
Multiple passwords. Configurable bind attribute. Etc..
Hi!

Background
----------

At a site where I'm involved, several systems are or are not available
to a certain user. For example, a user can have:

* One account on the internal network, with Linux and Windows systems.
* One account on a web site.
* One account on a demo Linux system.

I'm now thinking about assembling all different accounts and their
authentication information into one single database, and an LDAP
database might fit my needs.

My Problem
----------

Now, if all accounts were to be accessible by using the same password,
this would be easy. I'd just use pam_ldap/nss_ldap on the Linux
systems, configure Samba to store passwords in LDAP and modify the web
sites to use the LDAP as a password backend.

However, things are not that simple. I'd like the passwords for the
internal network to be different from the ones for the demo Linux
system, since the expected security level (possibility of hostile
software) is much higher on the latter. I don't want an attacker that
gains root access on the demo system to be able to snoop passwords
that can be used to access the internal systems.

Still, I'd like all accounts to be assembled in one place for easy
maintainability. The demo Linux system should preferably be a
replica of the master LDAP server, but not a complete replica, only
the most needed and least sensitive information should be replicated.

Is a solution that fulfills my needs possible with the help of
OpenLDAP?  If so, how? 

A possible solution
-------------------

One possible solution, as far as I can see, would be to make it
configurable which attribute is used as a password attribute when
doing a bind operation. If it was configurable, I could use one
attribute for binding from the internal systems, and one for binding
on the demo Linux system. The attribute I would use for bind
operations on the internal systems would of course not be replicated
to the demo system.

Comments? Suggestions? Would my idea be a good solution for my
problems? 

I've read a bit about the slapo-rwm overlay, perhaps that can be used
as part of the solution?

Regards,
\EF
-- 
Erik Forsberg                 http://www.lysator.liu.se/~forsberg/
GPG/PGP Key: 1024D/0BAC89D9
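The partial replica described in the post, as an added configuration example (not from the original message or the OpenLDAP project): a syncrepl consumer on the demo system that receives only a fixed list of account attributes, never userPassword, plus a provider-side ACL that denies the replica's bind identity read access to userPassword even if the attribute list were later widened. Hostnames, DNs, the replica bind identity and the slapd.conf layout are assumptions; this covers only the "least sensitive information" replication half of the question, not the separate bind attribute idea.

```conf
# --- On the master (provider): slapd.conf fragment, assumed layout ---
# Even the replica's own bind DN cannot read userPassword, so a widened
# attrs= list on the consumer still cannot pull password hashes.
access to attrs=userPassword
        by dn.exact="cn=demo-replica,ou=Replicas,dc=example,com" none
        by self write
        by anonymous auth
        by * none
# Remaining account attributes are readable by the replica identity.
access to dn.subtree="ou=People,dc=example,dc=com"
        by dn.exact="cn=demo-replica,ou=Replicas,dc=example,dc=com" read
        by self read
        by * none

# --- On the demo Linux system (consumer): slapd.conf fragment ---
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
directory       /var/lib/ldap

# Pull only posixAccount entries and only the attributes NSS needs.
# userPassword is deliberately absent from the attrs= list, so no
# password hash from the internal network ever lands on this host.
syncrepl        rid=001
                provider=ldap://ldap-master.example.com
                type=refreshAndPersist
                retry="60 +"
                searchbase="ou=People,dc=example,dc=com"
                filter="(objectClass=posixAccount)"
                scope=sub
                attrs="objectClass,uid,cn,uidNumber,gidNumber,homeDirectory,loginShell"
                schemachecking=off
                bindmethod=simple
                binddn="cn=demo-replica,ou=Replicas,dc=example,dc=com"
                credentials=REPLACE_WITH_REPLICA_PASSWORD
```

After the initial refresh, an `ldapsearch` on the demo host for any entry under ou=People should show no userPassword attribute, which is the check that the replica really is partial.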