[colug-432] automatic LDAP add

Brian bnmille at gmail.com
Thu Oct 20 13:53:00 EDT 2016


Rick,
When I convert my Linux servers to use LDAP, I get the following line added
to the end of /etc/passwd:

"+::::::".

Interestingly, I don't get anything at the end of /etc/group, even though
LDAP groups are freely recognized.

But if you're using PAM, then your default PAM configuration files should
have a line something like this in it:

account required        pam_ldap.so     use_first_pass

Depending on where the line is in the file(s), the "required" may be
replaced with "sufficient".  In my case, the pam_ldap.so line shows up as
the last line in the file, and I have a line above it that allows local
defined accounts to login.

And Jim is referring to another PAM module that will create your home
directory for you.  That is managed by a line in your default session
config file that reads

session  optional       pam_mkhomedir.so

If not everyone in your LDAP domain should have access to every server, you
should also have a line in your default account PAM config file that
references pam_access.so:

account  required       pam_access.so

I think Red Hat does this by default.  I have to add the line manually on
SuSE servers.  You can then edit your /etc/security/access.conf file to
allow LDAP groups or users (you would need to add any locally defined
users, also) to login to the system.

Important issues that I've run into:

First, if you don't have a line allowing root to login locally, CRON stops
working:

+  :  root   :  LOCAL

Second, you need to make sure you have a space both before and after each
":".

Third, at the end of the access.conf file, you add

-  :  ALL  :  ALL

and you prevent anyone not specifically allowed from logging in.
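The rule-matching behaviour described above (first match wins, deny-all at the end, root needing an explicit LOCAL entry for cron), as an added Python model that is not part of the original post; it parses a constructed access.conf sample with the same shape as the lines quoted in the mail, and simplifies origins to either "LOCAL" or an IP address (it does not model EXCEPT clauses or netgroups):

```python
import ipaddress
# Constructed sample modelled on the access.conf lines in the post above;
# the last line is the "- : ALL : ALL" catch-all that denies everyone else.
SAMPLE_ACCESS_CONF = """\
# permission : users or (groups) : origins
+  :  root   :  LOCAL
+  :  (ldap-admins) sysops  :  ALL
+  :  alice  :  LOCAL 192.168.1.0/24
-  :  ALL  :  ALL
"""

def parse_access_conf(text):
    """Parse 'perm : users : origins' lines into (allow, users, origins, lineno)."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"line {lineno}: malformed rule {raw!r}")
        rules.append((fields[0] == "+", fields[1].split(), fields[2].split(), lineno))
    return rules

def _user_matches(token, user, groups):
    if token == "ALL":
        return True
    if token.startswith("(") and token.endswith(")"):  # explicit group name
        return token[1:-1] in groups
    return token == user or token in groups            # bare name: user, then group

def _origin_matches(token, origin):
    """Simplified: origin is 'LOCAL' (console, cron) or an IP address string."""
    if token == "ALL":
        return True
    if token == "LOCAL" or origin == "LOCAL":
        return token == origin
    try:                                               # host address or CIDR network
        return ipaddress.ip_address(origin) in ipaddress.ip_network(token, strict=False)
    except ValueError:                                 # token is a hostname, not an address
        return token == origin

def check_access(rules, user, groups, origin):
    """First matching rule wins, as in pam_access; no match falls through to allow."""
    for allow, users, origins, lineno in rules:
        if any(_user_matches(u, user, groups) for u in users) and \
           any(_origin_matches(o, origin) for o in origins):
            return allow, lineno
    return True, None
```

Dropping the final deny line makes every unmatched user fall through to an allow, which is the failure mode the post warns about.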

On Wed, Oct 19, 2016 at 10:47 PM, Jim Wildman <jim at rossberry.com> wrote:

> Or do you mean the "create home directory" option?
>
> If a machine is joined to LDAP and pam is setup correctly, then all
> the users in the specified LDAP search domain will be available
> to the machine.  If their home directories or automount is not
> configured, then they will get errors when they login.
>
> On Wed, 19 Oct 2016, Roberto C. Sánchez wrote:
>
> On Wed, Oct 19, 2016 at 06:52:53PM -0400, Rick Troth wrote:
>>
>>>    friends --
>>>
>>>    I'm looking, and will continue, but if anyone happens to know:
>>>    What's the incantation to coax LDAP/Kerberos to automatically add
>>> users?
>>>    For example, in the YP/NIS days, it was that we add the "+" lines at
>>> the
>>>    end of /etc/passwd (and perhaps /etc/group). With that, all users
>>> defined
>>>    in the domain get sign-on rights. How do I do the same in LDAP space?
>>>
>>> Rick,
>>
>> Can you please explain a bit further what you mean by "automatically add
>> users"?  Do you mean that local users on a system get automatically
>> added to LDAP or that LDAP users get automatically added to the local
>> system?
>>
>> Regards,
>>
>> -Roberto
>>
>>
>>
> ----------------------------------------------------------------------
> Jim Wildman, CISSP, RHCE       jim at rossberry.com http://www.rossberry.net
> "Society in every state is a blessing, but Government, even in its best
> state, is a necessary evil; in its worst state, an intolerable one."
> Thomas Paine