LDAP integration and sshd

Corinna Vinschen corinna-cygwin@cygwin.com
Thu Jun 26 08:32:00 GMT 2014


On Jun 26 07:35, Achim Gratz wrote:
> Corinna Vinschen <corinna-cygwin <at> cygwin.com> writes:
> > - Build your own OpenSSH package with the following patch applied:
> > 
> >   http://lists.mindrot.org/pipermail/openssh-unix-dev/2014-May/032591.html
> > 
> >   It converts the static request for an account called "sshd" into
> >   a function call which checks for the "sshd" account by calling
> >   a Cygwin DLL function checking for the account by prepending the
> >   potential prefixes.  This patch has been applied upstream, and
> >   a new version of OpenSSH will be available as soon as we go live
> >   with the AD integration stuff.
> 
> Is there a corresponding change needed to take care of LDAP groups so these

"LDAP groups" is rather misleading.  The naming convention has nothing
to do with LDAP, rather it's an Interix invention.  The names are
generated inside the Cygwin DLL independent of using LDAP or not.

> can be used in AllowGroups?

In theory, no.  AllowGroups is admin-settable in the config file while
the "sshd" user request is built into the code.  Just use the names as
you get them:

  AllowGroups bla MACHINE+blub DOMAIN+blubber ...


Corinna

(*) per MSFT this is supposed to be faster than NetUserEnum and uses less
    resources.  In my limited environment, `getent group' is in fact five
    times faster than the former `mkgroup -l -d'.

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
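
An added example, not part of the message above and not code from Cygwin or OpenSSH: a small shell check that compares the literal AllowGroups entries in an sshd_config against `getent group` style output and flags names that only exist behind a MACHINE+ or DOMAIN+ style prefix. The function names and the file arguments are hypothetical.

```shell
#!/bin/sh
# Added example: lint AllowGroups entries against the group names the
# system actually reports (for instance, saved output of `getent group`).

# Print each AllowGroups token from an sshd_config read on stdin, one per line.
allowgroups_tokens() {
    awk 'tolower($1) == "allowgroups" { for (i = 2; i <= NF; i++) print $i }'
}

# check_allowgroups CONFIG_FILE GROUP_FILE
# GROUP_FILE holds lines in group(5) layout: name:passwd:gid:members
# One verdict is printed per token:
#   ok NAME              the name exists exactly as written
#   skip PATTERN         contains *, ? or !, so it is an sshd pattern
#   fix NAME -> FULL     only a prefixed form (PREFIX+NAME) exists
#   missing NAME         no group of that name, prefixed or not
check_allowgroups() {
    names=$(cut -d: -f1 "$2")
    allowgroups_tokens < "$1" | while IFS= read -r tok; do
        case $tok in
            *[*?!]*) echo "skip $tok"; continue ;;
        esac
        if printf '%s\n' "$names" | grep -Fxq -- "$tok"; then
            echo "ok $tok"
            continue
        fi
        # Same group name behind a prefix, as in MACHINE+blub or DOMAIN+blubber.
        hit=$(printf '%s\n' "$names" | while IFS= read -r g; do
            case $g in
                ?*+"$tok") printf '%s\n' "$g"; break ;;
            esac
        done)
        if [ -n "$hit" ]; then
            echo "fix $tok -> $hit"
        else
            echo "missing $tok"
        fi
    done
}
```

Run it as `check_allowgroups <your sshd_config> <file with saved getent group output>`; any "fix" line names the spelling to put into AllowGroups.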