[colug-432] automatic LDAP add

Rick Troth rmt at casita.net
Thu Oct 20 15:43:42 EDT 2016


Thanks much for the responses. I'm really glad I asked.

To answer Roberto's question, my employer produces an appliance as part
of our "SecureData" portfolio. We try to get customers to treat it as
... just that, an appliance. But they all know that under the covers
it's just Linux, so they often want to tweak it to fit their "how we
manage Linux" model, which varies.

The appliance is CentOS-based, but I also have an OpenSUSE guest at HQ
that I need to wire in with our AD space there. Naturally this game is
very different between RH and SUSE. An LDAP question from a customer
(w/r/t the appliance) prompted me to revisit my personal server, so it
all converges now.


On 10/20/2016 01:53 PM, Brian wrote:
> When I convert my Linux servers to use LDAP, I get the following line
> added to the end of /etc/passwd:
>
> "+::::::".

Yep, that's the one! Maybe that magic cookie gets used by runtime and
not by LDAP or Kerberos or YP specifically. I'll look for it on the
CentOS and OpenSUSE boxes I've been tinkering with.


> And Jim is referring to another PAM module that will create your home
> directory for you.  That is managed by a line in your default session
> config file that reads
>
> session  optional       pam_mkhomedir.so

YESSS!!! That would be the piece I'm looking for.


> If not everyone in your LDAP domain should have access to every
> server, you should also have a line in your default account PAM config
> file that references pam_access.so:
>
> account  required       pam_access.so
>
> I think Red Hat does this by default.  I have to add the line manually
> on SuSE servers.  You can then edit your /etc/security/access.conf
> file to allow LDAP groups or users (you would need to add any locally
> defined users, also) to login to the system.

Awesome. For my HQ guest the whole AD/LDAP domain is open. But for the
customer case things need to be more selective.

Portions deleted in this reply, but I'm taking notes. Thanks very much,
gentlemen.

-- R; <><
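The PAM pieces discussed in this thread (the `pam_mkhomedir.so` session line, the `pam_access.so` account line, and the rules in `/etc/security/access.conf`) are easy to get subtly wrong on a box that is being "tweaked" by hand. The script below is an added example, not code from the thread or from any vendor; it builds constructed sample PAM stacks and a constructed sample `access.conf` in a temp directory, checks which modules are actually active (uncommented) in a stack, and evaluates a simplified first-match reading of `access.conf` for a given user and group list. The simplification is an assumption of this example: the origin field is ignored (as if every login came from an origin matching `ALL`) and `EXCEPT` clauses are not handled, so use it as a sanity check on a rule set, not as a substitute for the real module.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. All file contents below
# are constructed sample data, not copied from any real host.

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed session stack that creates home directories on first login.
cat > "$SAMPLE_DIR/common-session" <<'EOF'
session  required       pam_unix.so
session  optional       pam_mkhomedir.so skel=/etc/skel umask=0077
EOF

# Constructed account stack where pam_access is present but commented out,
# i.e. the state a SUSE host is in before the line is added by hand.
cat > "$SAMPLE_DIR/common-account" <<'EOF'
account  required       pam_unix.so
#account required       pam_access.so
EOF

# Constructed access.conf: root from the console, two admin groups and one
# named user from anywhere, then a final deny-all so the rest of the
# directory cannot log in to this host.
cat > "$SAMPLE_DIR/access.conf" <<'EOF'
+ : root : LOCAL
+ : @wheel @appliance-ops : ALL
+ : rmt : ALL
- : ALL : ALL
EOF

# pam_has_module FILE TYPE MODULE
# Returns 0 if an active (uncommented) line of the given type loads MODULE,
# 1 otherwise. Commented-out lines do not count.
pam_has_module() {
    grep -Eq "^[[:space:]]*$2[[:space:]]+[^#]*$3" "$1"
}

# access_decision CONF USER "GROUP1 GROUP2 ..."
# Prints "allow" or "deny" from the first access.conf line whose user/group
# field matches USER or one of the groups. Assumption of this example: the
# origin field is ignored and EXCEPT clauses are not handled.
access_decision() {
    conf=$1; user=$2; groups=$3
    while IFS= read -r line; do
        case $line in ''|\#*) continue ;; esac
        perm=$(printf '%s' "$line" | cut -d: -f1 | tr -d ' ')
        who=$(printf '%s' "$line" | cut -d: -f2)
        for item in $who; do
            match=0
            case $item in
                ALL) match=1 ;;
                @*)  for g in $groups; do
                         if [ "@$g" = "$item" ]; then match=1; fi
                     done ;;
                *)   if [ "$item" = "$user" ]; then match=1; fi ;;
            esac
            if [ "$match" -eq 1 ]; then
                if [ "$perm" = "+" ]; then echo allow; else echo deny; fi
                return 0
            fi
        done
    done < "$conf"
    # pam_access grants access when no rule matches, which is why a
    # trailing "- : ALL : ALL" line matters.
    echo allow
}

# Stand-alone demonstration of both checks.
if pam_has_module "$SAMPLE_DIR/common-session" session pam_mkhomedir.so; then
    echo "session stack: pam_mkhomedir active"
fi
if ! pam_has_module "$SAMPLE_DIR/common-account" account pam_access.so; then
    echo "account stack: pam_access NOT active (access.conf is not enforced)"
fi
echo "alice (appliance-ops): $(access_decision "$SAMPLE_DIR/access.conf" alice "users appliance-ops")"
echo "bob (users only):      $(access_decision "$SAMPLE_DIR/access.conf" bob "users")"
```

The second check is the one worth keeping around: an `access.conf` full of careful rules does nothing if the account stack never loads `pam_access.so`, and a commented-out line looks fine at a glance.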
