Centralized user/group/whatever management
Matthew Seaman
matthew at FreeBSD.org
Sat Mar 14 09:40:31 UTC 2020
On 14/03/2020 05:55, Victor Sudakov wrote:
> There is one missing link which was never mentioned in the thread.
> What's the bridge between nsswitch framework (or some other replacement
> of getpwent(), getgrent() and friends) to be used with all those LDAP
> solutions mentioned above?
>
You generally need to install pluggable modules for both PAM and NSS.
There are several alternatives in the ports, but I like:
net/nss-pam-ldapd
Another important component is a lookup cache -- going out to a remote
LDAP server every time you type 'ls -l' would be unusably slow. So be
sure to enable the name service cache daemon nscd(8) which is part of
the base system.
Various other system services can make use of LDAP -- for instance,
sudo(8). These you'd have to configure separately though.
That's where things like FreeIPA come in: it's a pre-packaged setup with
all the stuff you hadn't realized you needed yet already dealt with.
Like using LDAP to handle SSH authorized_keys through the
sss_ssh_authorizedkeys command from security/sssd. security/sssd is
another provider of the PAM and NSS pluggable modules so you would use it
instead of net/nss-pam-ldapd.
Cheers,
Matthew