Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 15 Mar 2020 13:12:26 +0700
From:      Victor Sudakov <vas@sibptus.ru>
To:        freebsd-questions@freebsd.org
Subject:   Re: Centralized user/group/whatever management
Message-ID:  <20200315061226.GB64075@admin.sibptus.ru>
In-Reply-To: <41ff5211-2ec5-d027-bb12-183afc4ad397@FreeBSD.org>
References:  <20200313091923.GA98495@admin.sibptus.ru> <2F4CA1FD-FB90-4B2E-A2C3-9C009A67A5EE@theory14.net> <20200314055541.GF27346@admin.sibptus.ru> <41ff5211-2ec5-d027-bb12-183afc4ad397@FreeBSD.org>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help

--9zSXsLTf0vkW971A
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Matthew Seaman wrote:
> On 14/03/2020 05:55, Victor Sudakov wrote:
> > There is one missing link which was never mentioned in the thread.
> > What's the bridge between nsswitch framework (or some other replacement
> > of getpwent(), getgrent() and friends) to be used with all those LDAP
> > solutions mentioned above?
> >=20
>=20
> You generally need to install pluggable modules for both PAM and NSS.
> There are several alternatives in the ports, but I like:
>=20
>     net/nss-pam-ldapd

Do you personally use it? You said you like it, so probably it's OK for
production?

>=20
> Another important component is a lookup cache -- going out to a remote
> LDAP server every time you type 'ls -l' would be unusably slow.  So be
> sure to enable the name service cache daemon nscd(8) which is part of
> the base system.
>=20
> Various other system services can make use of LDAP -- for instance,
> sudo(8). These you'ld have to configure separately though.

Thanks a lot for you response with very useful information.=20
>=20
> That's where things like FreeIPA come in: it's a pre-packaged setup with
> all the stuff you hadn't realized you needed yet already dealt with.
> Like using LDAP to handle SSH authorized_keys through the
> sss_ssh_authorizedkeys command from security/sssd.  security/sssd is
> another provider of the PAM and NSS plugable modules so you would use it
> instead of net/nss-pam-ldapd

I looked briefly at security/sssd but found it having too many
dependencies.

--=20
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/

--9zSXsLTf0vkW971A
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQEcBAEBAgAGBQJebcdKAAoJEA2k8lmbXsY0c10IAKeTbbYXaO5EDM/mhaILzdTu
589pUybrYQnCvDVeXGfpmmYlsJBslkYatSCSp7vcVBt2Cuh7E0HrQz9VhOiZ5WA3
YVr1UZymvjs3lYUgzbA0kBkCa1E5abOTcxTXZwQMC5CGBMp6VsDWCvTWZclj9eRF
IuT5cMI/zZK16BHHAk6jdyrxl7wfItRy2urfEx6NQdwQxaGrWv0kxhhpGc8XJpvU
0uOjNutQT3vGZ4lcnhsHI7EDWiHacA4ZhD5b5Lvfb+xDbhyrbKPJ4XSvUhbCF1vl
XSbcbni5yKs8FVuWJCXDQEjNQsoOIWarX0ozquqGVKiU60vmmnY/E8ue+aQSubg=
=IFvI
-----END PGP SIGNATURE-----

--9zSXsLTf0vkW971A--



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?20200315061226.GB64075>