[nycbug-talk] External Authentication Implementation in FreeBSD

Matt Juszczak matt at atopia.net
Thu May 14 17:38:00 EDT 2009


Hi all,

This question refers specifically to LDAP, but I assume that it would work 
for other services too, such as NIS.

In my opinion, I see three possible ways these things can be implemented 
into pam, nss, sudoers, etc:

1) Every 5 minutes or so, generate /etc/passwd, /etc/master.passwd, and 
/etc/group from the information in LDAP.  Also, generate a 
/usr/local/etc/sudoers file.  Benefits are that the boxes work 100% 
standalone even if all LDAP servers become unavailable.

2) Half-half it.  Put system accounts in /etc/passwd, /etc/master.passwd, 
etc., and only put USERS in LDAP.  That way, it will try LDAP just for 
users, but otherwise the boxes function normally even if LDAP is down 
(perhaps a backdoor user account?).  Sudoers would tie into LDAP with a 
failover somehow to the file system.

3) All LDAP - put all accounts, including system accounts, root, etc., 
into LDAP.  This is my least favorite option.

Just looking for what most of you use in your FreeBSD setups.

Thanks!

-M
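Added example, not part of the original post: a small POSIX sh script that shows the generation step behind option 1 (turning posixAccount entries exported from LDAP into FreeBSD master.passwd lines) together with the safety rule that makes option 2 workable, namely that system accounts stay in the local file and an LDAP entry can never shadow a local name or UID such as root. The LDIF is constructed sample data; the assumptions are that local system accounts have UIDs below 1000, that userPassword, when present, carries a {CRYPT} hash usable in master.passwd, and that the merged file is installed with FreeBSD's pwd_mkdb (left as a comment, not run).

```shell
#!/bin/sh
# Added example (not from the original post). Converts LDAP posixAccount
# entries (LDIF) into master.passwd lines, keeps low-UID system accounts
# local, and refuses LDAP entries that collide with local accounts.
# Assumptions: system accounts have UID < 1000; userPassword is a {CRYPT}
# hash; the LDIF below is constructed sample data.

SAMPLE_LDIF='dn: uid=alice,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: alice
uidNumber: 1001
gidNumber: 1001
cn: Alice Example
homeDirectory: /home/alice
loginShell: /bin/sh
userPassword: {CRYPT}$6$saltsalt$examplehashvalue

dn: uid=bob,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: bob
uidNumber: 1002
gidNumber: 1002
cn: Bob Example
homeDirectory: /home/bob
loginShell: /bin/tcsh

dn: uid=nagios,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: nagios
uidNumber: 181
gidNumber: 181
cn: Nagios daemon
homeDirectory: /nonexistent
loginShell: /usr/sbin/nologin
'

# ldif_to_master_passwd MIN_UID
# Reads LDIF on stdin and prints one master.passwd line per posixAccount
# whose uidNumber >= MIN_UID (default 1000), so system accounts are skipped.
# Format: name:pw:uid:gid:class:change:expire:gecos:home:shell
# An entry without a {CRYPT} hash gets "*" so the local copy cannot log in
# with a password; PAM against LDAP still handles interactive auth.
ldif_to_master_passwd() {
    min_uid="${1:-1000}"
    awk -v min_uid="$min_uid" '
        function flush() {
            if (name != "" && uid != "" && uid + 0 >= min_uid + 0)
                printf "%s:%s:%s:%s::0:0:%s:%s:%s\n", name, pw, uid, gid, gecos, home, shell
            name = ""; uid = ""; gid = ""; gecos = ""; home = ""; shell = ""; pw = "*"
        }
        BEGIN { pw = "*" }
        /^dn:/ { flush(); next }                      # new entry: emit the previous one
        /^uid: / { name = substr($0, 6); next }
        /^uidNumber: / { uid = substr($0, 12); next }
        /^gidNumber: / { gid = substr($0, 12); next }
        /^cn: / { gecos = substr($0, 5); next }
        /^homeDirectory: / { home = substr($0, 16); next }
        /^loginShell: / { shell = substr($0, 13); next }
        index($0, "userPassword: {CRYPT}") == 1 { pw = substr($0, 22); next }
        END { flush() }
    '
}

# merge_master_passwd LOCAL_FILE LDAP_FILE
# Local entries win: an LDAP line whose name or UID already exists locally
# is dropped and reported on stderr, so LDAP data can never override root
# or another system account on the box.
merge_master_passwd() {
    awk -F: '
        NR == FNR { names[$1] = 1; uids[$3] = 1; print; next }
        ($1 in names) || ($3 in uids) {
            printf "skipping LDAP entry %s (uid %s): collides with local account\n", $1, $3 > "/dev/stderr"
            next
        }
        { print }
    ' "$1" "$2"
}

# Stand-alone demonstration on constructed local accounts. On a real host
# the merged file would be staged and installed with:
#   pwd_mkdb -p /path/to/merged   (not run here)
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' 'root:*:0:0::0:0:Charlie &:/root:/bin/csh' \
        'nagios:*:181:181::0:0:Nagios daemon:/nonexistent:/usr/sbin/nologin' > "$tmp/local"
    printf '%s' "$SAMPLE_LDIF" | ldif_to_master_passwd 1000 > "$tmp/ldap"
    merge_master_passwd "$tmp/local" "$tmp/ldap"
    rm -rf "$tmp"
}

demo
```

Running the script prints the local root and nagios lines followed by alice (with her {CRYPT} hash) and bob (locked with "*"); the LDAP nagios entry never reaches the output because its UID is below the threshold, and even with the threshold lowered to 0 the merge step rejects it for colliding with the local account.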
