[nycbug-talk] External Authentication Implementation in FreeBSD
Matt Juszczak
matt at atopia.net
Thu May 14 17:38:00 EDT 2009
Hi all,
This question refers specifically to LDAP, but I assume that it would work
for other services too, such as NIS.
In my opinion, I see three possible ways these things can be implemented
into pam, nss, sudoers, etc.:
1) Every 5 minutes or so, generate /etc/passwd, /etc/master.passwd, and
/etc/group from the information in LDAP. Also, generate a
/usr/local/etc/sudoers file. Benefits are that the boxes work 100%
standalone even if all LDAP servers become unavailable.
2) Half-half it. Put system accounts in /etc/passwd, /etc/master.passwd,
etc., and only put USERS in LDAP. That way, it will try LDAP just for
users, but otherwise the boxes function normally even if LDAP is down
(perhaps a backdoor user account?). Sudoers would tie into LDAP with a
failover somehow to the file system.
3) All LDAP: put all accounts, including system accounts, root, etc.,
into LDAP. This is my least favorite option.
Just looking for what most of you use in your FreeBSD setups.
Thanks!
-M
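Option 1 above depends on a generator that turns the directory's posixAccount entries into master.passwd lines. The following Python script is an added example (not the poster's code and not part of FreeBSD) of the checks such a generator should make before the result is installed: local system accounts always win, entries with a system-range or duplicate uid are dropped, a field that would corrupt the colon-separated format is rejected, and an empty query result aborts instead of producing an empty file. The local file, the LDIF, the function names and the SYSTEM_UID_MAX cutoff of 999 are all constructed assumptions for the example.

```python
"""Merge LDAP posixAccount entries into a FreeBSD master.passwd(5) file.
Added example, not from the original post; all data below is constructed."""
import base64
import re

# Constructed local master.passwd: system accounts that must never be overridden.
LOCAL_MASTER_PASSWD = """\
root:$6$saltsalt$localhash:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
"""

# Constructed LDIF in the shape `ldapsearch -LLL` prints; not real directory data.
# The last two entries are deliberately bad: a uid 0 account and a name that
# shadows a local system account.
LDAP_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: alice
uidNumber: 1001
gidNumber: 1001
gecos: Alice Example
homeDirectory: /home/alice
loginShell: /bin/sh
userPassword: {CRYPT}$6$saltsalt$alicehash

dn: uid=bob,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: bob
uidNumber: 1002
gidNumber: 1002
gecos: Bob Example
homeDirectory: /home/bob
loginShell: /bin/tcsh

dn: uid=rogue,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: rogue
uidNumber: 0
gidNumber: 0
homeDirectory: /root
loginShell: /bin/sh

dn: uid=daemon,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: daemon
uidNumber: 5000
gidNumber: 5000
homeDirectory: /home/daemon
loginShell: /bin/sh
"""

SYSTEM_UID_MAX = 999     # assumption: uids at or below this are local-only
NAME_RE = re.compile(r"^[a-z_][a-z0-9_-]*$")


def parse_ldif(text):
    """Parse LDIF into one {attribute: value} dict per entry.
    Handles comments, base64 ('::') values and folded continuation lines."""
    entries, current, last_key = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw == "":                      # blank line ends an entry
            if current:
                entries.append(current)
            current, last_key = {}, None
            continue
        if raw.startswith(" ") and last_key:   # folded line continues previous value
            current[last_key] += raw[1:]
            continue
        key, _, value = raw.partition(":")
        key, value = key.strip(), value.lstrip()
        if value.startswith(":"):          # "attr:: base64" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        if key == "objectClass":
            current.setdefault("objectClass", []).append(value)
            last_key = None
        else:
            current[key] = value
            last_key = key
    if current:
        entries.append(current)
    return entries


def to_master_passwd(entry):
    """Render one posixAccount as name:password:uid:gid:class:change:expire:gecos:home:shell."""
    pw = entry.get("userPassword", "")
    # A {CRYPT} hash can be checked by the local login path; anything else is locked.
    pw = pw[len("{CRYPT}"):] if pw.startswith("{CRYPT}") else "*"
    return ":".join([entry["uid"], pw, entry["uidNumber"], entry["gidNumber"],
                     "", "0", "0", entry.get("gecos", ""),
                     entry["homeDirectory"], entry["loginShell"]])


def merge(local_text, ldif_text):
    """Return (merged_lines, skipped). Local entries always win; LDAP may only
    add ordinary users. Raises if the directory returned nothing usable."""
    local_lines = [l for l in local_text.splitlines() if l.strip()]
    names = {l.split(":", 1)[0] for l in local_lines}
    uids = {int(l.split(":")[2]) for l in local_lines}
    merged, skipped = list(local_lines), []
    users = [e for e in parse_ldif(ldif_text) if "posixAccount" in e.get("objectClass", [])]
    if not users:
        raise RuntimeError("LDAP returned no posixAccount entries; keeping existing file")
    for e in users:
        name = e.get("uid", "")
        try:
            uid = int(e.get("uidNumber", ""))
        except ValueError:
            skipped.append((name, "non-numeric uidNumber")); continue
        if not NAME_RE.match(name):
            skipped.append((name, "invalid login name")); continue
        if uid <= SYSTEM_UID_MAX:
            skipped.append((name, "system-range uid %d" % uid)); continue
        if name in names:
            skipped.append((name, "shadows local account")); continue
        if uid in uids:
            skipped.append((name, "uid %d already used locally" % uid)); continue
        if any(c in e.get(k, "") for k in ("gecos", "homeDirectory", "loginShell") for c in ":\n"):
            skipped.append((name, "field would corrupt passwd format")); continue
        merged.append(to_master_passwd(e))
        names.add(name); uids.add(uid)
    return merged, skipped


if __name__ == "__main__":
    lines, dropped = merge(LOCAL_MASTER_PASSWD, LDAP_LDIF)
    print("\n".join(lines))
    for who, why in dropped:
        print("skipped %s: %s" % (who, why))
```

In a real cron job the LDIF would come from `ldapsearch -LLL` over TLS, the merged lines would be written to a temporary file and installed with `pwd_mkdb -p`, which also regenerates /etc/passwd; /etc/group needs the same treatment with posixGroup entries. The design point is that a directory outage, an empty result or a tampered entry can only ever fail to add users, never remove or replace the accounts the box needs to stay usable on its own.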