Date:      Sun, 15 Mar 2020 13:12:26 +0700
From:      Victor Sudakov <vas@sibptus.ru>
To:        freebsd-questions@freebsd.org
Subject:   Re: Centralized user/group/whatever management
Message-ID:  <20200315061226.GB64075@admin.sibptus.ru>
In-Reply-To: <41ff5211-2ec5-d027-bb12-183afc4ad397@FreeBSD.org>
References:  <20200313091923.GA98495@admin.sibptus.ru> <2F4CA1FD-FB90-4B2E-A2C3-9C009A67A5EE@theory14.net> <20200314055541.GF27346@admin.sibptus.ru> <41ff5211-2ec5-d027-bb12-183afc4ad397@FreeBSD.org>



Matthew Seaman wrote:
> On 14/03/2020 05:55, Victor Sudakov wrote:
> > There is one missing link which was never mentioned in the thread.
> > What's the bridge between nsswitch framework (or some other replacement
> > of getpwent(), getgrent() and friends) to be used with all those LDAP
> > solutions mentioned above?
> >
>
> You generally need to install pluggable modules for both PAM and NSS.
> There are several alternatives in the ports, but I like:
>
>     net/nss-pam-ldapd

Do you personally use it? You said you like it, so probably it's OK for
production?

>
> Another important component is a lookup cache -- going out to a remote
> LDAP server every time you type 'ls -l' would be unusably slow.  So be
> sure to enable the name service cache daemon nscd(8) which is part of
> the base system.
>
> Various other system services can make use of LDAP -- for instance,
> sudo(8). These you'd have to configure separately though.

Thanks a lot for your response with very useful information.
>
> That's where things like FreeIPA come in: it's a pre-packaged setup with
> all the stuff you hadn't realized you needed yet already dealt with.
> Like using LDAP to handle SSH authorized_keys through the
> sss_ssh_authorizedkeys command from security/sssd.  security/sssd is
> another provider of the PAM and NSS pluggable modules so you would use it
> instead of net/nss-pam-ldapd.

I looked briefly at security/sssd but found it having too many
dependencies.

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
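The lookup-cache advice in the quoted reply is easy to get half right: nss-pam-ldapd's NSS module is wired into /etc/nsswitch.conf under the source name `ldap`, and nscd(8) only helps for a database whose source list also contains `cache`. The POSIX sh script below is an added check, not code from the thread or from either port: it audits an nsswitch.conf and reports every database that goes to `ldap` without `cache`. The two configurations it inspects are constructed samples; they put `cache` ahead of the real sources, and the exact placement nsswitch.conf(5) expects on the target host is worth confirming there.

```shell
# Added example (not from the thread): audit an nsswitch.conf for the setup
# the reply recommends. Any database served by "ldap" (the source name
# nss-pam-ldapd's NSS module registers) should also list "cache", so that
# nscd(8) answers repeat lookups instead of the LDAP server.

# list_uncached FILE -- print each database that lists ldap but not cache.
list_uncached() {
    # Subshell so "set -f" (no glob expansion of tokens like [NOTFOUND=return])
    # cannot leak into the caller. Comments are stripped before parsing.
    ( set -f
      sed 's/#.*//' "$1" | while IFS= read -r line; do
        case $line in *:*) ;; *) continue ;; esac
        db=$(printf '%s' "${line%%:*}" | tr -d ' \t')
        has_ldap=0; has_cache=0
        for src in ${line#*:}; do
            case $src in
                ldap)  has_ldap=1 ;;
                cache) has_cache=1 ;;
            esac
        done
        if [ "$has_ldap" -eq 1 ] && [ "$has_cache" -eq 0 ]; then
            printf '%s\n' "$db"
        fi
      done )
}

# count_uncached FILE -- number of such databases (0 means the file is fine).
count_uncached() {
    list_uncached "$1" | wc -l | tr -d ' '
}

# Constructed sample: every LDAP-backed database is also cached.
GOOD_CONF=$(mktemp)
cat >"$GOOD_CONF" <<'EOF'
# passwd and group come from local files, then nslcd via nss-pam-ldapd;
# "cache" hands repeat lookups to nscd(8).
passwd: cache files ldap
group:  cache files ldap
hosts:  files dns
shells: files
EOF

# Constructed sample: group lookups bypass nscd and hit LDAP every time.
BAD_CONF=$(mktemp)
cat >"$BAD_CONF" <<'EOF'
passwd: cache files ldap
group:  files ldap
hosts:  files dns
EOF

for f in "$GOOD_CONF" "$BAD_CONF"; do
    printf '%s: %s uncached ldap database(s)\n' "$f" "$(count_uncached "$f")"
    list_uncached "$f"
done
```

Run it against the real /etc/nsswitch.conf after installing net/nss-pam-ldapd; a clean result still depends on nscd actually running, which on FreeBSD means `nscd_enable="YES"` in /etc/rc.conf.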

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20200315061226.GB64075>