LDAP and Account Management

Jonathan McKeown jonathan+freebsd-questions at hst.org.za
Tue Sep 2 06:43:20 UTC 2008

On Monday 01 September 2008 23:33:11 Chris wrote:
> I've toyed with LDAP accounts before to get them to work.  But now I'm
> going to put it into production.
> I'm wondering though about user and group management.  When ports are
> installed on individual servers, users and groups are sometimes added
> for daemons.  It would be nice to receive notification and possibly
> block and/or redirect actions to appropriate scripts and the LDAP server.
> Are there any ports or mechanisms for hooking into the scripts and
> programs that handle account modification (chpass, adduser and pw) or
> does everyone typically do this sort of thing by hand?

I take a fairly relaxed approach to this, with the following basic rules:

uids/gids for real users must be in LDAP, and unique across the whole network;

uids/gids for users created by ports are in /etc/passwd and are only unique 
per-server - I don't mind if two different servers have different uids/gids 
for the same daemon user, or the same uid/gid for two different daemon users.

The problem is that some ports (isc-dhcp3-server springs to mind) simply add 
their user as the next available uid - which by default is one more than the 
highest uid currently in use.

I deal with this by having two blocks of uids: 1000-1099 for daemons, and 1100 
and up for LDAP users. I also create /etc/pw.conf containing the two lines

reuseuids yes
reusegids yes

which means that pw(8) takes the lowest available uid, rather than the 

My biggest gripe with LDAP user management is that passwd(1) has the hooks to 
allow it to use PAM (which with appropriate modules and configuration would 
allow changing the LDAP password) but the code is diked out.
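The uid-block scheme described in the reply above, as an added example (it is not code from the post or from FreeBSD): a sh script that writes the /etc/pw.conf the post describes, extended with the minuid/maxuid/mingid/maxgid keys from pw.conf(5) so that pw(8) only allocates inside the daemon block, plus two awk checks run over a constructed passwd sample. The block boundaries 1000-1099 / 1100+, the sample accounts and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumptions: daemon users
# live in 1000-1099 in the local /etc/passwd and LDAP owns 1100 and up.
DAEMON_MIN=1000
DAEMON_MAX=1099

# Write the pw.conf the post describes. The minuid/maxuid/mingid/maxgid keys
# (documented in pw.conf(5)) are an addition: they make pw(8) allocate only
# inside the daemon block, so a port that asks for "the next free uid" can
# never land in the LDAP range even if a local account already sits above it.
write_pw_conf() {
    cat > "$1" <<EOF
# take the lowest free id rather than highest-in-use + 1
reuseuids yes
reusegids yes
# automatic allocation stays inside the local daemon block
minuid $DAEMON_MIN
maxuid $DAEMON_MAX
mingid $DAEMON_MIN
maxgid $DAEMON_MAX
EOF
}

# Lowest unused uid in the daemon block for a passwd(5)-format file: the uid
# pw(8) would hand out with the configuration above. Prints "none" and fails
# when the block is exhausted.
next_free_daemon_uid() {
    awk -F: -v lo="$DAEMON_MIN" -v hi="$DAEMON_MAX" '
        $3 >= lo && $3 <= hi { used[$3] = 1 }
        END {
            for (u = lo; u <= hi; u++)
                if (!(u in used)) { print u; exit 0 }
            print "none"; exit 1
        }' "$1"
}

# Local accounts above the daemon block. These collide with the LDAP uid
# space and are the ones to move into LDAP or renumber.
misplaced_local_users() {
    awk -F: -v hi="$DAEMON_MAX" '$3 > hi { print $1 ":" $3 }' "$1"
}

# Constructed sample passwd lines (not real accounts): uid 80 is a base-system
# user, 1000/1002 are port daemons, 1100 is a local user squatting LDAP space.
SAMPLE_PASSWD='root:*:0:0:Charlie &:/root:/bin/csh
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
dhcpd:*:1000:1000:DHCP Daemon:/nonexistent:/usr/sbin/nologin
pgsql:*:1002:1002:PostgreSQL Daemon:/var/db/pgsql:/bin/sh
bob:*:1100:1100:Should live in LDAP:/home/bob:/bin/sh'

demo() {
    tmp=$(mktemp) || exit 1
    printf '%s\n' "$SAMPLE_PASSWD" > "$tmp"
    echo "next daemon uid: $(next_free_daemon_uid "$tmp")"   # 1001, not 1101
    echo "misplaced: $(misplaced_local_users "$tmp")"         # bob:1100
    write_pw_conf "$tmp.pw.conf"
    # On a real host: write_pw_conf /etc/pw.conf, after which pw(8) honours it.
    rm -f "$tmp" "$tmp.pw.conf"
}
demo
```

The min/max keys only constrain automatic allocation by pw(8); a port whose install script chooses a uid itself and writes it via pwd_mkdb(8) bypasses them, which is what the two awk checks are for. Per pw(8), `pw useradd -D -u 1000,1099 -i 1000,1099` writes the same range keys into /etc/pw.conf without editing it by hand.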

