{"id":19449097,"url":"https://github.com/outlook/libnss-aad","last_synced_at":"2025-07-27T00:04:34.430Z","repository":{"id":70856366,"uuid":"89504228","full_name":"outlook/libnss-aad","owner":"outlook","description":"A glibc NSS plugin that implements an Azure Active Directory service","archived":false,"fork":false,"pushed_at":"2017-06-29T15:41:34.000Z","size":29,"stargazers_count":25,"open_issues_count":6,"forks_count":6,"subscribers_count":11,"default_branch":"master","last_synced_at":"2025-04-03T15:05:25.200Z","etag":null,"topics":["azure","azure-active-directory","glibc","group","linux","nss","nss-db","passwd"],"latest_commit_sha":null,"homepage":null,"language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/outlook.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-04-26T16:38:37.000Z","updated_at":"2024-11-09T21:34:45.000Z","dependencies_parsed_at":null,"dependency_job_id":"ee7681b1-78fe-4944-b22b-2c27d368d10d","html_url":"https://github.com/outlook/libnss-aad","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/outlook%2Flibnss-aad","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/outlook%2Flibnss-aad/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/outlook%2Flibnss-aad/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/outlook%2Flibnss-aad/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/outlook","download_url":"https://codeload.github.com/outlook/libnss-aad/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250742004,"owners_count":21479713,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["azure","azure-active-directory","glibc","group","linux","nss","nss-db","passwd"],"created_at":"2024-11-10T16:29:59.481Z","updated_at":"2025-04-25T02:32:14.012Z","avatar_url":"https://github.com/outlook.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"\nLibNSS-AAD: Linux Name Switch Service plugin for passwd and group lookups into Azure Active Directory\n=====================================================================================================\n\nIntroduction\n------------\n\nThis is a glibc NSS plugin that will query Azure Active Directory for information about users,\nwritten in Rust. It is very, very simple, and does not even go so far as to properly use OAuth2.\nIt implements the following libc functions:\n* `getpwnam`\n* `getpwuid`\n* `getgrnam`\n* `getgrgid`\n* `initgroups_dyn`\n\nThis plugin works best with (and basically, though not actually, requires) nscd. Because nscd can\nhave unintended effects on hosts, it is highly recommended that you refer to `nscd.conf(5)` and\nenable nscd caching only for `passwd` and `group` services, and set the various configuration\noptions appropriately for your environment.\n\nThis plugin was written as a compliment to OpenSSH certificate authentication.\n\nSecurity Considerations\n-----------------------\n\nThis plugin provides a limited set of information to the system, and has some aspects that are\nworth mentioning.\n\n* UIDs are not sanity-checked, except for uid `0` (which the plugin will refuse to honor and return `NSS_STATUS_NOTFOUND`).\n* As currently implemented, UIDs are retrieved from the `immutableId` user attribute. This may not be appropriate in your environment.\n* GIDs are not checked, not even for GID `0`.\n* The user password field returned is `.`, because OpenSSH considers a password field of `*` to indicate a locked account.\n\nThe `/etc/nssaad.conf` file must be readable by any user (privileged or not) that wants to obtain information from AAD (akin to the `passwd` service), and thus the Azure AD Application's client secret will be world-readable. Careful use of NSCD may alleviate this (as it may when using the `bindpw` option libnss-ldap), but very well may not. It is recommended that you limit the permissions granted to the Application, and not grant shell access to users whom you do not want querying the Directory.\n\nConfiguration\n-------------\n\n### Plugin Configuration ###\nThe plugin expects to read from `/etc/nssaad.conf`, which is a YAML file:\n\n```yaml\nclient_id: \"...\"\nclient_secret: \"...\"\ndefault_user_group_id: ###\ndomain_sid: \"S-1-5-...\"\ntenant: \"...\"\n```\n\n* `client_id`: is the Application ID of the [AAD Application](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-integrating-applications) that you have created, and to which you have granted it [the necessary permissions](https://msdn.microsoft.com/en-us/library/azure/ad/graph/howto/azure-ad-graph-api-permission-scopes) (namely, `Directory.Read.All`, or a combination of `User.ReadBasic.All` and `Group.Read.All`) to query data from the Graph API.\n* `client_secret`: is a key that the client can use to obtain an [OAuth2 bearer token](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-code).\n* `default_user_group_id`: is the gid that users will have by default.\n* `domain_sid`: is the domain portion of the [SID](https://en.wikipedia.org/wiki/Security_Identifier), including S-1-5- (basically any user or group SID without the relative ID at the end). NOTE: this only supports a single AD domain at the moment.\n* `tenant`: is your [Azure AD tenant](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-howto-tenant) name, or its GUID.\n\n### NSS Configuration ###\nAdd the `aad` service to the `/etc/nsswitch.conf` file. Probably something like:\n```\npasswd:         compat aad\ngroup:          compat aad\n```\n\nInstallation\n------------\n\nUpon building the library, copy the `target/release/libnss_aad.so` file to `/lib/???-linux-gnu/libnss_aad.so.2`.\n\nKnown Issues\n------------\n\n* Every call to the plugin results in at least one connection to the OAuth2 endpoint for a new token.\n* OpenSSH may consider a user account with a password field of `*` to be locked, and thus this plugin returns `.` instead.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foutlook%2Flibnss-aad","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Foutlook%2Flibnss-aad","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foutlook%2Flibnss-aad/lists"}