From owner-freebsd-questions@freebsd.org Sat Mar 14 09:40:31 2020 Return-Path: Delivered-To: freebsd-questions@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id C862227C818 for ; Sat, 14 Mar 2020 09:40:31 +0000 (UTC) (envelope-from matthew@FreeBSD.org) Received: from smtp.freebsd.org (smtp.freebsd.org [IPv6:2610:1c1:1:606c::24b:4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "smtp.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 48fcxW20gxz48Gc for ; Sat, 14 Mar 2020 09:40:31 +0000 (UTC) (envelope-from matthew@FreeBSD.org) Received: from smtp.infracaninophile.co.uk (smtp.infracaninophile.co.uk [81.2.117.100]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.infracaninophile.co.uk", Issuer "Let's Encrypt Authority X3" (verified OK)) (Authenticated sender: matthew/mail) by smtp.freebsd.org (Postfix) with ESMTPSA id 9401A1C017 for ; Sat, 14 Mar 2020 09:40:30 +0000 (UTC) (envelope-from matthew@FreeBSD.org) Received: from liminal.local (unknown [IPv6:2001:8b0:151:1:50e7:57c0:b573:eec6]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: m.seaman@infracaninophile.co.uk) by smtp.infracaninophile.co.uk (Postfix) with ESMTPSA id A0171DF77 for ; Sat, 14 Mar 2020 09:40:27 +0000 (UTC) Authentication-Results: smtp.infracaninophile.co.uk; dmarc=none (p=none dis=none) header.from=FreeBSD.org Authentication-Results: smtp.infracaninophile.co.uk/A0171DF77; dkim=none; dkim-atps=neutral Subject: Re: Centralized user/group/whatever management To: freebsd-questions@freebsd.org References: <20200313091923.GA98495@admin.sibptus.ru> <2F4CA1FD-FB90-4B2E-A2C3-9C009A67A5EE@theory14.net> <20200314055541.GF27346@admin.sibptus.ru> From: Matthew Seaman Autocrypt: addr=matthew@FreeBSD.org; prefer-encrypt=mutual; keydata= mQINBFJIL80BEADi7/VbnnErDU6pjEhI/SzEZ/HbDRkJ5g7HroAtqIRm6nj8ZwOAgZ/2ZnWn 5F+fXTuLsG0FLNtkd17FoVcuCi5e/GPliXI5cmamV7E1Yz4T8UsJ7RQolimyxVexccKd16Tc AA7B9bFlJSKkBUSD0buj7VjT07xWhRzu6Vgi5r0UjLALYJz977uZA0F1aOGOXREDEAOhdcNc kSNjynqAwDA6dCT1Elpi4key1fYjv4jyDF+GU/YXul2Y/rguA8FCkHd9vyym5eAsLQ5mG00V V9fkEHIpH5KorNVnl/ufHXnkZqmHAZVpFDcrshb7aZ/pL45PXyWgLj+e6etelgj3a2bZi0JF cVdXCnBZVP2oIyYblM11ugTbfCwodORU8a5KfPeztMdAtDr4e+32NTrPdPi5rLT+GUsYz+PL 3A3m3u8bdsFp40DlIrBtSByVjqERxcfhphrEB4J8BXHUG7OAtXkZMlW/PGKDwXJq0O6Z5Tcg YHAoEiSWbXiexHgXNJyP+sqnIlhLWhSJGeJ+C83wqI6oYlZUCW00NkPxcIHnQPV/z+5wQVci TMyaWC2YCIHz4Ljs+TnwWMz0E8PNFDfHVbQ0W4PRGV7gRAqxfL+yKufauIEGbEq8rNDbSwL3 bcUCxR4ZDlaUEUwT4J8naf7rjdgiEYHs2Ig3jeK1+ER4FPG1sQARAQABtCRNYXR0aGV3IFNl YW1hbiA8bWF0dGhld0BmcmVlYnNkLm9yZz6JAlQEEwEKAD4CGwMFCwkIBwMFFQoJCAsFFgMC AQACHgECF4AWIQRyz6whebywJLW1RZADb2ye5/OevwUCWttU6gUJDFmAlAAKCRADb2ye5/Oe v7D/EACF6YL98cq6u20rai9gDCS+XY7HDGxowreE2HTAZXQmJTatSaEgiJMJUXfjXn7U/L+q zFhjOC2kiOze1yIWrptoxFa29lSUi3jWHNv7BM2bA4i7jjtwR8Ep2wSvDDl99jewDc6Ewot4 p598S5tZt4my9yGLeaCiN44IPg4U2ftnjcoONtrBOVyIHvVK5QL5r+wyqfdlySbAs026kJAZ rkwAL2ZVy3m1xNSmM8MojwSeX/5puv5JG2FoFb+VphZKCpgaqoEAN2jCqoJW9nnbAth1bYiM djiVr+k8pQl4CltFgpzSKxGbxXUSdPmEpA67FsV0BLIq5xy5VkvzoM+SD1hd3EQgfCyvFlf5 ClSwb5aQRf9ZqiyFAkVEtEOgF7S9q7H6MHyVFzrLfGzmTdpzu7jCCoYbZ7dX1aniatAxLKl6 EBgZxtLRu5bqalguv0FV1C8qnGLuvUMqp8RoJzLd8sWBGMTsUl/GOf+cEZl5u0q9vg9pBJxg KLi2NX3V4Bk8vkOUJFuk8ll7kRQ/7rrGLBkZNfcadb970jB5bvsxMhoc9P/2dIa1YzsGnqbE vG+JrZ2475hvs1jPZ/gdLWEcquGAhGjekfArLBbagqfo6gsuHnUD1K+HfVGQBkKJl+lNhbOR guHGT5hx/4RSYBVakz1RpM5dnk271lH0LxWeE4okSrkCDQRSUUKTARAAt6FH3HbDFoumOWUu JlDgOQs3wdp2n3IKv7gqzbDdgaoWW7hDTvjO0Cb6p2PGUKEoxMQQoIdDO0pQ9rgr4Sh4VSVC 9WMO/fUwqdrIs2nACIg4OwvNhIccW08S+N72f+yuXWOQ/dv79cwruE26/BEXgIP09MYcOWwc UCXzOoUR3er+jzcsN9uFjcsBVUJLIEru1askHRzCUa5P9S9GAFBwN49HC5IJWEzdLP27FjjO G5UG3+QZahHrjG1i6S3bIYXtaGsqNyfkp9Is7Wpj2kk+s9Ua+YMG/V5YVlbANIexa1yr75p1 W9biqXpCWnB3TaHSfI0G1t9w8K2qhR/Z1/YLIcRzZ2aHJnvbzJYw5Cs1jfNpFytbASsxj0rb ReouftlBvVWFRxsZ+oG1ZXL64/SVKMZAnfBNxd1uajp+HtoQtYoTu88la6zcdnAhOD5JdOnt N2VF8iQnDfPgkidfuSZ1C059xaRPTSRJBgMRDtOlDxgz7Pxx/7L2jwxRY1dq6NGioflY7CCp Gc7bi1K6xnf3lBL8X2nGpRAVsg9Lx1ShIWkgNbTAcPXpXcXlJ1xqz8HS8Twadh6gIfk/RNch BIED9lkVCKHYp/XQb8T8vMwn/kTWUm5WlPkQUFQN4D1b6+dJw4bwn/wiRS8did1MU1OytJB6 tljfEUCx0uKkzqr+33MAEQEAAYkEuwQYAQoAJgIbAhYhBHLPrCF5vLAktbVFkANvbJ7n856/ BQJa21VJBQkMUG42AonBvSAEGQEKAGYFAlJRQpNfFIAAAAAALgAoaXNzdWVyLWZwckBub3Rh dGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDE5RjE1NEVDQkYxMTJFNTA1NDRFM0Yz MDAwNTEzRjEwRTBBOUU0RTcACgkQAFE/EOCp5OdNFg//ZqeVdGoKkMvALPzZjGz84+6l0kcM xSN4TfWmec0YpSmDEzCw4/SZoGqHlZb8lcTevmNrNXg6c+wVw6P+Ycl20Nzb98Kt9C5sz+zG VmPPK+3O9gaPnEqlIKnnbxKXXNHQdd8Mf0UTpifMqX0IkWOqhe/tQKGoQ9+feKvLIaToIe/N josW6vJ9YAgFqZ0015zwbElhMNFmgDMOI2SgjBZ9ngP1U82Mqb7/7G9GxHtnwuJBSnPJgN8t av2O9uWPC0N8deyZBH4y9ERBPTFMc46wjkW030olcq7g4hZ55rpPIEyGQZCq4u1gGibbiQJZ EyUQT7BJm70/PeUr3uNjPlQODV/lF5TBvqGHEmlSQfo6Yb/QQx07CK9bvhUSO2XP3ybS8Jwo MZlgZzZcjiPiQF9ot6152/Cp/XrsKgtk+fg5ARZpyywRlQk1JCHRZvhgXIxqNYA04uwdPFcL I4vPiDaLS8mhXHLRZsSpHmIBqqrnam5Lq7iDc39UZrSJMM40oy3iAOI2B7AOCbzxRuEplJd3 E/tEqrnFGcPVN+h52ka74lEyfkwA2RrASWJJcXLN3/VsizEj8okepefzjU/UPnU8sirzeWWo 8Z4uKddovk//NwAPUJbee4vZLjYE6MWdpEoZP9CZXbtIPWuc9Djg16aHOgv44JPokDMaHA27 A4rw2KwJEANvbJ7n856/SPkP/1bGUde7lnRTNd8c0ZrUtEi+OOibKyh7BjLUpzlihj3rGl9l jAF0eCdBrL1We3MDDcyi+XO7VZLiecZTlG6LLXFvEFjYpyPRx3bXlWk1/ahEiBoLWxedseNd FrO+H5XX6ODmKFFLhXgpsXnAxtM6Mxmrx0CGW4qzfUi7Vsqj86gqlcet0/k5RqPMAhrGX5fN nQNWSAwumeFKM8UgDpKY0u7M2tS07B0ozXOSpqGTSJhX6Ld2Nl95CL3wbSGuh1pDUOysAnzK 5Rl/OQ9LtYpWomAKg6yn7gKYij5XmekAg/E+ybr5Gyx2PgMQUGtuNmBRWP1qKtVUbrOekiuN z7kpdrP7M2O7i/cxWjGpVtjDNWuGkFgY3c+sKKawBma81K4rg044nkGwFX98vfEHVGu+HOd3 D+Mv47nv4LQvzynBG/YflwaPmLhpw7HCPvpa4W7y8+5AKxDqWlM2NvrLwmwbmz9dQMGtjnNR m4uHfPX8AyzBoMtDrxNLIvDYlLqh+G2Q1shNNNdRNXn9Z1pvri6KAHmH9GlISuM/jQfItout +Gtx9QUlNX3aIsdScTLA3jnMOpHcALCGI+XMiBNaVuYUxHgHh+MNYhmjQZZqASBCvVj1Hyib DPZa/iQ4DBGBRlJb+8saPPqYVDQhosWSF20aJKwepZIIOFjpMgmCIqZAnqK4uQINBFJRQrgB EADUWFag56O3CaycayGght1rYWYz7P9/3s7OlqAuEAId8/kSz8jXzAb/Qb6t0247a2MD0gxn jgZQy2OiQOsOTrc31L6tUrLVATL5Q3oKIh9hOlNMA+cRjsgY3UmMaSw+Gftp64EJDBQwBXWT 7CSUEJw4PqzwMPiTHRkmqQfzdfNagFJVqZ0e+cznoLzI9WvkccwLW1kicBYEysX5yOXUQ9/P cKqRWcbxLFznJ16JsxL1DeUct5WRWUxECY2rM0t+AkNRa3NpzskiMUSzFhiGmJo9yyy1RS4d rjMhEn/IcM1sO21ZF/WWuUVkul65qngFnaFDDRQ5lU3AagWhLhmppmK/yabSVfqz38B1APoB WuldYprslTbAOJrL2xFtiH7m9VYbP2aGdwr9V/C27kiNWnm/lYzP9Z+dTFkxw2V+BOjiLWzD DD6pEE7YDhiPyoopadOyXtoJf3aK1OI+DBu3piBA/CDDDvavruM+3mjxUxcOo8w8rMaJzDUD LG0yOyhKWef3UW5ly3CKXe8+m/MZe0GavNBJt0ObLQpPmnn9b2kP/xS0ssszo8uzlfSMiGi9 AedAoRQ7vFXfI0MBb0M8gJ6Ht/+j1b5Al9ABeeA3PRuu+aBJwBRdFp4AV5BsCa0Qb3aqVJUP uBvtY56aWWB9sSfQ1qeu/loRxkJbHhaPJswscQARAQABiQI8BBgBCgAmAhsMFiEEcs+sIXm8 sCS1tUWQA29snufznr8FAlrbVUkFCQxQbhEACgkQA29snufznr+YBw//TJtAC9d/FYQQHKQg /QOEkcAL8Qx4HA2SICnhKqv64jPcYIUYocOO8Qayh+IVDa6MGkbsWdweUFuexMsW+17dqETf QjUApx32TUwF44WgIEfARLW2zRdRcXfsT4A2sQJCvNJrJnH3lywiJi+V848Q4sC3sSJREpcJ d07oc2jxSKZyYZ1DBPfK1MyiwcBt2uFCTXdyFMham2aYLDP2JYvFP08tjTUAIKhe4B0bPTtl dCf5sH5q8xrpaHnKHf0n7qMmK7NtGW/9R6WiCruiNsLnO95fms1tzKKfA4QXIYCEWl8XsRKw p51HZDjQu/KxPsjm6BL4eThnae9t3Zs5J0LiPxoFbN+pW7anft3YCeezB8+gus7I1Rn5yJMR yYRRVHtZZTBDQfoDqHgLY14GYtFGOT0IR/OuAzYM1CoMvVExgqVWixDwF5RH1OHO1TANqTGc rRm1lvasCWIphpoQVtkN4/PXGa+NhzsRmr/c5OUYxQNroE8cdsK8mOIBRz9D2JpF7d2nr1X+ vA4zk2JL61aCnc62BfSYNZWhCcOPJZUhFT9BqAkew0kkJzQ3jwHGAhfcfozTHoFsD08qAW0O UriEtH+EOXl+dYbjlNUjFPjJu49cZbtp/1TpsYOBdME1QLM1TPanYXa7tb+IrRZN+Oi9i9VV ym16DK7q21k3j0qRC0s= Message-ID: <41ff5211-2ec5-d027-bb12-183afc4ad397@FreeBSD.org> Date: Sat, 14 Mar 2020 09:40:26 +0000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:68.0) Gecko/20100101 Thunderbird/68.5.0 MIME-Version: 1.0 In-Reply-To: <20200314055541.GF27346@admin.sibptus.ru> Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="W1rYwUtyWuOM2oJRC2ovwC4fn7M4biGKQ" X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 14 Mar 2020 09:40:31 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --W1rYwUtyWuOM2oJRC2ovwC4fn7M4biGKQ Content-Type: multipart/mixed; boundary="yzIihKmjShw7zBgQMA0R76ngU0M3fQqrB" --yzIihKmjShw7zBgQMA0R76ngU0M3fQqrB Content-Type: text/plain; charset=windows-1252 Content-Language: en-GB Content-Transfer-Encoding: quoted-printable On 14/03/2020 05:55, Victor Sudakov wrote: > There is one missing link which was never mentioned in the thread. > What's the bridge between nsswitch framework (or some other replacement= > of getpwent(), getgrent() and friends) to be used with all those LDAP > solutions mentioned above? >=20 You generally need to install pluggable modules for both PAM and NSS. There are several alternatives in the ports, but I like: net/nss-pam-ldapd Another important component is a lookup cache -- going out to a remote LDAP server every time you type 'ls -l' would be unusably slow. So be sure to enable the name service cache daemon nscd(8) which is part of the base system. Various other system services can make use of LDAP -- for instance, sudo(8). These you'ld have to configure separately though. That's where things like FreeIPA come in: it's a pre-packaged setup with all the stuff you hadn't realized you needed yet already dealt with. Like using LDAP to handle SSH authorized_keys through the sss_ssh_authorizedkeys command from security/sssd. security/sssd is another provider of the PAM and NSS plugable modules so you would use it instead of net/nss-pam-ldapd Cheers, Matthew --yzIihKmjShw7zBgQMA0R76ngU0M3fQqrB-- --W1rYwUtyWuOM2oJRC2ovwC4fn7M4biGKQ Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEEGfFU7L8RLlBUTj8wAFE/EOCp5OcFAl5spopfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDE5 RjE1NEVDQkYxMTJFNTA1NDRFM0YzMDAwNTEzRjEwRTBBOUU0RTcACgkQAFE/EOCp 5OebnRAAiZa+iQAvb7qr5mxcharZrvsGR6XkdY3iAdZF+KT/i2m35L/PC9qelY3O +RSXXoZ5gr31U55sFVRfimLBv1YtgxoCJfGYSksO2mb8P5QDV9xEJPUBHMQ9aiy+ naaBNR/BABkssgKdpOQ9BeG4hmuKsf3run/ndTy4JqVwwODOKx6caU8LpVgflVuP Msrc7BDZ7L0pUMDWtIRBUj9lnx4X7ex+gKP9b7UFwPEhzp1YdWzbvY+QatB3zNd9 npO6j0WZbUfXK8rKNIpiRf+w6oRDkPV7DHM+gmJRdakCD3elue2gnPsefqlpIWVC qNNjzWv/cRWrBnyVknHrFCUehPKazSwOasD27+1c+aozvZ7SPOp9shgVlYhDIsQP O60c8trQkPW0j/+0pBCAAHGSEmZO6Kn+l+kAYePyjeu4UFca4MmvcrzR59drSdK7 Sm0O2CfKzNsCGARbJ8ptMCSZYVqv/jBOs4gBsF8QsyQnEy3mt6Qb78ozQumwcfOc Am2Cj7239AhsFAfDBPbdS3/lzZ/eZ2fSaROhavfLNW4ofQwtcGHoOQUR5qu4AnYV XFFTswRHjAMDt2gwg2FsgrKHwjjwpCswKER1WJH54PzzRxcyVelCLXMhgZ2Fz8Zl BTU4pSbx2zJblOaRTzpPTHXoWFeDT4ta6FwPtDVaDgHipfEQJQc= =wYHR -----END PGP SIGNATURE----- --W1rYwUtyWuOM2oJRC2ovwC4fn7M4biGKQ--