Creating a User Home directory when you use LDAP Authentication

Abstract

Lightweight Directory Access Protocol (LDAP) allows a system administrator to centrally define and manage Linux users. Using LDAP, an administrator can define a user once for many Linux systems. User information, such as the user password and the location of the user's home directory, is stored in the LDAP directory rather than on the local Linux system. This technote describes how to configure the Pluggable Authentication Module (PAM) to automatically create a user home directory the first time a user logs on.

Contents


Linux users usually have their home directory (typically /home/userid) created when the user ID is defined. When using LDAP authentication, users are defined remotely, and no home directory is created on the local host. Two possibilities exist to avoid manual creation of a home directory for each LDAP-defined user:
  • The user home directory can be located on a network file server (for example, an NFS-mounted file system).
  • The home directory can be automatically created when a user first logs in.
    For login services other than SSH, add the pam_mkhomedir.so module to the PAM configuration file for the service (for example, /etc/pam.d/login):
      session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
    If a user authenticates and no home directory exists, the home directory is created in /home. The umask=0077 parameter causes the directory permission to be set to 700, so other users cannot read it. The home directory is populated from the skeleton files found in the /etc/skel directory.

    Beginning with OpenSSH Version 3.3, automatic creation of a user home directory using pam_mkhomedir.so is no longer supported due to a security modification in SSH. You can use the make_home_dir replacement for pam_mkhomedir.so. The make_home_dir package is available at:
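The following POSIX shell script is an added example, not part of the technote: it checks a PAM service file for pam_mkhomedir.so session lines that carry the recommended umask=0077, and reproduces the skeleton copy under that umask so the resulting directory mode can be verified. The file paths and skeleton contents it uses are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the technote: audit the pam_mkhomedir.so
# configuration and reproduce its directory creation so the resulting
# permissions can be checked. All paths below are constructed for the demo.

# Succeed only if every pam_mkhomedir.so session line in the PAM file
# carries umask=0077 (or the equivalent 077); a missing or looser umask
# would leave a freshly created home directory readable by other users.
check_mkhomedir_umask() {
    pamfile="$1"
    total=$(grep -cE '^[[:space:]]*session[[:space:]].*pam_mkhomedir\.so' "$pamfile" || true)
    good=$(grep -cE '^[[:space:]]*session[[:space:]].*pam_mkhomedir\.so.*umask=0?077([[:space:]]|$)' "$pamfile" || true)
    [ "$total" -gt 0 ] && [ "$total" -eq "$good" ]
}

# Build a home directory from a skeleton the way the module does:
# create it under the requested umask and copy the skeleton files
# (dotfiles included). Does nothing if the directory already exists.
make_home_from_skel() {
    home="$1" skel="$2" mask="$3"
    [ -d "$home" ] && return 0
    ( umask "$mask" && mkdir -p "$home" && cp -R "$skel"/. "$home"/ )
}

# Permission string of a directory as printed by ls -ld (e.g. drwx------).
home_dir_mode() {
    ls -ld "$1" | cut -c1-10
}

# Demonstration on constructed files under a temporary directory.
demo_mkhomedir() {
    tmp=$(mktemp -d)
    printf 'session required pam_mkhomedir.so skel=%s/skel/ umask=0077\n' "$tmp" > "$tmp/pam.login"
    printf 'session required pam_mkhomedir.so skel=%s/skel/ umask=0022\n' "$tmp" > "$tmp/pam.weak"
    mkdir -p "$tmp/skel" && printf 'umask 077\n' > "$tmp/skel/.profile"
    check_mkhomedir_umask "$tmp/pam.login" && echo "pam.login: umask ok"
    check_mkhomedir_umask "$tmp/pam.weak" || echo "pam.weak: umask too permissive"
    make_home_from_skel "$tmp/home/alice" "$tmp/skel" 0077
    echo "$tmp/home/alice: $(home_dir_mode "$tmp/home/alice")"
    rm -rf "$tmp"
}

demo_mkhomedir
```

The same check can be run over /etc/pam.d/* to find service files where the module was added without a umask parameter.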

Special Notices

This material has not been submitted to any formal IBM test and is published AS IS. It has not been the subject of rigorous review. IBM assumes no responsibility for its accuracy or completeness. The use of this information or the implementation of any of these techniques is a client responsibility and depends upon the client's ability to evaluate and integrate them into the client's operational environment.

Profile

Publish Date
25 May 2004

Author(s)

IBM Form Number
TIPS0410