Date: Sat, 14 Mar 2020 09:40:26 +0000
From: Matthew Seaman <matthew@FreeBSD.org>
To: freebsd-questions@freebsd.org
Subject: Re: Centralized user/group/whatever management
Message-ID: <41ff5211-2ec5-d027-bb12-183afc4ad397@FreeBSD.org>
In-Reply-To: <20200314055541.GF27346@admin.sibptus.ru>
References: <20200313091923.GA98495@admin.sibptus.ru> <2F4CA1FD-FB90-4B2E-A2C3-9C009A67A5EE@theory14.net> <20200314055541.GF27346@admin.sibptus.ru>

On 14/03/2020 05:55, Victor Sudakov wrote:
> There is one missing link which was never mentioned in the thread.
> What's the bridge between nsswitch framework (or some other replacement
> of getpwent(), getgrent() and friends) to be used with all those LDAP
> solutions mentioned above?
>

You generally need to install pluggable modules for both PAM and NSS.
There are several alternatives in the ports, but I like:

   net/nss-pam-ldapd

Another important component is a lookup cache -- going out to a remote
LDAP server every time you type 'ls -l' would be unusably slow. So be
sure to enable the name service cache daemon nscd(8) which is part of
the base system.

Various other system services can make use of LDAP -- for instance,
sudo(8). These you'd have to configure separately though. That's where
things like FreeIPA come in: it's a pre-packaged setup with all the
stuff you hadn't realized you needed yet already dealt with. Like using
LDAP to handle SSH authorized_keys through the sss_ssh_authorizedkeys
command from security/sssd.

security/sssd is another provider of the PAM and NSS pluggable modules so
you would use it instead of net/nss-pam-ldapd.

Cheers,

Matthew
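
A check for the caching advice in the message above, as an added example that is not part of the original message: it reads an nsswitch.conf-format file and reports, per database, whether LDAP lookups go through the nscd cache. It assumes the source names `cache` (nscd) and `ldap` (net/nss-pam-ldapd) as used in FreeBSD's nsswitch.conf; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original message.
# check_nss FILE [DATABASE...]   (default databases: passwd group)
# Prints "<db> <status>" per database, where status is:
#   no-ldap   ldap is not a source for this database
#   cached    the "cache" source is listed before "ldap"
#   uncached  ldap is used with no earlier "cache" source
#   missing   the file has no line for this database
check_nss() {
    file=$1; shift
    [ $# -gt 0 ] || set -- passwd group
    for db in "$@"; do
        awk -v db="$db" '
            { sub(/#.*/, "") }                  # strip comments
            $1 == (db ":") {
                found = 1; status = "no-ldap"; seen_cache = 0
                for (i = 2; i <= NF; i++) {
                    if ($i ~ /^\[/) continue    # skip criteria such as [notfound=return]
                    if ($i == "cache") seen_cache = 1
                    if ($i == "ldap") {
                        status = seen_cache ? "cached" : "uncached"
                        break
                    }
                }
            }
            END { print db, (found ? status : "missing") }
        ' "$file"
    done
}

# Constructed sample: passwd lookups are cached, group lookups hit LDAP directly.
sample_nsswitch() {
    cat <<'EOF'
passwd: cache files ldap   # nscd consulted first
group: files ldap
hosts: files dns
EOF
}

tmp=$(mktemp) && sample_nsswitch > "$tmp" && check_nss "$tmp" passwd group hosts services
rm -f "$tmp"
```

On a real host the file to pass is /etc/nsswitch.conf; an `uncached` result for passwd or group is the slow 'ls -l' case the message describes.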