RE: Using LDAP to share users among Linuxes
Hi Tuomo,

> It seems like there would be open source components for all
> tasks, I need to download
>
> 1) OpenLDAP
> 2) nss-ldap module
> 3) pam-ldap module
> 4) Migration scripts

Sounds good. You don't actually need pam_ldap if (a) you are using
crypted passwords and (b) you don't want to use PAM to change users'
passwords. And (c) you don't mind exposing hashed passwords in the
directory (see below).

> It seems that there are modules+migration scripts available at
> www.padl.com as well as at www.rage.net. Which one should I use? Does

The PADL software is more current, and being actively maintained. If
you can deal with compiling it yourself, then you should definitely
use this one. I'd love to recommend the rage.net packages, but they
don't appear to have been updated in some time. There are actually
Debian packages for all these things in Potato, if you're using dpkg.

> anyone know if I can implement anything like NIS netgroups (mainly for
> grouping users reflecting organizational structure somewhat)
> when using these modules?

The RFC 2307 schema does show how to represent NIS netgroups.
Unfortunately, no one has ever got around to implementing NIS netgroup
support in nss_ldap. It's a little hairy as the interfaces for the
Solaris and GNU nameservice switches are quite different for netgroups.
Still, it shouldn't be that hard, because you can still retain the
netgroup triple parsers used for NIS. Send patches to dev@padl.com!
 
> How about security? As far as I understand, the LDAP solution doesn't
> hide hashed passwords from users. How could I implement hiding?

You can use ACLs to hide the userPassword attribute from users. The
flip-side is that nss_ldap won't be able to return the password in
the pw_passwd field, so you'll need to use pam_ldap as well. If you
don't use pam_ldap with SSL, then the password is transmitted over
the network in the clear. There is code in pam_ldap to support SSL
with Netscape's C LDAP SDK, but no one has confirmed that it works
yet. (PADL use Kerberos, not SSL, internally.)
 

-- Luke
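
As an added illustration (not part of Luke's message or of the PADL software), here is what the userPassword hiding described above looks like in an OpenLDAP slapd.conf. It assumes OpenLDAP 2.x ACL syntax; the suffix and attribute names other than userPassword are placeholders.

```conf
# Added example: OpenLDAP slapd.conf access control (assumes OpenLDAP 2.x
# ACL syntax). Directives are evaluated in order and the first "access to"
# clause matching the attribute wins, so the userPassword rule must come
# before the catch-all rule at the bottom.

# --- Before: what nss_ldap needs if it is to fill pw_passwd itself ---
# Every client, including anonymous ones, can read every userPassword
# hash, which is exactly the exposure raised in the question.
#access to *
#        by * read

# --- After: hide the hashes and let pam_ldap do the authentication ---
# "by anonymous auth" lets a client bind (the server compares the offered
# password against the stored hash) without ever reading the hash.
# "by self write" lets a user change their own password via pam_ldap.
# Everyone else gets nothing, so nss_ldap can no longer return the hash
# in pw_passwd and pam_ldap becomes mandatory for logins.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Ordinary account attributes (uid, uidNumber, gidNumber, homeDirectory,
# loginShell, ...) stay readable so nss_ldap can still resolve users and
# groups for getpwnam(), getgrnam() and friends.
access to *
        by * read
```

Because the bind still sends the cleartext password to the server, this ACL only helps if the pam_ldap connection itself is protected (SSL/TLS or, as the message notes, Kerberos at PADL); otherwise the hash is hidden in the directory but the password crosses the wire in the clear.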