[colug-432] automatic LDAP add
Brian
bnmille at gmail.com
Thu Oct 20 13:53:00 EDT 2016
Rick,
When I convert my Linux servers to use LDAP, I get the following line added
to the end of /etc/passwd:
"+::::::".
Interestingly, I don't get anything at the end of /etc/group, even though
LDAP groups are freely recognized.
But if you're using PAM, then your default PAM configuration files should
have a line something like this in it:
account required pam_ldap.so use_first_pass
Depending on where the line is in the file(s), the "required" may be
replaced with "sufficient". In my case, the pam_ldap.so line shows up as
the last line in the file, and I have a line above it that allows locally
defined accounts to log in.
And Jim is referring to another PAM module that will create your home
directory for you. That is managed by a line in your default session
config file that reads
session optional pam_mkhomedir.so
If not everyone in your LDAP domain should have access to every server, you
should also have a line in your default account PAM config file that
references pam_access.so:
account required pam_access.so
I think Red Hat does this by default. I have to add the line manually on
SuSE servers. You can then edit your /etc/security/access.conf file to
allow LDAP groups or users (you would need to add any locally defined
users, also) to log in to the system.
Important issues that I've run into:
First, if you don't have a line allowing root to log in locally, cron stops
working:
+ : root : LOCAL
Second, you need to make sure you have a space both before and after each
":"
Third, at the end of the access.conf file, you add
- : ALL : ALL
and you prevent anyone not specifically allowed from logging in.
On Wed, Oct 19, 2016 at 10:47 PM, Jim Wildman <jim at rossberry.com> wrote:
> Or do you mean the "create home directory" option?
>
> If a machine is joined to LDAP and pam is setup correctly, then all
> the users in the specified LDAP search domain will be available
> to the machine. If their home directories or automount is not
> configured, then they will get errors when they login.
>
> On Wed, 19 Oct 2016, Roberto C. Sánchez wrote:
>
> On Wed, Oct 19, 2016 at 06:52:53PM -0400, Rick Troth wrote:
>>
>>> friends --
>>>
>>> I'm looking, and will continue, but if anyone happens to know:
>>> What's the incantation to coax LDAP/Kerberos to automatically add
>>> users?
>>> For example, in the YP/NIS days, it was that we add the "+" lines at
>>> the
>>> end of /etc/passwd (and perhaps /etc/group). With that, all users
>>> defined
>>> in the domain get sign-on rights. How do I do the same in LDAP space?
>>>
>>> Rick,
>>
>> Can you please explain a bit further what you mean by "automatically add
>> users"? Do you mean that local users on a system get automatically
>> added to LDAP or that LDAP users get automatically added to the local
>> system?
>>
>> Regards,
>>
>> -Roberto
>>
>>
>>
> ----------------------------------------------------------------------
> Jim Wildman, CISSP, RHCE jim at rossberry.com http://www.rossberry.net
> "Society in every state is a blessing, but Government, even in its best
> state, is a necessary evil; in its worst state, an intolerable one."
> Thomas Paine
> _______________________________________________
> colug-432 mailing list
> colug-432 at colug.net
> http://lists.colug.net/mailman/listinfo/colug-432
>
>
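Added example (not from Brian's post or from the pam_access project): a small shell/awk tool that lints an access.conf for the three pitfalls described above (space on each side of every ":", a "+ : root : LOCAL" rule so cron keeps working, and a closing "- : ALL : ALL") and then walks a few constructed logins through the rules the way pam_access does, first matching rule wins, no match means allow. The sample rules, users, groups and origins are made up for the example. It is a simplification of real pam_access: LOCAL is taken to be any origin without a dot, origins are matched only as ALL, LOCAL, IPv4 CIDR or exact string, and a bare token in the users field matches a user or a group name (pam_access's default unless you pass nodefgroup).

```sh
#!/bin/sh
# Added example: lint /etc/security/access.conf and simulate pam_access
# first-match evaluation. Constructed sample data, not a real host's file.

ACCESS_CONF='# constructed /etc/security/access.conf
+ : root : LOCAL
+ : (ldap-admins) : ALL
+ : alice bob : 10.0.0.0/24
- : ALL : ALL'

# lint_access_conf CONF -> one line per problem on stdout; returns 1 if any
lint_access_conf() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*(#|$)/ { next }
        { last = $0 }
        !/^[+-] : [^:]+ : [^:]+$/ {
            print "malformed (need \"+|- : users : origins\", space on each side of \":\"): " $0
            bad = 1; next
        }
        /^\+ : / {
            split($0, f, " : "); n = split(f[2], u, " ")
            for (i = 1; i <= n; i++)
                if (u[i] == "root" && (" " f[3] " ") ~ / (LOCAL|ALL) /) root_ok = 1
        }
        END {
            if (!root_ok) { print "no \"+ : root : LOCAL\" rule: cron jobs will fail the account check"; bad = 1 }
            if (last != "- : ALL : ALL") { print "last rule is not \"- : ALL : ALL\": unlisted users are still allowed"; bad = 1 }
            exit bad
        }'
}

# access_check CONF USER "GROUPS" ORIGIN -> prints allow|deny; exit 0|1.
# GROUPS may be space- or comma-separated. First matching rule wins; if no
# rule matches, access is granted, which is exactly why the deny-all matters.
access_check() {
    _groups=$(printf '%s' "$3" | tr ',' ' ')
    printf '%s\n' "$1" | awk -v user="$2" -v groups="$_groups" -v from="$4" '
        function has(list, tok) { return index(" " list " ", " " tok " ") > 0 }
        function ip2int(s,  o) { split(s, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
        function user_match(tok) {
            if (tok == "ALL") return 1
            if (tok ~ /^\(.*\)$/) return has(groups, substr(tok, 2, length(tok) - 2))   # (group)
            return tok == user || has(groups, tok)   # bare token: user or group (default)
        }
        function origin_match(tok,  p, shift) {
            if (tok == "ALL") return 1
            if (tok == "LOCAL") return index(from, ".") == 0   # simplification: tty / short host
            if (tok ~ /^[0-9.]+\/[0-9]+$/) {                   # IPv4 CIDR, e.g. 10.0.0.0/24
                if (from !~ /^[0-9.]+$/) return 0
                split(tok, p, "/"); shift = 2 ^ (32 - p[2])
                return int(ip2int(from) / shift) == int(ip2int(p[1]) / shift)
            }
            return tok == from
        }
        # "a b EXCEPT c": some token before EXCEPT matches and none after it does
        function list_match(list, kind,  n, t, i, hit, exc, m) {
            n = split(list, t, " ")
            for (i = 1; i <= n; i++) {
                if (t[i] == "EXCEPT") { exc = 1; continue }
                hit = (kind == "u") ? user_match(t[i]) : origin_match(t[i])
                if (hit && exc) return 0
                if (hit) m = 1
            }
            return m
        }
        BEGIN { FS = " : " }
        /^[ \t]*(#|$)/ || NF != 3 { next }
        list_match($2, "u") && list_match($3, "o") {
            decided = 1; rc = ($1 == "+") ? 0 : 1; print (rc ? "deny" : "allow"); exit
        }
        END { if (!decided) print "allow"; exit rc }'
}

lint_access_conf "$ACCESS_CONF" && echo "access.conf: OK"

# Walk constructed logins through the rules: user groups origin -> verdict
for q in "root root tty1" "root root 10.0.0.5" \
         "carol users,ldap-admins 10.9.8.7" "alice users 10.0.1.9"; do
    set -- $q
    printf '%-6s %-18s %-10s -> %s\n' "$1" "$2" "$3" "$(access_check "$ACCESS_CONF" "$1" "$2" "$3")"
done
```

Run it on a copy of your own file with `lint_access_conf "$(cat /etc/security/access.conf)"` before deploying; the interesting cases to try with access_check are root from a tty (should be allow, or cron breaks) and root from a remote address (should fall through to the deny-all).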