Why we didn't migrate to Mercurial (long)
David Champion
dgc at uchicago.edu
Fri Oct 5 18:55:45 UTC 2012
* On 05 Oct 2012, Stephen Morton wrote:
> > with it, I know that PAM supports LDAP and SSH supports PAM. So you
> > probably could configure PAM to use LDAP for SSH authentication.
> >
> Yes and no. To log in you need not only LDAP password authentication
> through PAM, but you additionally need LDAP NSS information to determine a
> user's home directory and login shell. This *can* be provided by LDAP, but
> it is often not provided by (Windows-centric) corporate IT.
>
> You can get around this by creating local accounts for everybody who wants
> to log in, yet still using LDAP for password authentication. But at that
> point, even with a small 20-person office (we have ~200 devs) you're having
> to populate and continuously update as people get hired and fired entries
> for 200 people on 200 computers.
You can get around that somewhat with nss_compat. This NSS module
allows you to override passwd fields with static values in a + line in
/etc/passwd. It's inspired by old SunOS 4 NIS mechanisms.
/etc/nsswitch.conf:
passwd: compat
passwd_compat: ldap
/etc/passwd:
+::::::/bin/bash
If it's OK for all to use the same uid and home directory, you're done:
+::2000:2000:HG user &:/home/hguser:/bin/bash
Unfortunately you cannot replace pw_dir with, say, /home/& -- it doesn't
support the & token the way that some GECOS handlers do. A minor patch
to nss_compat would enable it though.
--
David Champion • dgc at uchicago.edu • IT Services • University of Chicago