I’m currently fine-tuning a central authentication scenario using 389 Directory Server and NFS. It’s supposed to replace the current configuration using NIS and NFS, which works fine, except there are some security issues with NIS. Anyway.
The server is running CentOS, and all desktop clients are running OpenSUSE Leap 15.1.
The whole thing works rather nicely at the moment. Clients can authenticate via LDAPS, and the user’s home directories even get created on the first connection. In YaST’s LDAP client configuration, there’s a corresponding checkbox to create home directories automatically.
Now the home directory does get created indeed, but its permissions are 755 (drwxr-xr-x), which is definitely not sane. So here’s my first question (one dragon at a time):
Can I define sane default permissions like 700 (drwx------) for home directories in a central authentication scenario against 389 directory server?
UMASK is set in /etc/login.defs, but it has the side effect of setting the umask in each user session, not just home directory permissions. For this reason upstream added the HOME_MODE variable to explicitly control new home directory permissions, although I understand it is probably not much help in the case of Leap 15.1.
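As an added example (not part of this thread), a small POSIX shell audit that reads the two login.defs settings discussed above and checks a home root for directories that are wider than the expected mode. It assumes GNU coreutils `stat -c` and the shadow-utils behaviour the answer describes (HOME_MODE takes precedence; otherwise the mode is 0777 masked by UMASK); the sample login.defs files and home directories are constructed.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Assumes GNU coreutils (stat -c '%a') and shadow-utils semantics:
# HOME_MODE wins when set, otherwise new homes get 0777 & ~UMASK.

# expected_home_mode FILE -> prints the 3-digit octal mode a new home
# directory would receive under the given login.defs.
expected_home_mode() {
    defs="$1"
    home_mode=$(awk '$1=="HOME_MODE"{m=$2} END{print m}' "$defs")
    umask_val=$(awk '$1=="UMASK"{u=$2} END{print u}' "$defs")
    if [ -n "$home_mode" ]; then
        printf '%03o\n' "$((0$home_mode))"          # normalise 0700 -> 700
    else
        [ -n "$umask_val" ] || umask_val=022         # shadow-utils default
        printf '%03o\n' "$(( 0777 & ~0$umask_val ))" # 022 -> 755, 077 -> 700
    fi
}

# audit_homes ROOT MODE -> prints "<mode> <dir>" for each direct
# subdirectory of ROOT whose mode differs from MODE (e.g. 700).
audit_homes() {
    root="$1"; want="$2"
    for d in "$root"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        have=$(stat -c '%a' "$d")
        [ "$have" = "$want" ] && continue
        printf '%s %s\n' "$have" "$d"
    done
    return 0
}

# make_fixture -> builds a constructed test tree and prints its path:
# a Leap-style login.defs without HOME_MODE, one with HOME_MODE, and a
# home root holding one 755 directory (the problem case) and one 700.
make_fixture() {
    t=$(mktemp -d)
    printf 'UMASK\t022\n' > "$t/login.defs.umask"
    printf 'UMASK\t022\nHOME_MODE\t0700\n' > "$t/login.defs.homemode"
    mkdir -p "$t/home/alice" "$t/home/bob"
    chmod 755 "$t/home/alice"
    chmod 700 "$t/home/bob"
    printf '%s\n' "$t"
}

# Real-world use: expected_home_mode /etc/login.defs; audit_homes /home 700
```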