LDAP integration and sshd
Corinna Vinschen
corinna-cygwin@cygwin.com
Thu Jun 26 08:32:00 GMT 2014
On Jun 26 07:35, Achim Gratz wrote:
> Corinna Vinschen <corinna-cygwin <at> cygwin.com> writes:
> > - Build your own OpenSSH package with the following patch applied:
> >
> > http://lists.mindrot.org/pipermail/openssh-unix-dev/2014-May/032591.html
> >
> > It converts the static request for an account called "sshd" into
> > a function call which checks for the "sshd" account by calling
> > a Cygwin DLL function checking for the account by prepending the
> > potential prefixes. This patch has been applied upstream, and
> > a new version of OpenSSH will be available as soon as we go live
> > with the AD integration stuff.
>
> Is there a corresponding change needed to take care of LDAP groups so these

"LDAP groups" is rather misleading. The naming convention has nothing
to do with LDAP, rather it's an Interix invention. The names are
generated inside the Cygwin DLL independent of using LDAP or not.

> can be used in AllowGroups?

In theory, no. AllowGroups is admin-settable in the config file while
the "sshd" user request is built into the code. Just use the names as
you get them:

  AllowGroups bla MACHINE+blub DOMAIN+blubber ...

Corinna

(*) per MSFT this is supposed to be faster than NetUserEnum and uses less
resources. In my limited environment, `getent group' is in fact five
times faster than the former `mkgroup -l -d'.
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Maintainer cygwin AT cygwin DOT com
Red Hat