Date:      Tue, 9 Apr 2002 15:30:29 +0000
From:      Bruce M Simpson <bms@spc.org>
To:        "Douglas K. Rand" <rand@meridian-enviro.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Centralized authentication
Message-ID:  <20020409153029.B10593@spc.org>
In-Reply-To: <874riov1et.wl@delta.meridian-enviro.com>; from rand@meridian-enviro.com on Sat, Apr 06, 2002 at 05:43:22PM -0600
References:  <874riov1et.wl@delta.meridian-enviro.com>

Douglas,

On Sat, Apr 06, 2002 at 05:43:22PM -0600, Douglas K. Rand wrote:
> We have a few dozen FreeBSD workstations and servers and as their
> numbers increase managing users and groups via individual /etc/passwd
> and /etc/group files is getting more and more tiresome. We also have
> just a few Linux boxes.
> 
> We aren't a huge site, everybody is in one building on the same
> network. 

Look into using an LDAP server with pam_ldap. At the moment, nss_ldap is
not supported on FreeBSD. What pam_ldap will give you is a means of securely
verifying a user's password, but unfortunately, nss_ldap is needed in
order to replace the /etc/group and /etc/passwd files via the
/etc/nsswitch.conf mechanism.

There is a workaround, which is to use NIS in a read-only, non-authenticating
mode purely to deliver the passwd and group maps with ypldapd, which is
a NIS-to-LDAP gateway. This is one alternative, if you're willing to live 
with the exposure of passwd/group file information being freely available
as NIS maps; far more acceptable than relying entirely on NIS/NIS+.

There is an architectural problem in that updating FreeBSD to use nss_ldap
requires that certain parts of the base system be rewritten to use dynamic
linking, much like Solaris. There are no firm plans to do this at this time,
to the best of my knowledge.


BMS
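As an added illustration (not part of this message, and not taken from the pam_ldap or ypldapd projects), the split the reply describes: password verification through pam_ldap over TLS, identity lookups (uid, gid, home, shell) through NIS maps published from LDAP by a gateway. The service names, module path, hostname, base DN and network range are assumptions, and whether ypldapd honours a ypserv-style securenets file is an assumption to check against its documentation.

```conf
# /etc/pam.conf (FreeBSD 4.x layout: service  type  control  module  args)
# Authentication goes to LDAP first; local passwd remains as fallback.
sshd    auth    sufficient  /usr/local/lib/pam_ldap.so
sshd    auth    required    pam_unix.so     try_first_pass
login   auth    sufficient  /usr/local/lib/pam_ldap.so
login   auth    required    pam_unix.so     try_first_pass

# /usr/local/etc/ldap.conf (read by pam_ldap; host and base are constructed)
# start_tls keeps the bind that checks the user's password off the wire
# in clear text.
host    ldap.example.org
base    dc=example,dc=org
ssl     start_tls

# /etc/nsswitch.conf
# Account data comes from local files first, then from the NIS maps the
# LDAP gateway serves. No password hashes are needed from NIS here, since
# pam_ldap already verifies the password against the directory.
passwd: files nis
group:  files nis

# /var/yp/securenets on the NIS gateway host (ypserv syntax: network  netmask)
# The passwd/group maps are readable by anyone who can reach the server;
# limiting that to the one building's network is the mitigation for the
# exposure the message describes. Range below is a constructed example.
127.0.0.1       255.255.255.255
192.0.2.0       255.255.255.0
```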
