From: Matthew Seaman
Organization: Infracaninophile
Date: Tue, 02 Sep 2008 06:36:24 +0100
To: Chris
Cc: freebsd-questions@freebsd.org
Subject: Re: LDAP and Account Management
Message-ID: <48BCD0D8.7070309@infracaninophile.co.uk>
In-Reply-To: <48BC5F97.1000809@telting.org>

Chris wrote:
> I've toyed with LDAP accounts before to get them to work. But now I'm going to put it into production.
>
> I'm wondering though about user and group management. When ports are installed on individual servers, users and groups are sometimes added for daemons. It would be nice to receive notification and possibly block and/or redirect actions to appropriate scripts and the LDAP server.
>
> Are there any ports or mechanisms for hooking into the scripts and programs that handle account modification (chpass, adduser and pw), or does everyone typically do this sort of thing by hand?

For the users and groups set up when installing from the ports -- unfortunately no. Each port that needs to set up a UID/GID will have its own pkg-install script to do the work. These are all written separately for each port that needs one -- no common code libraries etc. other than cut'n'paste from some other port. These are generally wrappers around pw(8) and have no facility for switching to some other program to generate accounts.

I believe though that while pw(8) can only update text format files such as /etc/master.passwd or /etc/group, it will report all of the UIDs or GIDs known to the system from whatever authentication databases you are hooked up to. So if you create appropriate UIDs and GIDs in LDAP before trying to install the port, you shouldn't end up with a second local account with the same credentials.

Also note that you will likely have boot-order problems: you'll need to ensure that your system is up and on the network and resolving the user information with whatever network-based service you're using before any of the daemons that run as those UIDs are started.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                 7 Priory Courtyard
                                                Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey   Ramsgate
                                                Kent, CT11 9PW
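A pre-install check in the spirit of the advice above, added here as an example and not code from the post or from any port's pkg-install script: it classifies the account a port wants (name plus UID) as already present, absent, or in conflict, given a passwd listing as seen through nsswitch (on FreeBSD, the output of `getent passwd`), and embeds constructed sample entries so it runs offline.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: before running a port's
# pkg-install script, check that the daemon account it wants (NAME + UID)
# already resolves consistently through nsswitch (local files + LDAP), so
# the script's pw(8) call does not create a second local account that
# collides with a directory entry.
#
# On FreeBSD you would pass "$(getent passwd)" as the third argument; a
# constructed passwd listing is embedded here so the check runs offline.

# Constructed sample of what getent passwd might return on a host whose
# nsswitch.conf merges /etc/master.passwd with an LDAP directory.
SAMPLE_PASSWD='root:*:0:0:Charlie &:/root:/bin/csh
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
mysql:*:88:88:MySQL Daemon:/var/db/mysql:/usr/sbin/nologin
postfix:*:125:125:Postfix Mail System:/var/spool/postfix:/usr/sbin/nologin'

# account_state NAME UID [PASSWD_DATA]
# Prints one word:
#   present  - NAME exists with exactly UID; pkg-install's pw(8) call is a no-op
#   absent   - neither NAME nor UID is known; pw(8) would add a local entry,
#              so create the account in LDAP first if that is your policy
#   conflict - NAME is bound to another UID, or UID belongs to another name
account_state() {
    name=$1; uid=$2; data=${3:-$SAMPLE_PASSWD}
    printf '%s\n' "$data" | awk -F: -v n="$name" -v u="$uid" '
        $1 == n { by_name = $3 }
        $3 == u { by_uid = $1 }
        END {
            if (by_name == u && by_uid == n)        print "present"
            else if (by_name == "" && by_uid == "") print "absent"
            else                                    print "conflict"
        }'
}

# precheck NAME UID [PASSWD_DATA]: succeeds only when the account already
# resolves as expected; otherwise explains what to fix before installing.
precheck() {
    state=$(account_state "$@")
    case $state in
        present)  printf '%s:%s already resolves, safe to install\n' "$1" "$2" >&2 ;;
        absent)   printf '%s:%s unknown, create it in LDAP first\n' "$1" "$2" >&2 ;;
        conflict) printf '%s:%s clashes with an existing entry\n' "$1" "$2" >&2 ;;
    esac
    [ "$state" = present ]
}

# Example run against the constructed data: UID 88 is already mysql, so a
# port wanting dovecot:88 is exactly the clash the post warns about.
precheck www 80
precheck dovecot 88 || echo "refusing to run pkg-install" >&2
```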