[nycbug-talk] External Authentication Implementation in FreeBSD

Matt Juszczak matt at atopia.net
Thu May 14 17:38:00 EDT 2009

Hi all,

This question refers specifically to LDAP, but I assume that it would work 
for other services too, such as NIS.

In my opinion, I see three possible ways these things can be implemented 
in PAM, NSS, sudoers, etc.:

1) Every 5 minutes or so, generate /etc/passwd, /etc/master.passwd, and 
/etc/group from the information in LDAP.  Also, generate a 
/usr/local/etc/sudoers file.  Benefits are that the boxes work 100% 
standalone even if all LDAP servers become unavailable.

2) Half-half it.  Put system accounts in /etc/passwd, /etc/master.passwd, 
etc., and only put USERS in LDAP.  That way, it will try LDAP just for 
users, but otherwise the boxes function normally even if LDAP is down 
(perhaps a backdoor user account?).  Sudoers would tie into LDAP with a 
failover somehow to the file system.

3) All LDAP - put all accounts, including system accounts, root, etc., 
into LDAP.  This is my least favorite option.

Just looking for what most of you use in your FreeBSD setups.
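An added example, not part of the original post, of the generator that option 1 describes: it merges LDAP posixAccount entries into a local master.passwd while keeping system accounts local (the concern behind option 2), and rejects directory entries that would shadow a local account, claim a reserved UID, or inject field separators into the fixed-format file. The sample LDAP records, the local file excerpt and MIN_LDAP_UID are constructed assumptions; a real generator would fetch the records with an LDAP client.

```python
from typing import Dict, List, Tuple

# Constructed sample of what an LDAP search for posixAccount entries would
# return, decoded into dicts (a real generator would fetch them via LDAP).
LDAP_USERS: List[Dict[str, str]] = [
    {"uid": "alice", "uidNumber": "10001", "gidNumber": "10001", "gecos": "Alice Example",
     "homeDirectory": "/home/alice", "loginShell": "/bin/sh",
     "userPassword": "{CRYPT}$6$saltsalt$fakehash"},          # constructed, not a real hash
    {"uid": "carol", "uidNumber": "10002", "gidNumber": "10001", "gecos": "Carol Example",
     "homeDirectory": "/home/carol", "loginShell": "/bin/sh"},  # no hash stored in LDAP
    {"uid": "root", "uidNumber": "0", "gidNumber": "0", "gecos": "x",
     "homeDirectory": "/root", "loginShell": "/bin/sh"},        # would shadow local root
    {"uid": "dave", "uidNumber": "10003", "gidNumber": "10001", "gecos": "Dave:0:0",
     "homeDirectory": "/home/dave", "loginShell": "/bin/sh"},   # ':' would corrupt the file
]

# Constructed excerpt of the local /etc/master.passwd that must keep working
# when LDAP is unreachable; system accounts never come from the directory.
LOCAL_MASTER_PASSWD = """root:*:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
"""

MIN_LDAP_UID = 1000  # assumption: UIDs below this are reserved for local/system accounts


def local_entries(text: str) -> List[str]:
    return [l for l in text.splitlines() if l and not l.startswith("#")]


def merge(local_text: str, ldap_users: List[Dict[str, str]]) -> Tuple[List[str], List[str]]:
    """Return (master.passwd lines, rejected LDAP uids). Local entries always win."""
    lines = local_entries(local_text)
    names = {l.split(":")[0] for l in lines}
    uids = {int(l.split(":")[2]) for l in lines}
    rejected: List[str] = []
    for u in ldap_users:
        name, uid = u["uid"], int(u["uidNumber"])
        # Refuse entries that would shadow a local account, claim a system UID,
        # or smuggle field/line separators into the colon-delimited file.
        if (name in names or uid in uids or uid < MIN_LDAP_UID
                or any(":" in v or "\n" in v for v in u.values())):
            rejected.append(name)
            continue
        pw = u.get("userPassword", "")
        # Only a {CRYPT} hash can be copied into master.passwd; any other scheme gets
        # "*", so that user can only log in while LDAP is reachable (through PAM).
        hash_field = pw[len("{CRYPT}"):] if pw.startswith("{CRYPT}") else "*"
        # master.passwd layout: name:password:uid:gid:class:change:expire:gecos:home:shell
        lines.append(f"{name}:{hash_field}:{uid}:{u['gidNumber']}::0:0:"
                     f"{u['gecos']}:{u['homeDirectory']}:{u['loginShell']}")
        names.add(name)
        uids.add(uid)
    return lines, rejected
```

Write the returned lines to a temporary mode-0600 file and run `pwd_mkdb -p` on it so that /etc/pwd.db, /etc/spwd.db and /etc/passwd are rebuilt together, rather than editing /etc/master.passwd in place; the rejected list is worth logging, since a directory entry that tries to take UID 0 or a local name is a signal in its own right.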
