LDAP binding, and login class for ldap users

Hi all,

I've setup a FreeBSD server to bind to a remote LDAP server. LDAP users that belong to a particular local group can log in on the FreeBSD server using SSH/SFTP.
I know that I can't set a dedicated login class for my LDAP users, because login(1) is supposed to find the login class in the system password file (where my LDAP users don't exist, obviously).
I wonder if it's possible to set the config file nss_ldap.conf so that it will enforce a login class for LDAP users. I could use the configuration directive nss_default_attribute_value attribute value, but I've no idea what to use as an attribute name.

Any idea about that?
 
Very good question!

I am afraid, though, that the answer may be negative. If you look at this old email: http://www.mail-archive.com/freebsd-questions@freebsd.org/msg32383.html that was sent to the freebsd-questions list, it states that at that time, an ldap schema containing getcap(3) information didn't exist, nor was the nsdispatch/nsswitch capable of understanding such semantics.

Of course this is a very old email, and things might have changed since then...though I highly doubt it, since ldap is not part of FreeBSD base, whereas all other mechanisms are.
 
Thank you for your interest in my question :)
In fact, I lack a good comprehensive knowledge of the login process. I can only speculate here, I'm afraid.
If the pam_ldap plugin used for ssh authentication could just call login(1) after retrieving user information from the LDAP, transmitting a login class name could be enough for the login process to enforce a login class on ldap accounts.
 
I don't know much about the login process either, so I can't help much.

If you think that some pam.d module could be used in /etc/pam.d/ldap and do what you wish, you may as well try it and see if it works.
 