Chris wrote:
I've toyed with LDAP accounts before to get them to work. But now I'm going to put it into production.


I'm wondering though about user and group management. When ports are installed on individual servers, users and groups are sometimes added for daemons. It would be nice to receive notification and possibly block and or redirect actions to appropriate scripts and the LDAP server.

Are there any ports or mechanisms for hooking into the scripts and programs that handle account modification (chpass, adduser and pw) or does everyone typically do this sort of thing by hand?

For the user and groups set up when installing from the ports --
unfortunately no.  Each port that needs to set up a UID/GID will
have its own pkg-install script to do the work.  These are all written
separately for each port that needs one -- no common code libraries etc.
other than cut'n'paste from some other port.  These are generally
wrappers around pw(8) and have no facility for switching to some other
program to generate accounts.

I believe though that while pw(8) can only update text format files
such as /etc/master.passwd or /etc/group it will report all of the
UIDs or GIDs known to the system from whatever authentication databases
you are hooked up to.  So if you create appropriate UIDs and GIDs in LDAP
before trying to install the port, you shouldn't end up with a second
local account withthe same credentials.

Also note that you will likely have boot-order problems: you'll need
to ensure that your system is up and on the network and resolving the
user information with whatever network based service you're using before
any of the daemons that run as those UIDs are started.

        Cheers,

        Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                 Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                 Kent, CT11 9PW

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to