# Use LDAP to manage system users on Linux

This configuration uses _nsswitch_ in _compat_ mode, which is supposedly obsolete but much more convenient than the alternatives.

## Install packages

    emerge -va sys-auth/nss_ldap sys-auth/pam_ldap sys-apps/unscd

Note: unscd (Micro Name Service Caching Daemon) is not necessary, but it’s recommended.


## Configure

1. Copy and edit `ldap.conf` to /etc/.
2. Copy `nsswitch.conf` to /etc/.
3. Copy `system-auth` and `system-login` to /etc/pam.d/.
4. Copy `useradd-nis` and `userdel-nis` scripts to /usr/local/bin/.
5. If you want to allow access for explicitly named users only, add this catch-all line to the end of /etc/passwd, which gives every other LDAP user the `/sbin/nologin` shell:

        +::::::/sbin/nologin

6. (Optional) Enable and start the unscd daemon:

        rc-update add unscd default
        rc-service unscd start


## Allow specific user

Add an entry to /etc/passwd as usual, but prefix the name with `+` and leave empty the fields that LDAP should provide. For example:

    +flynn:::::/home/flynn:/bin/zsh

Note: This configuration does not use LDAP groups; each LDAP user is assigned to gid 100. It can easily be modified to use LDAP groups if you want to.
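To check how the `+flynn` entry above and the catch-all `+::::::/sbin/nologin` line from step 5 combine with directory data, here is a small resolver that mimics the merge rule of glibc's compat mode (non-empty password, gecos, home and shell fields on a `+` line override the LDAP values; uid and gid always come from LDAP). This is an added example, not part of the original page; the LDAP records and the /etc/passwd text are constructed.

```python
"""Simulate nsswitch 'compat' lookups against /etc/passwd '+'/'-' entries.
Added illustration only; LDAP_USERS stands in for what nss_ldap returns."""

FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")

# Constructed posixAccount records as nss_ldap would hand them back.
LDAP_USERS = {
    "flynn": dict(zip(FIELDS, ("flynn", "x", "2001", "100", "Kevin Flynn",
                                "/home/flynn", "/bin/bash"))),
    "clu":   dict(zip(FIELDS, ("clu", "x", "2002", "100", "",
                                "/home/clu", "/bin/bash"))),
}

# /etc/passwd as the page configures it: a named '+' entry, then the catch-all.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
+flynn:::::/home/flynn:/bin/zsh
+::::::/sbin/nologin
"""

def parse_passwd(text):
    """Split passwd lines into dicts; a line must have exactly seven fields."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError(f"malformed passwd line: {line!r}")
        entries.append(dict(zip(FIELDS, parts)))
    return entries

def resolve(name, passwd_text=PASSWD, ldap=LDAP_USERS):
    """Return the merged passwd record for `name`, or None if not allowed."""
    for e in parse_passwd(passwd_text):
        key = e["name"]
        if key == name:                 # plain local entry wins outright
            return e
        if key == "-" + name:           # explicit exclusion stops the lookup
            return None
        if key in ("+" + name, "+") and name in ldap:
            merged = dict(ldap[name])
            # Only these four fields may be overridden by a non-empty value.
            for f in ("passwd", "gecos", "home", "shell"):
                if e[f]:
                    merged[f] = e[f]
            return merged
    return None
```

Running `resolve("clu")` shows why the catch-all matters: a valid directory account that is not listed explicitly still resolves, but only with `/sbin/nologin` as its shell.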