin for passwd and group lookups into Azure Active Directory
This is a glibc NSS plugin that will query Azure Active Directory for information about users, written in Rust. It is very, very simple, and does not even go so far as to properly use OAuth2. It implements the following libc functions:
This plugin works best with (and basically, though not actually, requires) nscd. Because nscd can
have unintended effects on hosts, it is highly recommended that you refer to
enable nscd caching only for
group services, and set the various configuration
options appropriately for your environment.
This plugin was written as a compliment to OpenSSH certificate authentication.
This plugin provides a limited set of information to the system, and has some aspects that are worth mentioning.
- UIDs are not sanity-checked, except for uid
0(which the plugin will refuse to honor and return
- As currently implemented, UIDs are retrieved from the
immutableIduser attribute. This may not be appropriate in your environment.
- GIDs are not checked, not even for GID
- The user password field returned is
., because OpenSSH considers a password field of
*to indicate a locked account.
/etc/nssaad.conf file must be readable by any user (privileged or not) that wants to obtain information from AAD (akin to the
passwd service), and thus the Azure AD Application's client secret will be world-readable. Careful use of NSCD may alleviate this (as it may when using the
bindpw option libnss-ldap), but very well may not. It is recommended that you limit the permissions granted to the Application, and not grant shell access to users whom you do not want querying the Directory.
The plugin expects to read from
/etc/nssaad.conf, which is a YAML file:
client_id: "..." client_secret: "..." default_user_group_id: ### domain_sid: "S-1-5-..." tenant: "..."
client_id: is the Application ID of the AAD Application that you have created, and to which you have granted it the necessary permissions (namely,
Directory.Read.All, or a combination of
Group.Read.All) to query data from the Graph API.
client_secret: is a key that the client can use to obtain an OAuth2 bearer token.
default_user_group_id: is the gid that users will have by default.
domain_sid: is the domain portion of the SID, including S-1-5- (basically any user or group SID without the relative ID at the end). NOTE: this only supports a single AD domain at the moment.
tenant: is your Azure AD tenant name, or its GUID.
aad service to the
/etc/nsswitch.conf file. Probably something like:
passwd: compat aad group: compat aad
Upon building the library, copy the
target/release/libnss_aad.so file to
- Every call to the plugin results in at least one connection to the OAuth2 endpoint for a new token.
- OpenSSH may consider a user account with a password field of
*to be locked, and thus this plugin returns