Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month, online, via Jitsi Meet.

BLU Discuss list archive



[Discuss] Using sftp without a shell account



On 12/29/2014 3:16 PM, Derek Martin wrote:
> On Sun, Dec 28, 2014 at 08:58:13PM -0500, Bill Horne wrote:
>> I'm setting up an LDAP-based server, which will be used for file
>> transfers among other things. I'd like to allow LDAP users to access
>> the machine via sftp, but I can't figure out how to do that without
>> giving each user a local shell account, and I'm looking for advice.
> The long and short of it is you need to make sure that OpenSSH is
> using PAM, and that your PAM configuration is correct for doing LDAP
> lookups for account info and such.  You also need to modify
> /etc/nsswitch.conf.

I don't see an nsswitch.conf file on the machine.

>
> This page may or may not be useful:
>
>    https://wiki.debian.org/LDAP/NSS

I'll check it out, thanks.

>
>> The LDAP users can access ftp without trouble, but not sftp.
> That is potentially interesting, but there are a wide variety of ftp
> servers, and configuring authentication for them varies as well.
> Without more details about how your system is configured, I expect it
> will be difficult to provide additional useful advice.

It's a Mac Mini, with a generic OS X Yosemite installation, and OS X 
Server 4.1 installed.

There are a couple of "local" users, which are just administrative 
accounts. Everyone else is a "network" user, entered in Open Directory 
but not in the local machine. I'm hoping that Open Directory is "close 
enough" to OpenLDAP that I can transfer knowledge.

Thanks for your help!

Bill
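The PAM/NSS setup Derek outlines, written out as an added example that is not part of the thread and assumes a Linux host with OpenLDAP, an LDAP group named "sftponly", and per-user chroot directories under /srv/sftp (all of these are assumptions, and the PAM lines are a simplified illustration rather than a distribution's stock file). The point is that sshd cannot log a user in until NSS can resolve the account (uid, home directory), which is what nsswitch.conf provides, while the sftp-only restriction itself lives in sshd_config so that no interactive shell is ever granted:

```conf
# /etc/nsswitch.conf (excerpt): let getpwnam() find LDAP users after local files
passwd:  files ldap
group:   files ldap
shadow:  files ldap

# /etc/pam.d/sshd (excerpt, simplified): authenticate against LDAP, fall back to local accounts
auth     sufficient pam_ldap.so
auth     required   pam_unix.so try_first_pass
account  sufficient pam_ldap.so
account  required   pam_unix.so

# /etc/ssh/sshd_config (excerpt)
UsePAM yes
Subsystem sftp internal-sftp

# Assumed LDAP group "sftponly": file transfer only, no shell, TTY or tunnelling.
# ChrootDirectory must be owned by root and not writable by the user.
Match Group sftponly
    ForceCommand internal-sftp
    ChrootDirectory /srv/sftp/%u
    AllowTcpForwarding no
    X11Forwarding no
    PermitTTY no
```

A user in sftponly can be given /usr/sbin/nologin as a login shell and still transfer files, since ForceCommand internal-sftp never invokes the shell; verify the result with `sshd -T -C user=<name>` before reloading.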



BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org