<div dir="ltr"><div><div><div><div><div><div><div><div><div>Rick,<br></div>When I convert my Linux servers to use LDAP, I get the following line added to the end of /etc/passwd:<br><br>"+::::::".<br><br></div>Interestingly, I don't get anything at the end of /etc/group, even though LDAP groups are freely recognized.<br><br></div>But if you're using PAM, then your default PAM configuration files should have a line something like this in it:<br><br>account required pam_ldap.so use_first_pass<br><br></div>Depending on where the line is in the file(s), the "required" may be replaced with "sufficient". In my case, the pam_ldap.so line shows up as the last line in the file, and I have a line above it that allows local defined accounts to login.<br><br></div>And Jim is referring to another PAM module that will create your home directory for you. That is managed by a line in your default session config file that reads <br><br>session optional pam_mkhomedir.so<br><br></div>If not everyone in your LDAP domain should have access to every server, you should also have a line in your default account PAM config file that references pam_access.so:<br><br>account required pam_access.so<br><br></div>I think Red Hat does this by default. I have to add the line manually on SuSE servers. You can then edit your /etc/security/access.conf file to allow LDAP groups or users (you would need to add any locally defined users, also) to login to the system.<br><br>Important issues that I've run into:<br><br>First, if you don't have a line allowing root to login locally, CRON stops working:<br><br></div>+ : root : LOCAL<br><br></div>Second, you need to make sure you have a space both before and after each ":"<br><br>Third, at the end of the access.conf file, you add<br><br>- : ALL : ALL<br><br>and you prevent anyone not specifically allowed from logging in.<br><br><br><div><div><div><br><br><div><br><br><div><div><br><br><br><div><div><br></div></div></div></div></div></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Oct 19, 2016 at 10:47 PM, Jim Wildman <span dir="ltr"><<a href="mailto:jim@rossberry.com" target="_blank">jim@rossberry.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Or do you mean the "create home directory" option?<br>
<br>
If a machine is joined to LDAP and pam is setup correctly, then all<br>
the users in the specified LDAP search domain will be available<br>
to the machine. If their home directories or automount is not<br>
configured, then they will get errors when they login.<span><br>
<br>
On Wed, 19 Oct 2016, Roberto C. Sánchez wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On Wed, Oct 19, 2016 at 06:52:53PM -0400, Rick Troth wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
friends --<br>
<br>
I'm looking, and will continue, but if anyone happens to know:<br>
What's the incantation to coax LDAP/Kerberos to automatically add users?<br>
For example, in the YP/NIS days, it was that we add the "+" lines at the<br>
end of /etc/passwd (and perhaps /etc/group). With that, all users defined<br>
in the domain get sign-on rights. How do I do the same in LDAP space?<br>
<br>
</blockquote>
Rick,<br>
<br>
Can you please explain a bit further what you mean by "automatically add<br>
users"? Do you mean that local users on a system get automatically<br>
added to LDAP or that LDAP users get automatically added to the local<br>
system?<br>
<br>
Regards,<br>
<br>
-Roberto<br>
<br>
<br>
</blockquote>
<br></span>
------------------------------<wbr>------------------------------<wbr>----------<br>
Jim Wildman, CISSP, RHCE <a href="mailto:jim@rossberry.com" target="_blank">jim@rossberry.com</a> <a href="http://www.rossberry.net" rel="noreferrer" target="_blank">http://www.rossberry.net</a><br>
"Society in every state is a blessing, but Government, even in its best<br>
state, is a necessary evil; in its worst state, an intolerable one."<br>
Thomas Paine<br>______________________________<wbr>_________________<br>
colug-432 mailing list<br>
<a href="mailto:colug-432@colug.net" target="_blank">colug-432@colug.net</a><br>
<a href="http://lists.colug.net/mailman/listinfo/colug-432" rel="noreferrer" target="_blank">http://lists.colug.net/mailman<wbr>/listinfo/colug-432</a><br>
<br></blockquote></div><br></div></div>