Date:      Sun, 15 Mar 2020 13:12:26 +0700
From:      Victor Sudakov <>
Subject:   Re: Centralized user/group/whatever management
Message-ID:  <>
In-Reply-To: <>
References:  <> <> <> <>



Matthew Seaman wrote:
> On 14/03/2020 05:55, Victor Sudakov wrote:
> > There is one missing link which was never mentioned in the thread.
> > What's the bridge between nsswitch framework (or some other replacement
> > of getpwent(), getgrent() and friends) to be used with all those LDAP
> > solutions mentioned above?
> >
> You generally need to install pluggable modules for both PAM and NSS.
> There are several alternatives in the ports, but I like:
>     net/nss-pam-ldapd

Do you personally use it? You said you like it, so probably it's OK for

> Another important component is a lookup cache -- going out to a remote
> LDAP server every time you type 'ls -l' would be unusably slow.  So be
> sure to enable the name service cache daemon nscd(8) which is part of
> the base system.
> Various other system services can make use of LDAP -- for instance,
> sudo(8). These you'd have to configure separately though.

Thanks a lot for your response with very useful information.
> That's where things like FreeIPA come in: it's a pre-packaged setup with
> all the stuff you hadn't realized you needed yet already dealt with.
> Like using LDAP to handle SSH authorized_keys through the
> sss_ssh_authorizedkeys command from security/sssd.  security/sssd is
> another provider of the PAM and NSS pluggable modules so you would use it
> instead of net/nss-pam-ldapd

I looked briefly at security/sssd but found it having too many

Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
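As an added example (not part of this thread and not code from nss-pam-ldapd or FreeBSD), a small POSIX sh audit that checks the two pieces of plumbing Matthew points to: that passwd and group in nsswitch.conf list ldap as a source, and that nscd_enable is set to YES in rc.conf. The file paths are parameters and the sample configuration files are constructed for illustration.

```shell
#!/bin/sh
# Added audit helper (not from the thread): verifies "ldap" is a source for
# passwd/group in an nsswitch.conf-style file and that nscd is enabled in an
# rc.conf-style file. Paths are arguments so it can run against sample files.

# 0 if every database named in $2... lists "ldap" as a source in file $1.
nss_uses_ldap() {
    f=$1; shift
    for db in "$@"; do
        # "passwd: files ldap" matches; "passwd: files # ldap" (commented) does not.
        grep -E "^[[:space:]]*${db}:([^#]*[[:space:]])?ldap([[:space:]]|$)" "$f" \
            >/dev/null || return 1
    done
    return 0
}

# 0 if file $1 sets $2 to YES (last assignment wins, case-insensitive, quotes optional).
rc_enabled() {
    val=$(sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([A-Za-z]*\).*/\1/p" "$1" | tail -n 1)
    case "$val" in [Yy][Ee][Ss]) return 0 ;; *) return 1 ;; esac
}

# Combined check: reports what is missing, returns non-zero if anything is.
audit_ldap_nss() {
    nsswitch=$1 rcconf=$2 rc=0
    nss_uses_ldap "$nsswitch" passwd group \
        || { echo "nsswitch.conf: passwd/group do not use ldap"; rc=1; }
    rc_enabled "$rcconf" nscd_enable \
        || { echo "rc.conf: nscd_enable is not YES (every ls -l would hit LDAP)"; rc=1; }
    return $rc
}

# Constructed sample files so the helper can be exercised offline.
SAMPLE_DIR=$(mktemp -d)
cat >"$SAMPLE_DIR/nsswitch.good" <<'EOF'
group: files ldap
passwd: files ldap
hosts: files dns
EOF
cat >"$SAMPLE_DIR/nsswitch.bad" <<'EOF'
group: compat
passwd: files # ldap was never added
EOF
printf 'nscd_enable="NO"\nnslcd_enable="YES"\nnscd_enable="yes"\n' >"$SAMPLE_DIR/rc.good"
printf 'nslcd_enable="YES"\n' >"$SAMPLE_DIR/rc.bad"

audit_ldap_nss "$SAMPLE_DIR/nsswitch.good" "$SAMPLE_DIR/rc.good" && echo "sample config OK"
```

On a real host run it as `audit_ldap_nss /etc/nsswitch.conf /etc/rc.conf`; it only inspects files and changes nothing.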
