Re: LDAP and Account Management



On Monday 01 September 2008 23:33:11 Chris wrote:
> I've toyed with LDAP accounts before to get them to work. But now I'm
> going to put it into production.
>
> I'm wondering though about user and group management. When ports are
> installed on individual servers, users and groups are sometimes added
> for daemons. It would be nice to receive notification and possibly
> block and/or redirect actions to appropriate scripts and the LDAP server.
>
> Are there any ports or mechanisms for hooking into the scripts and
> programs that handle account modification (chpass, adduser and pw) or
> does everyone typically do this sort of thing by hand?

I take a fairly relaxed approach to this, with the following basic rules:

uids/gids for real users must be in LDAP, and unique across the whole network;

uids/gids for users created by ports are in /etc/passwd and are only unique
per-server - I don't mind if two different servers have different uids/gids
for the same daemon user, or the same uid/gid for two different daemon users.

The problem is that some ports (isc-dhcp3-server springs to mind) simply add
their user as the next available uid - which by default is one more than the
highest uid currently in use.

I deal with this by having two blocks of uids: 1000-1099 for daemons, and 1100
and up for LDAP users. I also create /etc/pw.conf containing the two lines

reuseuids yes
reusegids yes

which means that pw(8) takes the lowest available uid, rather than the
default.

My biggest gripe with LDAP user management is that passwd(1) has the hooks to
allow it to use PAM (which with appropriate modules and configuration would
allow changing the LDAP password) but the code is diked out.

HTH
Jonathan
_______________________________________________
freebsd-questions@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@xxxxxxxxxxx"
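The uid split Jonathan describes (1000-1099 for port-created daemon accounts, 1100 and up reserved for LDAP users) is easy to get wrong silently, because a port that takes "next available uid" will wander into the LDAP block the moment any local account sits above 1099. The script below is an added example and is not code from the post or from FreeBSD; it audits a passwd(5)-format file for accounts that stray above the daemon block or share a uid, and checks that a pw.conf(5) file carries the two `reuse*` lines. It goes one step beyond the post by also honouring `minuid`/`maxuid`, which pw.conf(5) accepts to bound the range pw(8) allocates from; whether you want that bound on every host is an assumption of this example, as are the range limits, the function names and the constructed sample files.

```shell
#!/bin/sh
# Audit helpers for the "daemon block vs. LDAP block" uid layout.
# Range bounds are the example values from the post (assumption: every host uses them).
DAEMON_MAX=1099

# Constructed sample passwd(5) content (not from a real host): dhcpd has
# landed at 1102 because pw(8) took "highest uid + 1", and gnokii reused 1001.
SAMPLE_PASSWD='root:*:0:0:Charlie &:/root:/bin/csh
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
dhcpd:*:1102:1102:ISC DHCP daemon:/nonexistent:/usr/sbin/nologin
messagebus:*:1001:1001:D-BUS Daemon User:/nonexistent:/usr/sbin/nologin
gnokii:*:1001:1003:Gnokii daemon:/nonexistent:/usr/sbin/nologin'

# The same file after the two daemons were moved into the daemon block.
SAMPLE_PASSWD_OK='root:*:0:0:Charlie &:/root:/bin/csh
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
dhcpd:*:1000:1000:ISC DHCP daemon:/nonexistent:/usr/sbin/nologin
messagebus:*:1001:1001:D-BUS Daemon User:/nonexistent:/usr/sbin/nologin
gnokii:*:1002:1003:Gnokii daemon:/nonexistent:/usr/sbin/nologin'

# Constructed pw.conf(5) files: one as the post recommends (plus a uid bound),
# one left at the shipped defaults.
SAMPLE_PWCONF='# keep port-created daemons inside 1000-1099
reuseuids yes
reusegids yes
minuid 1000
maxuid 1099'
SAMPLE_PWCONF_DEFAULT='reuseuids no
reusegids no'

# Print "uid:name" for every local account whose uid is above DAEMON_MAX,
# i.e. one that collides with the range reserved for LDAP users.
audit_range() {
    printf '%s\n' "$1" | awk -F: -v max="$DAEMON_MAX" '
        $3 > max { printf "%s:%s\n", $3, $1 }'
}

# Print "uid:name1,name2" for every uid used by more than one account.
audit_dupes() {
    printf '%s\n' "$1" | awk -F: '
        { count[$3]++; names[$3] = names[$3] (names[$3] ? "," : "") $1 }
        END { for (u in count) if (count[u] > 1) printf "%s:%s\n", u, names[u] }'
}

# Exit 0 when the passwd content passes both checks, 1 otherwise.
audit_passwd() {
    [ -z "$(audit_range "$1")" ] && [ -z "$(audit_dupes "$1")" ]
}

# Exit 0 when pw.conf content sets reuseuids/reusegids to yes and any maxuid
# it carries does not exceed DAEMON_MAX; comments and blank lines are ignored.
check_pwconf() {
    printf '%s\n' "$1" | awk -v max="$DAEMON_MAX" '
        /^#/ || NF == 0 { next }
        $1 == "reuseuids" && $2 == "yes" { ru = 1 }
        $1 == "reusegids" && $2 == "yes" { rg = 1 }
        $1 == "maxuid" && $2 + 0 > max { bad = 1 }
        END { exit (ru && rg && !bad) ? 0 : 1 }'
}

# Stand-alone run over the constructed samples.
if audit_passwd "$SAMPLE_PASSWD"; then
    echo "sample passwd: clean"
else
    echo "sample passwd: problems"
    audit_range "$SAMPLE_PASSWD" | sed 's/^/  above daemon block: /'
    audit_dupes "$SAMPLE_PASSWD" | sed 's/^/  duplicate uid:      /'
fi
check_pwconf "$SAMPLE_PWCONF" && echo "sample pw.conf: ok"
check_pwconf "$SAMPLE_PWCONF_DEFAULT" || echo "default pw.conf: pw(8) will take highest uid + 1"
```

On a real host you would feed the functions `$(cat /etc/passwd)` and `$(cat /etc/pw.conf)`; the LDAP side is deliberately out of scope, since uniqueness there is the directory's job (a unique index on uidNumber), not the local passwd file's.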