
The nsssd-switch program

nsssd-switch is a daemon providing a backend for clients using the nsss library - more precisely, clients using the nsss-all or the nsss-switch functions.

The nsssd-switch backend is the real point of the nsss package: it allows a complex configuration that combines several other backends, similarly to the /etc/nsswitch.conf mechanism but without its drawbacks. It accomplishes this by reading its backend configuration on the command line.

Interface

     s6-ipcserver -l0 /run/service/nsssd/s nsssd-switch bitfield1 backend1... "" bitfield2 backend2... "" ...

or, in an execline script:

     s6-ipcserver -l0 /run/service/nsssd/s
     nsssd-switch
       bitfield1 { backend1... }
       bitfield2 { backend2... }
       ...

Notes

nsssd-switch is not meant to be called directly; instead, it is expected to be run from a script as a part of a "nsssd" local service.

The examples/ subdirectory of the nsss package provides examples of how to run such a service. The simplest way to do so, for testing purposes, is a command line such as:

     s6-ipcserver -l0 /run/service/nsssd/s nsssd-switch 0 nsssd-unix ""

/run/service/nsssd/s is the default place where nsss's implementation of the pwd.h, grp.h and shadow.h functions expects the nsssd service to be. It can be changed at nsss build time by giving the --with-nsssd-socket=PATH option to configure.

nsssd-switch does not listen to the socket itself: it reads from its standard input and writes to its standard output. It relies on a superserver such as s6-ipcserver to manage connections to the socket. An instance of nsssd-switch is run for every client connection.

If fine-grained authorizations are required (only allowing certain users and groups to connect to the service), the superserver can be configured to enforce them.

nsssd-switch does not need to run as root, provided it has all the permissions needed by the backends it spawns. It is recommended to create a nsss user and group, dedicated to the nsssd service, and run the superserver as this user and group.
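
The last two notes combined, as an added example (not part of the nsss package or its examples/ directory): a shell helper that builds an s6 access-rules directory admitting only the listed numeric group ids, and prints an execline run script that starts the superserver as the nsss user. The -i option, the rules directory layout and s6-setuidgid come from s6, not from this page; the function names and the rules path are assumptions.

```shell
#!/bin/sh
# Added example, not nsss code. Function names and the rules path are
# hypothetical; the uid/ and gid/ layout is the s6 access-rules format.

# nsssd_rules DIR GID...
# Build a rules directory that admits clients whose effective gid is one
# of the listed numeric ids and refuses every other client.
nsssd_rules() {
  [ "$#" -ge 2 ] || { echo "usage: nsssd_rules DIR GID..." >&2; return 1; }
  rules=$1; shift
  # Validate everything first so a bad argument leaves nothing half-built.
  for gid in "$@"; do
    case $gid in
      ''|*[!0-9]*) echo "not a numeric gid: $gid" >&2; return 1 ;;
    esac
  done
  mkdir -p "$rules/uid/default" || return 1
  : > "$rules/uid/default/deny" || return 1   # explicit default: refuse
  for gid in "$@"; do
    mkdir -p "$rules/gid/$gid" || return 1
    : > "$rules/gid/$gid/allow" || return 1
  done
}

# nsssd_run_script RULESDIR
# Print an execline run script for the nsssd service. The superserver runs
# as the dedicated nsss user, so that user must be able to create the
# socket, read RULESDIR, and hold whatever permissions nsssd-unix needs.
nsssd_run_script() {
  cat <<EOF
#!/bin/execlineb -P
fdmove -c 2 1
s6-setuidgid nsss
s6-ipcserver -i $1 -l0 /run/service/nsssd/s
nsssd-switch
  0 { nsssd-unix }
EOF
}
```

The rules directory should be writable only by an administrator, since anyone who can add an allow file to it can grant themselves access to the service.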