Date: Wed, 20 Jan 2016 10:20:14 +0000
From: Matthew Seaman <matthew@freebsd.org>
To: freebsd-questions@freebsd.org
Cc: ohartman@zedat.fu-berlin.de
Subject: Re: OpenLDAP: using FreeBSD's /etc/login.conf attributes with external LDAP users?
Message-ID: <569F5F5E.9020403@freebsd.org>
In-Reply-To: <20160120105633.602dd290@freyja.zeit4.iv.bundesimmobilien.de>
References: <20160120105633.602dd290@freyja.zeit4.iv.bundesimmobilien.de>
On 01/20/16 09:56, O. Hartmann wrote:
> Using latest net/openldap24-server with FreeBSD as server and login target for
> several users results in a problem.

Use nss-pam-ldapd -- it's way better than pam-ldap.

> Via attribute :requirehome: in /etc/login.conf (i.e. added to class "standard")
> one can prevent users from logging in without a valid home directory. Otherwise a
> user with a valid LDAP entry will end up in "/". I'd like to add a standard
> class for any user logging in (via ssh) on that specific server (only administrative
> staff has local logins in /etc/passwd, all users are located in the LDAP DIT).
>
> I searched the net for solutions and found one suggesting reverting the
> "default" behaviour to have :requirehome: and use another class for all users
> local in /etc/master.passwd (i.e. "privileged") - but this seems somehow odd
> and in a hurry, updating software or similar, new facility users, like the
> recently added user "_ypldap", will end up in the default class with
> prerequisites a daemon will fail with. I think this could be too much of a
> trap/pitfall.
>
> So, the question is whether there is a more elegant/semantic way to do so.
>
>
> Please CC me, I do not subscribe to this list,
>
> thanks in advance and kind regards,

One way round this problem is to use pam_mkhomedir -- that way you can
ensure that anyone who can log in has a home directory (automatically
created for them if necessary).

Of course this means that users' SSH authorized_keys files will not be
available automatically in their home dirs -- you can handle that in
several different ways: use Kerberos / GSSAPI for authentication, or use
LDAP to serve the public keys (you'll need to write a script that looks
up the user's key in LDAP and returns it, which you add as
AuthorizedKeysCommand in /etc/ssh/sshd_config).

If you need to restrict which machines various people in your LDAP
directory can log into, it would be better to have an explicit mechanism
within LDAP rather than relying on an implicit property of the account,
like existence of the home directory or not.

Cheers,

Matthew
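The AuthorizedKeysCommand helper Matthew describes, as an added example that is not code from this thread or from any FreeBSD project. It assumes (none of this is stated on the page) that keys are stored in the openssh-lpk "sshPublicKey" attribute, that the directory at LDAP_URI allows an anonymous read under LDAP_BASE, and that the script is installed as /usr/local/sbin/ldap-authkeys; the LDIF sample at the bottom is constructed for an offline check. Two points the one-line description hides are handled here: sshd passes %u to the command unmodified, so the username is validated before it is spliced into an LDAP filter, and ldapsearch folds long values across lines and base64-encodes some of them, so a plain grep for sshPublicKey would return truncated or encoded keys.

```shell
#!/bin/sh
# Added example (not from the thread): AuthorizedKeysCommand helper that returns
# a user's sshPublicKey values from LDAP. Assumed, not stated on the page:
# openssh-lpk "sshPublicKey" attribute, anonymous read access, these defaults.
#
# Install root-owned, mode 0755, and add to /etc/ssh/sshd_config:
#   AuthorizedKeysCommand /usr/local/sbin/ldap-authkeys %u
#   AuthorizedKeysCommandUser nobody

LDAP_URI="${LDAP_URI:-ldap://ldap.example.org}"
LDAP_BASE="${LDAP_BASE:-ou=People,dc=example,dc=org}"

# sshd hands us %u untouched, so refuse anything that is not a plain POSIX
# username before it goes into an LDAP filter; '*', '(' and ')' would
# otherwise let the caller rewrite the search.
valid_user() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# base64 decoder: GNU/Linux ship base64(1); FreeBSD base has b64decode(1).
b64dec() {
    if command -v base64 >/dev/null 2>&1; then base64 -d; else b64decode -r; fi
}

# Read LDIF on stdin, print one public key per line. ldapsearch folds long
# values (continuation lines start with one space) and emits values that are
# not safe LDIF text as "attr:: <base64>"; both are handled here.
extract_keys() {
    awk '
        /^ /  { buf = buf substr($0, 2); next }
              { if (buf != "") print buf; buf = $0 }
        END   { if (buf != "") print buf }
    ' | while IFS= read -r line; do
        case "$line" in
            "sshPublicKey:: "*)
                v="${line#"sshPublicKey:: "}"
                printf '%s\n' "$(printf '%s' "$v" | b64dec)" ;;
            "sshPublicKey: "*)
                printf '%s\n' "${line#"sshPublicKey: "}" ;;
        esac
    done
}

# Query the directory for one user's keys (needs the OpenLDAP client tools).
lookup_keys() {
    valid_user "$1" || { echo "ldap-authkeys: refusing username '$1'" >&2; return 1; }
    ldapsearch -x -LLL -H "$LDAP_URI" -b "$LDAP_BASE" \
        "(&(objectClass=posixAccount)(uid=$1))" sshPublicKey | extract_keys
}

# Constructed sample of ldapsearch -LLL output: one folded key and one
# base64-encoded key. Not real directory data.
SAMPLE_LDIF='dn: uid=alice,ou=People,dc=example,dc=org
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGxhbGFsYWxh alice@exa
 mple.org
sshPublicKey:: c3NoLWVkMjU1MTkgQUFBQSBib2I=
'

# When run by sshd with a username argument, look it up; otherwise do nothing.
if [ "$#" -eq 1 ]; then
    lookup_keys "$1"
fi
```

sshd refuses an AuthorizedKeysCommand that is not owned by root or is group/world writable, and it requires AuthorizedKeysCommandUser to be set; running the script as an unprivileged user also keeps the directory lookup away from root. Checking `printf '%s' "$SAMPLE_LDIF" | extract_keys` against the sample prints the unfolded alice key and the decoded "ssh-ed25519 AAAA bob".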