# LDAP binding, and login class for ldap users
## patpro (Apr 1, 2011)

Hi all,

I've setup a FreeBSD server to bind to a remote LDAP server. LDAP users that belong to a particular local group can log in on the FreeBSD server using SSH/SFTP.
I know that I can't set a dedicated login class for my LDAP users, because login(1) is supposed to find the login class in the system password file (where my LDAP users don't exist, obviously).
I wonder if it's possible to set the config file nss_ldap.conf so that it will enforce a login class for LDAP users. I could use the configuration directive *nss_default_attribute_value attribute value*, but I've no idea what to use as an attribute name.

Any idea about that?


----------



## mamalos (Apr 1, 2011)

Very good question!

I am afraid, though, that the answer may be negative. If you look at this old email: http://www.mail-archive.com/freebsd-questions@freebsd.org/msg32383.html that was sent on the freebsd-questions list, it states that at that time, an ldap schema containing *getcap(3)* information didn't exist, nor was the *nsdispatch/nsswitch* capable of understanding such semantics.

Of course this is a very old email, and things might have changed since then...though I highly doubt it, since *ldap* is not part of FreeBSD base, whereas all other mechanisms are.


----------



## patpro (Apr 3, 2011)

Thank you for your interest in my question.
In fact, I lack a good comprehensive knowledge of the login process. I can only speculate here, I'm afraid.
If the pam_ldap plugin used for ssh authentication could just call login(1) after retrieving user information from the LDAP, transmitting a login class name could be enough for the login process to enforce a login class on ldap accounts.


----------



## mamalos (Apr 4, 2011)

I don't know much about the login process either, so I can't help much.

If you think that some pam.d module could be used in /etc/pam.d/ldap and do what you wish, you may as well try it and see if it works.


----------

