Date: Tue, 2 Sep 2008 08:46:31 +0200
From: Jonathan McKeown <jonathan+freebsd-questions@hst.org.za>
To: freebsd-questions@freebsd.org
Subject: Re: LDAP and Account Management
Message-ID: <200809020846.31216.jonathan%2Bfreebsd-questions@hst.org.za>
In-Reply-To: <48BC5F97.1000809@telting.org>
References: <48BC5F97.1000809@telting.org>
On Monday 01 September 2008 23:33:11 Chris wrote:
> I've toyed with LDAP accounts before to get them to work. But now I'm
> going to put it into production.
>
> I'm wondering though about user and group management. When ports are
> installed on individual servers, users and groups are sometimes added
> for daemons. It would be nice to receive notification and possibly
> block and or redirect actions to appropriate scripts and the LDAP server.
>
> Are there any ports or mechanisms for hooking into the scripts and
> programs that handle account modification (chpass, adduser and pw) or
> does everyone typically do this sort of thing by hand?

I take a fairly relaxed approach to this, with the following basic rules:
uids/gids for real users must be in LDAP, and unique across the whole
network; uids/gids for users created by ports are in /etc/passwd and are
only unique per-server - I don't mind if two different servers have
different uids/gids for the same daemon user, or the same uid/gid for two
different daemon users.

The problem is that some ports (isc-dhcp3-server springs to mind) simply
add their user as the next available uid - which by default is one more
than the highest uid currently in use. I deal with this by having two
blocks of uids: 1000-1099 for daemons, and 1100 and up for LDAP users.

I also create /etc/pw.conf containing the two lines

reuseuids yes
reusegids yes

which means that pw(8) takes the lowest available uid, rather than the
default.

My biggest gripe with LDAP user management is that passwd(1) has the hooks
to allow it to use PAM (which with appropriate modules and configuration
would allow changing the LDAP password) but the code is diked out.

HTH

Jonathan
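An added example, not from the thread: a POSIX sh audit of a passwd(5) file against the uid policy Jonathan describes (daemons in 1000-1099, LDAP users from 1100 up), together with the two pw.conf lines he uses. The range boundaries are taken from the message; the sample passwd contents and the helper names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original thread. Audits a passwd(5) file
# against the policy in the message: local (ports-created) daemon accounts
# live in 1000-1099, LDAP users in 1100 and up. A local account that lands
# in the LDAP range may share a uid with a directory user and thereby get
# that user's file permissions, so it should be found before that happens.
# Range boundary comes from the message; the sample data is constructed.

LDAP_MIN=1100

# Print "name:uid" for every local account whose uid is in the LDAP range.
# Returns 1 when at least one such account exists, 0 otherwise.
audit_passwd() {
    found=0
    while IFS=: read -r name _pw uid _rest; do
        case "$name" in ''|'#'*) continue ;; esac      # blank / comment
        case "$uid" in ''|*[!0-9]*) continue ;; esac   # malformed uid
        if [ "$uid" -ge "$LDAP_MIN" ]; then
            printf '%s:%s\n' "$name" "$uid"
            found=1
        fi
    done < "$1"
    return "$found"
}

# Print each uid used by more than one local account (one per line);
# a shared uid means two accounts are the same principal to the kernel.
duplicate_uids() {
    cut -d: -f3 "$1" | sort -n | uniq -d
}

# Write the two pw.conf(5) lines from the message so pw(8) reuses the
# lowest free uid/gid instead of max+1 (which would spill into 1100+).
write_pw_conf() {
    printf 'reuseuids yes\nreusegids yes\n' > "$1"
}

# Constructed sample /etc/passwd: dhcpd was added with the default
# "next available uid" and landed in the LDAP range; mysql and postfix
# were both given 1000 on this host.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/sh
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
postfix:*:1000:1000:Postfix Mail System:/var/spool/postfix:/usr/sbin/nologin
mysql:*:1000:1000:MySQL Daemon:/var/db/mysql:/usr/sbin/nologin
dhcpd:*:1100:1100:dhcpd pseudo-user:/nonexistent:/usr/sbin/nologin
EOF
```

Run `audit_passwd /etc/passwd` and `duplicate_uids /etc/passwd` on a real host to list the accounts to renumber before LDAP users are added.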