Centralized user/group/whatever management
Victor Sudakov
vas at sibptus.ru
Sun Mar 15 06:12:28 UTC 2020
Matthew Seaman wrote:
> On 14/03/2020 05:55, Victor Sudakov wrote:
> > There is one missing link which was never mentioned in the thread.
> > What's the bridge between nsswitch framework (or some other replacement
> > of getpwent(), getgrent() and friends) to be used with all those LDAP
> > solutions mentioned above?
> >
>
> You generally need to install pluggable modules for both PAM and NSS.
> There are several alternatives in the ports, but I like:
>
> net/nss-pam-ldapd
Do you personally use it? You said you like it, so probably it's OK for
production?
>
> Another important component is a lookup cache -- going out to a remote
> LDAP server every time you type 'ls -l' would be unusably slow. So be
> sure to enable the name service cache daemon nscd(8) which is part of
> the base system.
>
> Various other system services can make use of LDAP -- for instance,
> sudo(8). These you'd have to configure separately though.
Thanks a lot for your response with very useful information.
>
> That's where things like FreeIPA come in: it's a pre-packaged setup with
> all the stuff you hadn't realized you needed yet already dealt with.
> Like using LDAP to handle SSH authorized_keys through the
> sss_ssh_authorizedkeys command from security/sssd. security/sssd is
> another provider of the PAM and NSS pluggable modules so you would use it
> instead of net/nss-pam-ldapd
I looked briefly at security/sssd but found it having too many
dependencies.
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
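As an added example, not part of the thread and not code from nss-pam-ldapd or sssd: a small POSIX sh audit covering the three points Matthew raises above (NSS sources pointing at ldap, nscd enabled in rc.conf, and the LDAP bind secret kept out of reach of other users). The paths /etc/nsswitch.conf, /etc/rc.conf and /usr/local/etc/nslcd.conf are assumptions for a FreeBSD host using net/nss-pam-ldapd; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): sanity checks for an
# LDAP-backed NSS setup on FreeBSD. Assumed files:
#   /etc/nsswitch.conf          - NSS source order, e.g. "passwd: files ldap"
#   /etc/rc.conf                - must contain nscd_enable="YES"
#   /usr/local/etc/nslcd.conf   - net/nss-pam-ldapd config, may hold bindpw

# nsswitch_uses_ldap FILE DB: succeed if the DB line (passwd, group, ...)
# lists "ldap" among its sources. Comment lines never match because $1 is "#".
nsswitch_uses_ldap() {
    awk -v db="$2:" '
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# nscd_enabled FILE: succeed if rc.conf turns the name service cache daemon on,
# so that every "ls -l" does not become a round trip to the LDAP server.
nscd_enabled() {
    grep -Eq '^[[:space:]]*nscd_enable="?[Yy][Ee][Ss]"?' "$1"
}

# secrets_private FILE: succeed if FILE grants no permissions to group/other.
# nslcd.conf can contain a bindpw, so anything looser than 0600 leaks it.
secrets_private() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

# audit_ldap_nss NSSWITCH RCCONF NSLCD: print one line per finding and return
# the number of findings (0 means every check passed).
audit_ldap_nss() {
    n=0
    for db in passwd group; do
        nsswitch_uses_ldap "$1" "$db" || {
            echo "$1: '$db' does not consult ldap"; n=$((n + 1)); }
    done
    nscd_enabled "$2" || {
        echo "$2: nscd_enable not set, lookups go to LDAP uncached"; n=$((n + 1)); }
    secrets_private "$3" || {
        echo "$3: readable by group/other, bind password exposed"; n=$((n + 1)); }
    return $n
}

# When run directly with three paths, audit those files (assumed defaults shown).
# Example: sh audit.sh /etc/nsswitch.conf /etc/rc.conf /usr/local/etc/nslcd.conf
if [ $# -eq 3 ]; then
    audit_ldap_nss "$1" "$2" "$3"
fi
```

The exit status doubles as the finding count, so the script drops into a cron job or a configuration-management health check without extra parsing.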