[colug-432] automatic LDAP add

Brian Miller bnmille at gmail.com
Thu Oct 20 16:02:19 EDT 2016


On 10/20/2016 03:43 PM, Rick Troth wrote:
> Thanks much for the responses. I'm really glad I asked.
>
> To answer Roberto's question, my employer produces an appliance as part
> of our "SecureData" portfolio. We try to get customers to treat it as
> ... just that, an appliance. But they all know that under the covers
> it's just Linux, so they often want to tweak it to fit their "how we
> manage Linux" model, which varies.
>
> The appliance is CentOS based, but I also have an OpenSUSE guest at HQ
> that I need to wire-in with our AD space there. Naturally this game is
> very different between RH and SUSE. An LDAP question from a customer
> (w/r/t the appliance) prompted me to revisit my personal server, so it
> all converges now.
>
>
> On 10/20/2016 01:53 PM, Brian wrote:
>> When I convert my Linux servers to use LDAP, I get the following line
>> added to the end of /etc/passwd:
>>
>> "+::::::".
>
> Yep, that's the one! Maybe that magic cookie gets used by runtime and
> not by LDAP or Kerberos or YP specifically. I'll look for it on the
> CentOS and OpenSUSE boxes I've been tinkering with.
>
>
>> And Jim is referring to another PAM module that will create your home
>> directory for you.  That is managed by a line in your default session
>> config file that reads
>>
>> session  optional       pam_mkhomedir.so
>
> YESSS!!! That would be the piece I'm looking for.
>
>
>> If not everyone in your LDAP domain should have access to every
>> server, you should also have a line in your default account PAM config
>> file that references pam_access.so:
>>
>> account  required       pam_access.so
>>
>> I think Red Hat does this by default.  I have to add the line manually
>> on SuSE servers.  You can then edit your /etc/security/access.conf
>> file to allow LDAP groups or users (you would need to add any locally
>> defined users, also) to login to the system.
>
> Awesome. For my HQ guest the whole AD/LDAP domain is open. But for the
> customer case things need to be more selective.
>
> Portions deleted in this reply, but I'm taking notes. Thanks very much,
> gentlemen.
>
> -- R; <><

I remember one more gotcha with access.conf.  I can't find a way to 
specify an LDAP group.  And the process searches first for user names, 
and only if there are no matching user names, then it will search for 
groups.  So if you plan to use LDAP groups for controlling access, it is 
really important that your naming conventions prevent you from having a 
group name match a user name.
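
To illustrate that gotcha, here is a small simulator of how access.conf rules are evaluated, with the matching order Brian describes (a bare name in the users field is tried as a user name first, and only as a group name if no user has that name). This is an added example, not code from the thread or from pam_access; the user/group table is constructed, and the "allow when no rule matches" default is an assumption about pam_access behaviour.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample directory data (stands in for LDAP/NSS lookups).
# The group "bob" collides with the user "bob": that is the naming problem.
GROUPS: Dict[str, List[str]] = {
    "admins": ["alice", "bob"],
    "ops": ["carol"],
    "bob": ["dave"],
}
USERS: Set[str] = {"alice", "bob", "carol", "dave"}

# Constructed access.conf: permission:users:origins, first match wins.
SAMPLE_CONF = """
# allow the admins group and the user bob, deny everyone else
+ : admins : ALL
+ : bob : ALL
- : ALL : ALL
"""

def parse_access_conf(text: str) -> List[Tuple[str, List[str], List[str]]]:
    """Return (permission, user_items, origin_items) per non-comment line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm, users.split(), origins.split()))
    return rules

def item_matches(item: str, user: str) -> bool:
    """Bare names are searched as users first; groups only if no such user exists."""
    if item == "ALL":
        return True
    if item in USERS:
        return item == user
    return user in GROUPS.get(item, [])

def access_allowed(conf: str, user: str, origin: str = "ALL") -> bool:
    for perm, items, origins in parse_access_conf(conf):
        if not ("ALL" in origins or origin in origins):
            continue
        if any(item_matches(i, user) for i in items):
            return perm == "+"
    return True  # assumption: no matching rule means access is permitted
```

With this table, dave is denied even though he is in group "bob", because the rule `+ : bob : ALL` is resolved as the user bob and the group is never consulted; renaming the group removes the ambiguity.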
