<aaa>
  <aaaBridge>
    <enabled>true</enabled>
    <file>/etc/confd/aaa.conf</file>
  </aaaBridge>
</aaa>
This program is deprecated. It does not support the NACM data model for access control.
ConfD needs to have the YANG module defining the namespace http://tail-f.com/ns/aaa/1.1 defined. The namespace is mandatory for ConfD to run. The namespace specifies authentication and authorization data for ConfD, and ConfD doesn't run unless this namespace is populated. This is fully described in the document "The ConfD AAA infrastructure".
We can either choose to use CDB to populate the AAA namespace, in which case no C code needs to be written. Using CDB is the easiest and recommended way to populate the AAA data. In the CDB case we should have the "aaa_cdb.fxs" file in the ConfD load path. By default ConfD uses CDB to store the AAA data, so this man page is only of interest to users who don't use CDB to store the "/aaa" tree.
If we do not want to use CDB, we can choose to populate the namespace using "aaa_bridge.fxs" with external data, in which case a program using the ConfD external data API from libconfd.so must be written to populate aaa_bridge.fxs.
confd_aaa_bridge.c is an example of such a program. It reads and writes an ad hoc .ini file which is used as an "external database" for authentication and authorization data. If we enable confd_aaa_bridge in the configuration file for ConfD (see confd.conf(5)), ConfD will automatically start a precompiled version of confd_aaa_bridge on startup and stop it on shutdown.
confd_aaa_bridge is just an example of how we can choose to populate the AAA namespace if we do not want to use CDB at all.
confd_aaa_bridge reads and writes a file with the following syntax:
[users]
.. a set of users
[groups]
.. a set of groups
[cmdrules]
.. a set of rules
[datarules]
.. a set of rules
The [users] are specified as six space/tab separated fields:
user uid gid cryptpassword sshdir homedir
The user field is the name of the user, the cryptpassword is the encrypted (see crypt(3)) password of the user, the sshdir is the name of a directory where the user's SSH keys are kept, and finally the homedir is a directory which is considered the HOME directory of the user. The CLI will save files in this directory. The uid and gid are UNIX ids ConfD will use to run commands on behalf of the logged-in user.
[users]
admin 0 0 $1$feedbabe$nGlMYlZpQ0bzenyFOQI3L1 /var/u1/.ssh /var/u1
oper 0 0 $1$feedbabe$i2glnaB.iUj2VXh/zlq.o/ /var/u2/.ssh /var/u2
The [groups] are specified as several space/tab separated fields:
group gid user1 user2 ......
The first field, the group, is the name of a group; the gid is the UNIX group id of this group, and the remaining space separated strings are the list of users that are members of the group. A gid of -1 means that no additional group id should be assigned to a user that belongs to this group.
The [cmdrules] are specified as six space/tab separated fields:
index context command group op action
And the [datarules] are specified as seven space/tab separated fields:
index context namespace keypath group op action
The meaning of the different rule fields is described in the AAA userguide.
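The file layout above, as an added example that is not part of the ConfD release: a small Python parser and consistency checker for the confd_aaa_bridge file, useful before reloading a hand-edited file. The function names, the [groups] lines and the user "nosuchuser" in the sample are constructed for this example; the [users] lines are the man page's own.

```python
import re
# Field counts from the man page; [groups] lines have a variable length.
FIELD_COUNTS = {"users": 6, "cmdrules": 6, "datarules": 7}

def parse_aaa_file(text):
    # Returns {section: [[field, ...], ...]} for [users]/[groups]/[cmdrules]/[datarules].
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError("data before first section header: %r" % line)
        else:
            sections[current].append(line.split())  # space/tab separated fields
    return sections

def check_aaa(sections):
    # Returns a list of problems; an empty list means the file is consistent.
    problems = []
    for name, count in FIELD_COUNTS.items():
        for row in sections.get(name, []):
            if len(row) != count:
                problems.append("[%s] needs %d fields: %s" % (name, count, " ".join(row)))
    users = {}
    for row in (r for r in sections.get("users", []) if len(r) == 6):
        user, uid, gid = row[:3]
        if not (uid.isdigit() and gid.isdigit()):
            problems.append("user %s: uid and gid must be numeric" % user)
        users[user] = row
    for row in sections.get("groups", []):
        group, gid, members = row[0], (row[1] if len(row) > 1 else ""), row[2:]
        if not re.fullmatch(r"-1|\d+", gid):
            problems.append("group %s: gid must be a number or -1" % group)
        for member in members:  # every member must be a defined user
            if member not in users:
                problems.append("group %s: member %s is not in [users]" % (group, member))
    return problems

# Constructed sample: the man page's [users] block plus two [groups] lines, one of which names an undefined user.
SAMPLE = """[users]
admin 0 0 $1$feedbabe$nGlMYlZpQ0bzenyFOQI3L1 /var/u1/.ssh /var/u1
oper 0 0 $1$feedbabe$i2glnaB.iUj2VXh/zlq.o/ /var/u2/.ssh /var/u2
[groups]
admin -1 admin
oper -1 oper nosuchuser
"""
```

Running check_aaa(parse_aaa_file(SAMPLE)) reports the dangling group member; an empty list means the file is safe to hand to confd_aaa_bridge.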
If the signal SIGHUP is sent to the program, as in
# killall -HUP confd_aaa_bridge
the program will die; ConfD will notice the exit code and silently restart confd_aaa_bridge. This is a convenient way to force ConfD to reload a data file edited by hand: kill -HUP the confd_aaa_bridge UNIX process.
See the YANG module tailf-aaa.yang in the $CONFD_DIR/src/confd/aaa directory in the release, as well as the accompanying annotation YANG module bridge-ann.yang in the $CONFD_DIR/src/confd/confd_aaa_bridge directory, which brings the necessary callpoint into the original YANG module tailf-aaa.yang.