LDAP and Linux compatibility

Michael Collette metrol.net at gmail.com
Wed Mar 23 11:25:34 PST 2005

Well, came up with a solution as well as a new problem.  Thought I'd
at least share the solution here.

In /etc/profile I'm calling a shell script called inituser.sh.  Got
this running to insure the user's basic environment is all setup.  In
this script I now have it write to a file in /tmp with a line that
looks like...

bob:*:1000:1000:Bob Smith:/home/bob

I then have a symbolic link from this file to
/compat/linux/etc/passwd.  With this in play, FreeBSD is properly
performing an LDAP lookup, and Linux apps have somewhere to look for a
proper user id.  There are some security concerns I have with this,
and it sure feels like a nasty little hack, but it seems to work for
the moment.

Now my problem has to do with linux-fontconfig.  Neither acroread7 nor
reaplay will run due to complaining about fontconfig not being setup
properly.  Still futzing with this one.  Thankfully though, neither
app is still complaining about not being able to lookup a user id.

Later on,

On Sun, 20 Mar 2005 13:37:43 -0800, Michael Collette
<metrol.net at gmail.com> wrote:
> On 20 Mar 2005 09:54:55 -0500, Lowell Gilbert
> <freebsd-security-local at be-well.ilk.org> wrote:
> > Michael Collette <metrol.net at gmail.com> writes:
> >
> > > Please excuse a wee bit of cross posting here.  It seems that the
> > > questions list may not be the appropriate place for this as I've found
> > > a number of unanswered posts involving this topic.
> >
> > On the -ports list, somebody pointed out that the linux-base ports
> > include advice to to edit /compat/linux/etc/yp.conf (I'm using NIS).
> > I haven't tried this yet, but it makes sense that it would be
> > necessary.  For your case with LDAP, I suspect you would need to
> > configure nsswitch.conf, probably the same way as the FreeBSD version
> > in your real /etc directory.
> The problem is, NIS is a built in feature of both FreeBSD and Linux.
> Configuring FreeBSD to utilize LDAP involves at least 4 additional
> ports.  You need pam_ldap, nss_ldap, openldap-client, and openssl.
> The 4th of course being optional but highly desirable for security
> reasons.
> Without this additional software neither FreeBSD nor the compat/Linux
> install will do a lookup to an LDAP directory.  It wouldn't know how,
> as you have to properly configure both pam_ldap and nss_ldap so they
> know how to query the directory.
> I would think that the most desirable behavior would be to have any
> Linux calls to getpwuid_r() answered by the FreeBSD libraries rather
> than a direct attempt to look at the passwd database.  Well, assuming
> that's what is happening.  It just seems redundant to have to
> configure authentication for the base system, then do it again for the
> Linux compatiblity.
> Later on,
> --
> "When you come to a fork in the road....Take it"
> - Yogi Berra

"When you come to a fork in the road....Take it"
- Yogi Berra

More information about the freebsd-security mailing list