
Re: passwd database



On Wed, Oct 02, 2002 at 11:37:23PM -0500, Justin Georgeson wrote:

> to configure a machine to use this ldap server for authentication. I get 
> the impression that the migration perl scripts from PADL are to take the 
> passwd file and create an LDAP database (type ldbm?) to authenticate 
> against. It didn't work. The migrate_all_scripts both complained (online 
> said it couldn't connect, offline said ldapadd didn't support the 
> necessary options). I know they are not from the OpenSSL group, I just 
> didn't think I would need to use them at all. I thought I could just use 
> the passwd database type and authenticate against that with the nss_ldap 

The passwd backend is extremely inefficient and I would not advise
using it in production. It is included in the code mainly as a demo of
how backends work.

> stuff, which I have installed and configured per the RH page linked 
> above. Is there anyone on the list who has got this working that can 
> give me a couple pointers? Thanks.

The migration scripts come from PADL, so you would probably find more
information in the nss_ldap list archives than here.

A few pointers:

(1)	Make sure you have up-to-date copies of the migration scripts.
	The version in the RedHat distro is probably quite old. I
	found that the version shipped with RH 7.1 gave problems.

(2)	I would advise using the 'online' version of the script, as
	slapd does more checking than slapadd and you will pick up on
	errors sooner.

(3)	Make sure you have an up-to-date OpenLDAP install. Again, the
	basic RedHat distro is probably a few versions behind. Check
	www.openldap.org to find the current version.

(4)	Similarly, make sure pam_ldap and nss_ldap are recent (at
	least check for updated RPMs from RedHat).

You may find more useful info in my paper on 'Security with LDAP':
http://www.skills-1st.co.uk/papers/security-with-ldap-jan-2002/security-with-ldap.html

You should also read Adam Williams' LDAP presentation:
ftp://kalamazoolinux.org/pub/pdf/ldapv3.pdf
Beware though - it is now well over 300 slides!

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------