From owner-freebsd-questions@freebsd.org Wed Jan 20 10:20:31 2016
Subject: Re: OpenLDAP: using FreeBSD's /etc/login.conf attributes with external LDAP users?
From: Matthew Seaman <matthew@freebsd.org>
To: freebsd-questions@freebsd.org
Cc: ohartman@zedat.fu-berlin.de
Date: Wed, 20 Jan 2016 10:20:14 +0000
Message-ID: <569F5F5E.9020403@freebsd.org>
In-Reply-To: <20160120105633.602dd290@freyja.zeit4.iv.bundesimmobilien.de>

On 01/20/16 09:56, O. Hartmann wrote:
> Using latest net/openldap24-server with FreeBSD as server and login target for
> several users results in a problem.

Use nss-pam-ldapd -- it's way better than pam-ldap.

> Via attribute :requirehome: in /etc/login.conf (i.e. added to class "standard")
> one can prevent users from login without a valid home directory. Otherwise a
> user with a valid LDAP entry will end up in "/". I'd like to add a standard
> class for any user log in (via ssh) on that specific server (only administrative
> staff has local logins in /etc/passwd, all users are located in LDAP DIT).
>
> I searched the net for solutions and found one suggesting reverting the
> "default" behaviour to have :requirehome: and use another class for all users
> local in /etc/master.passwd (i.e. "privileged") - but this seems somehow odd
> and in a hurry, updating software or similar, new facility users, like the
> recently added user "_ypldap" will end up in the default class with
> prerequisites a daemon will fail with. I think this could be too much of a
> trap/pitfall.
>
> So, the question is whether there is a more elegant/semantic way to do so.
>
> Please CC me, I do not subscribe to this list,
>
> thanks in advance and kind regards,

One way round this problem is to use pam_mkhomedir -- that way you can ensure that anyone that can log in has a home directory (automatically created for them if necessary.)

Of course this means that users' SSH authorized_keys will not be available automatically in their home dir -- you can handle that in several different ways: use Kerberos / GSSAPI for authentication, or use LDAP to serve the public keys (you'll need to write a script that looks up the users' keys in LDAP and returns them, which you add as AuthorizedKeysCommand in /etc/ssh/sshd_config).

If you need to restrict which machines various people in your LDAP directory can log into, it would be better to have an explicit mechanism within LDAP rather than relying on an implicit property of the account, like existence of the home directory or not.
Cheers,

Matthew
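The AuthorizedKeysCommand lookup script Matthew mentions, as an added example that is not part of the original thread. It assumes the openssh-lpk style sshPublicKey attribute, an ldapsearch in PATH and a base64 that decodes stdin with -d; the server URI, base DN and the sample entry are constructed for illustration. It validates the login name before building the LDAP filter and parses the LDIF that ldapsearch returns, including folded continuation lines and base64-encoded values.

```shell
#!/bin/sh
# Added example, not code from the original thread: an sshd AuthorizedKeysCommand
# helper returning a user's public keys from LDAP. Assumes the openssh-lpk style
# "sshPublicKey" attribute, ldapsearch in PATH and a "base64 -d" reading stdin.
LDAP_URI="${LDAP_URI:-ldap://ldap.example.org}"        # assumed server
LDAP_BASE="${LDAP_BASE:-ou=People,dc=example,dc=org}"  # assumed base DN

# %u is the client-supplied login name: allow only plain POSIX usernames
# before it is interpolated into an LDAP filter (blocks filter injection).
safe_user() {
    case $1 in
        "" | *[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# LDIF on stdin -> one key per line: join continuation lines (leading space),
# base64-decode "sshPublicKey::" values, pass plain "sshPublicKey:" through.
ldif_keys() {
    awk '/^ / { line = line substr($0, 2); next }
         NR > 1 { print line }
         { line = $0 }
         END { if (NR) print line }' |
    while IFS= read -r l; do
        case $l in
            "sshPublicKey:: "*) printf '%s\n' "${l#sshPublicKey:: }" | base64 -d; echo ;;
            "sshPublicKey: "*)  printf '%s\n' "${l#sshPublicKey: }" ;;
        esac
    done
}

# Entry point for sshd: keys for user $1 on stdout, nothing on any error.
fetch_keys() {
    safe_user "$1" || return 1
    ldapsearch -x -LLL -H "$LDAP_URI" -b "$LDAP_BASE" \
        "(&(objectClass=posixAccount)(uid=$1))" sshPublicKey | ldif_keys
}

# Constructed sample entry for the offline check: one plain value and one
# base64 value folded at 40 columns, the way ldapsearch wraps long lines.
KEY1='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE alice@laptop'
KEY2='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABEXAMPLE alice@desk'
sample_ldif() {
    printf 'dn: uid=alice,%s\nsshPublicKey: %s\nsshPublicKey:: ' "$LDAP_BASE" "$KEY1"
    printf '%s' "$KEY2" | base64 | tr -d '\n' | fold -w 40 | sed '2,$s/^/ /'
}

[ $# -eq 0 ] || fetch_keys "$1"
```

In sshd_config this is wired up as `AuthorizedKeysCommand /usr/local/libexec/ldap-ssh-keys %u` (path assumed) together with the mandatory `AuthorizedKeysCommandUser nobody`; sshd refuses the command unless the script is owned by root and not writable by group or others.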