Chapter 9. Identity: Managing Users and User Groups
Users in Identity Management are able to access services and servers within the domain through Kerberos authentication. This chapter covers general management tasks for users, groups, password policies, and other configuration for users.
9.1. Setting up User Home Directories
A home directory is required for any IdM user. Without a home directory in the expected location, a user may be unable to log into the domain. While systems administrators can manage home directories outside of IdM, it is also possible to use a PAM module to create home directories automatically on both IdM servers and clients.
9.1.1. About Home Directories
IdM, as part of managing users, can manage user home directories. However, IdM has certain defined parameters for any managed home directories:
- The default prefix for users' home directories is /home.
- IdM does not automatically create home directories when users log in. Automatically creating home directories requires either the pam_oddjob_mkhomedir module or the pam_mkhomedir module. Either module can be configured as part of client installation or after installation, as described in Section 9.1.2, “Enabling the PAM Home Directory Module”.
  The home directory process for IdM first attempts to use the pam_oddjob_mkhomedir module because it requires fewer user privileges and less access to create the home directories, and it integrates smoothly with SELinux. If this module is not available, then the process falls back to the pam_mkhomedir module.
  Note
  On Red Hat Enterprise Linux 5 clients, the client installation script uses the pam_mkhomedir module even if the pam_oddjob_mkhomedir module is available. To use the pam_oddjob_mkhomedir module on Red Hat Enterprise Linux 5, edit the PAM configuration manually.
- It is possible to use an NFS file server that provides /home, which can be made available to all machines in the domain and then automounted on the IdM server.
  There are potential issues when using NFS, such as security issues related to granting root access to the NFS user, performance issues with loading the entire /home tree, and network performance issues when using remote servers for home directories. There are some general guidelines for using NFS with Identity Management:
  - Use automount to mount only the user's home directory and only when the user logs in, rather than loading the entire /home tree.
  - Use a remote user who has limited permissions to create home directories and mount the share on the IdM server as that user. Since the IdM server runs as an httpd process, it is possible to use sudo or a similar program to grant the IdM server limited access to create home directories on the NFS server.
  - Use a mechanism, such as the pam_oddjob_mkhomedir module, to create the home directory as that user.
  Using automounts for home directories is described in Section 9.1.3, “Manually Mounting Home Directories”.
- If a suitable directory and mechanism are not available to create home directories, users may not be able to log in.
9.1.2. Enabling the PAM Home Directory Module
For a home directory to be created automatically when a user logs in, IdM can use either the pam_oddjob_mkhomedir module or the pam_mkhomedir module. Because it requires fewer permissions and works well with SELinux, IdM preferentially uses the pam_oddjob_mkhomedir module. If that module is not installed, then it falls back to the pam_mkhomedir module.
Note
IdM does not require the pam_oddjob_mkhomedir module or the pam_mkhomedir module. This is because the *_mkhomedir module may try to create home directories even when the shared storage is not available. If the module is unable to create the home directory, then users can be blocked from logging into the IdM domain.
The system administrator must activate this module on each client or server as needed.
There are two ways to enable the pam_oddjob_mkhomedir (or pam_mkhomedir) module:
- The --mkhomedir option can be used with the ipa-client-install command. While this is possible for clients, this option is not available to servers when they are set up.
- The pam_oddjob_mkhomedir module can be enabled using the system's authconfig command. For example:
  authconfig --enablemkhomedir --update
  This option can be used for both server and client machines post-installation.
Note
On Red Hat Enterprise Linux 5 clients, the client installation script uses the pam_mkhomedir module even if the pam_oddjob_mkhomedir module is available. To use the pam_oddjob_mkhomedir module on Red Hat Enterprise Linux 5, edit the PAM configuration manually.
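Because a client with neither module enabled can leave users unable to log in, it is worth checking which module a PAM session stack actually activates. The following script is an added example, not part of the Red Hat guide; it inspects a PAM configuration file (constructed samples are used here, in place of the real files under /etc/pam.d) and reports pam_oddjob_mkhomedir, pam_mkhomedir, or none, in the same order of preference IdM uses.

```shell
#!/bin/sh
# Added example: report which home-directory creation module a PAM
# configuration enables, preferring pam_oddjob_mkhomedir as IdM does.
# Usage: mkhomedir_module FILE  -> prints the module name or "none".
mkhomedir_module() {
    file="$1"
    # Only uncommented "session" lines count; the module may be written
    # bare (pam_mkhomedir.so) or with a path (/lib/security/pam_mkhomedir.so).
    if grep -Eq '^[[:space:]]*session[[:space:]].*[[:space:]/]pam_oddjob_mkhomedir\.so' "$file"; then
        echo "pam_oddjob_mkhomedir"
    elif grep -Eq '^[[:space:]]*session[[:space:]].*[[:space:]/]pam_mkhomedir\.so' "$file"; then
        echo "pam_mkhomedir"
    else
        echo "none"
    fi
}

# Constructed sample session stacks; a real check would point at /etc/pam.d/system-auth.
tmp=$(mktemp -d)
cat > "$tmp/oddjob" <<'EOF'
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     required      pam_unix.so
EOF
cat > "$tmp/plain" <<'EOF'
session     required      pam_limits.so
session     optional      /lib/security/pam_mkhomedir.so umask=0077
session     required      pam_unix.so
EOF
cat > "$tmp/missing" <<'EOF'
session     required      pam_limits.so
# session   optional      pam_mkhomedir.so   (disabled; left as a comment)
session     required      pam_unix.so
EOF

for f in oddjob plain missing; do
    printf '%s: %s\n' "$f" "$(mkhomedir_module "$tmp/$f")"
done
```

A result of "none" on an IdM client means logins for users without an existing home directory are at risk and the authconfig step above still has to be run.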
9.1.3. Manually Mounting Home Directories
While PAM modules can be used to create home directories for users automatically, this may not be desirable behavior in every environment. In that case, home directories can be manually added to the IdM server from separate locations using NFS shares and automount.
- Create a new location for the user directory maps:
  [bjensen@server ~]$ ipa automountlocation-add userdirs
  Location: userdirs
- Add a direct map to the new location's auto.direct file. In this example, the mount point is /share:
  [bjensen@server ~]$ ipa automountkey-add userdirs auto.direct --key=/share --info="-ro,soft, ipaserver.example.com:/home/share"
  Key: /share
  Mount information: -ro,soft, ipaserver.example.com:/home/share
Using automounts with IdM is described in detail in Chapter 18, Policy: Using Automount.