LDAP and Account Management
Jonathan McKeown
jonathan+freebsd-questions at hst.org.za
Tue Sep 2 06:43:20 UTC 2008
On Monday 01 September 2008 23:33:11 Chris wrote:
> I've toyed with LDAP accounts before to get them to work. But now I'm
> going to put it into production.
>
> I'm wondering though about user and group management. When ports are
> installed on individual servers, users and groups are sometimes added
> for daemons. It would be nice to receive notification and possibly
> block and or redirect actions to appropriate scripts and the LDAP server.
>
> Are there any ports or mechanisms for hooking into the scripts and
> programs that handle account modification (chpass, adduser and pw) or
> does everyone typically do this sort of thing by hand?
I take a fairly relaxed approach to this, with the following basic rules:
uids/gids for real users must be in LDAP, and unique across the whole network;
uids/gids for users created by ports are in /etc/passwd and are only unique
per-server - I don't mind if two different servers have different uids/gids
for the same daemon user, or the same uid/gid for two different daemon users.
The problem is that some ports (isc-dhcp3-server springs to mind) simply add
their user as the next available uid - which by default is one more than the
highest uid currently in use.
I deal with this by having two blocks of uids: 1000-1099 for daemons, and 1100
and up for LDAP users. I also create /etc/pw.conf containing the two lines

    reuseuids yes
    reusegids yes

which means that pw(8) takes the lowest available uid, rather than the
default.
My biggest gripe with LDAP user management is that passwd(1) has the hooks to
allow it to use PAM (which with appropriate modules and configuration would
allow changing the LDAP password) but the code is diked out.
HTH
Jonathan
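The uid policy in the reply above (a daemon block below the LDAP block, and pw(8) with "reuseuids yes" picking the lowest free uid instead of max+1) is easy to audit from a script. The following is an added example for this thread, not code from the original post or from FreeBSD: it flags local accounts whose uid has drifted into the LDAP range, and computes what the next port-created uid would be with and without "reuseuids yes". The passwd lines, the block boundaries and the pw minuid/maxuid window (assumed to be the pw.conf(5) defaults of 1000 and 32000) are constructed assumptions, not taken from a real server.

```shell
#!/bin/sh
# Audit a local passwd file against the uid policy from the mail above:
# port-created daemon accounts live in DAEMON_MIN..DAEMON_MAX, everything
# above that is reserved for LDAP users. Example code for this thread,
# not part of the original post; all ranges and sample data are assumptions.

DAEMON_MIN=1000
DAEMON_MAX=1099

# pw(8) allocates inside the minuid..maxuid window from /etc/pw.conf;
# 1000 and 32000 are assumed here as the documented defaults.
PW_MINUID=1000
PW_MAXUID=32000

# Constructed sample of /etc/passwd (7 colon-separated fields). "dhcpd" was
# added by a port as next-available uid and landed in the LDAP range.
SAMPLE_PASSWD='root:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
postfix:*:1000:1000:Postfix Mail System:/var/spool/postfix:/usr/sbin/nologin
bind:*:1002:1002:Bind Sandbox:/:/usr/sbin/nologin
dhcpd:*:1100:1100:dhcp pseudo-user:/nonexistent:/usr/sbin/nologin'

# Print "name:uid" for local accounts whose uid is above the daemon block,
# i.e. collides with the LDAP range. Base-system uids below DAEMON_MIN are
# left alone, and 65534 (nobody) is treated as reserved, not as an LDAP uid.
find_uids_in_ldap_range() {
    printf '%s\n' "$1" | awk -F: -v max="$DAEMON_MAX" \
        '$3 > max && $3 < 65534 { print $1 ":" $3 }'
}

# Lowest free uid inside the daemon block, which is what pw(8) hands out
# with "reuseuids yes". Prints nothing and returns 1 when the block is full.
lowest_free_daemon_uid() {
    printf '%s\n' "$1" | awk -F: -v min="$DAEMON_MIN" -v max="$DAEMON_MAX" '
        $3 >= min && $3 <= max { used[$3] = 1 }
        END {
            for (u = min; u <= max; u++) if (!(u in used)) { print u; exit 0 }
            exit 1
        }'
}

# Next uid with the default "reuseuids no": one above the highest uid already
# used inside the minuid..maxuid window. On the sample this is 1101, so the
# next daemon added by a port would also land in the LDAP range.
next_uid_without_reuse() {
    printf '%s\n' "$1" | awk -F: -v min="$PW_MINUID" -v max="$PW_MAXUID" '
        BEGIN { top = 0 }
        $3 >= min && $3 <= max && $3 > top { top = $3 }
        END { print (top ? top + 1 : min) }'
}

# Usage: sh uidaudit.sh /etc/passwd   (uidaudit.sh is a hypothetical name)
if [ $# -gt 0 ]; then
    content=$(cat "$1")
    echo "local accounts in the LDAP uid range:"
    find_uids_in_ldap_range "$content"
    echo "next uid with reuseuids yes: $(lowest_free_daemon_uid "$content")"
    echo "next uid with reuseuids no:  $(next_uid_without_reuse "$content")"
fi
```

Run it against /etc/passwd on each server after installing a port; any account it lists is a daemon user that needs moving into the daemon block (or the port's uid being pre-created there) before the LDAP range is handed that uid for a real user.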