
Re: openldap, pam_ldap, accounts



On Sun, Dec 05, 1999 at 09:12:13AM +1100, David J N Begley wrote:
> On Sat, 4 Dec 1999, Ben Collins wrote:
> 
> > On Sat, Dec 04, 1999 at 12:31:05PM +1100, David J N Begley wrote:
> 
> > > If you are trying to move certain users entirely out of /etc/* files to
> > > an LDAP directory (but still have them act/react like normal UNIX
> > > users), then at the very least you will need both nss_ldap and pam_ldap.
> > 
> > Actually it depends on which PAM module you are using.
> [...]
> > For password changing you will need pam_ldap, so it can talk directly with
> > the ldap server.
> 
> As I said, "but still have them act/react like normal UNIX users".
> 
> > The nss_ldap module will keep a "shadow-like" system by using a separate
> > file for binddn and bind password with correct perms (root.shadow 640).
> 
> Is this the suggested patch submitted recently for PADL's nss_ldap/pam_ldap,
> or some Linux-specific hack?

Well, since file perms aren't Linux specific, this is just general usage in
nss_ldap (from looking over the latest version). Basically, nss_ldap won't
be able to get the password field unless it has enough perms to read the
"secret" file that contains the bind dn and bind password. So a sgid
shadow (or suid root) application will give it this ability.

-- 
 -----------=======-=-======-=========-----------=====------------=-=------
/  Ben Collins  --  ...on that fantastic voyage...  --  Debian GNU/Linux   \
`     bcollins@debian.org  -  collinbm@djj.state.va.us  -  bmc@visi.net    '
 `---=========------=======-------------=-=-----=-===-======-------=--=---'
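An added example, not from the thread or from the nss_ldap project: a small audit function that verifies the bind-credentials "secret" file carries the root:shadow 640 permissions discussed above, so that only root and sgid-shadow (or suid-root) helpers can read the bind password. The path /etc/ldap.secret is an assumed location; the expected owner and group are parameters so the check can be run against any installation.

```shell
#!/bin/sh
# Audit the nss_ldap "secret" file (bind DN + bind password).
# Expected state, as described in the thread: owner root, group shadow,
# mode 640 (-rw-r-----). 600 is accepted as a stricter alternative.
# Usage: check_secret_perms /etc/ldap.secret [owner] [group]
# The default path /etc/ldap.secret below is an assumption.

check_secret_perms() {
    file="$1"
    want_owner="${2:-root}"
    want_group="${3:-shadow}"
    [ -f "$file" ] || { echo "missing: $file"; return 1; }
    # GNU stat: octal mode, owner name, group name
    info=$(stat -c '%a %U %G' "$file") || return 1
    set -- $info
    mode="$1"; owner="$2"; group="$3"
    rc=0
    [ "$owner" = "$want_owner" ] || {
        echo "$file: owner is $owner, want $want_owner"; rc=1; }
    [ "$group" = "$want_group" ] || {
        echo "$file: group is $group, want $want_group"; rc=1; }
    # Any world permission bit exposes the bind password to every local user.
    case "$mode" in
        *0) ;;
        *) echo "$file: mode $mode grants world access"; rc=1 ;;
    esac
    # Group may read (sgid shadow helpers) but must not write; 640 or 600.
    case "$mode" in
        640|600) ;;
        *) echo "$file: mode $mode, want 640 (or 600)"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "$file: ok ($mode $owner:$group)"
    return "$rc"
}

# Stand-alone run against the assumed default location.
if [ "${0##*/}" != "sh" ] && [ -z "$LDAP_SECRET_NO_MAIN" ]; then
    check_secret_perms "${LDAP_SECRET:-/etc/ldap.secret}"
fi
```

Run as root on the directory client; a non-zero exit means the bind password is readable more widely than the thread's root:shadow 640 layout intends.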