Date: Sun, 30 Sep 2001 15:33:58 -0400 (EDT)
From: Joe Clarke
To: Gabriel Ambuehl
Subject: Re: pam_ldap and features requiring regular UNIX users...
Sender: owner-freebsd-questions@FreeBSD.ORG

On Sun, 30 Sep 2001, Gabriel Ambuehl wrote:

> Hello,
> I wonder whether there's any solution to use either pam_ldap or
> pam_mysql for user management (in a virtualhosting environment, so
> mostly for (S)FTP authentication) and still be able to use the
> benefits that come with the use of traditional /etc/master.passwd
> based users like FS quotas or suexec execution of CGI scripts.
> I for myself don't think there's any way to use those features
> without having the respective users in /etc/master.passwd and thus
> think it ain't any good for us, but before I definitely vote against
> the pam against database stuff, I'd like to check whether I'm
> right...


PAM in general is authentication only.  PAM allows you to keep passwords
in a central location.  However, for authorization and accounting, you
still need either a local password file or NIS/YP.  Therefore, all your
users can have a '*' for their password in master.passwd, but they need
to be there.  All your quota, home directories, groups, etc. will be
handled locally.  The only thing PAM will do for you is allow those users
to be authenticated remotely (via LDAP or MySQL).

I ported the pam_ldap module, and use it at home for my network.  It
works well.  The same company that writes pam_ldap, PADL, also has a YP
to LDAP gateway, and a nsswitch library for LDAP (requires -current).
Bill Moran on this and other FreeBSD lists was wanting to get YP/LDAP
working so he could do authorization as well as authentication with
LDAP.  You may want to search the archives to see if he's posted his
progress.

Joe

> Any comments would be greatly appreciated.
>
> Best regards,
> Gabriel

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
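
Added example, not part of the message above and not code from pam_ldap or PADL: a small audit of the arrangement the reply describes, where directory-authenticated users still need a master.passwd entry with '*' as the password. The user names, UIDs, hash and finding labels are constructed for illustration, and the shared-UID check goes beyond the reply, on the assumption that quotas and suexec are keyed on the UID.

```python
# Added example: audit master.passwd(5)-style entries for PAM-authenticated users.
FIELDS = ("name", "password", "uid", "gid", "class",
          "change", "expire", "gecos", "home_dir", "shell")

# Constructed sample data; names, UIDs and the hash are made up.
SAMPLE_PASSWD = """\
# constructed sample
alice:*:2001:2001::0:0:Alice:/home/alice:/usr/sbin/nologin
bob:$1$constructed$constructedhash:2002:2002::0:0:Bob:/home/bob:/bin/sh
dave:*:2001:2001::0:0:Dave:/home/dave:/usr/sbin/nologin
erin:*:2005:2005::0:0:Erin:/home/erin:/usr/sbin/nologin
"""
# Constructed list of users the directory (LDAP/MySQL) authenticates.
SAMPLE_USERS = {"alice", "bob", "carol", "dave", "erin"}


def parse_master_passwd(text):
    """Return {name: {field: value}} for every non-comment line."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields")
        entries[parts[0]] = dict(zip(FIELDS, parts))
    return entries


def audit(directory_users, entries):
    """List (user, finding) pairs for users the directory authenticates."""
    uid_owners = {}
    for name, entry in entries.items():
        uid_owners.setdefault(entry["uid"], []).append(name)
    findings = []
    for user in sorted(directory_users):
        entry = entries.get(user)
        if entry is None:
            # No local entry: no UID for quotas, home directory or suexec.
            findings.append((user, "missing-local-entry"))
            continue
        if entry["password"] != "*":
            # A local hash is a credential the directory does not control.
            findings.append((user, "local-password-set"))
        if len(uid_owners[entry["uid"]]) > 1:
            # Quotas and suexec key on the UID, so sharing one merges users.
            findings.append((user, "shared-uid"))
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_USERS, parse_master_passwd(SAMPLE_PASSWD)))
```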