Date: Tue, 9 Apr 2002 15:30:29 +0000
From: Bruce M Simpson <bms@spc.org>
To: "Douglas K. Rand" <rand@meridian-enviro.com>
Cc: freebsd-security@freebsd.org
Subject: Re: Centralized authentication
Message-ID: <20020409153029.B10593@spc.org>
In-Reply-To: <874riov1et.wl@delta.meridian-enviro.com>; from rand@meridian-enviro.com on Sat, Apr 06, 2002 at 05:43:22PM -0600
References: <874riov1et.wl@delta.meridian-enviro.com>
Douglas,

On Sat, Apr 06, 2002 at 05:43:22PM -0600, Douglas K. Rand wrote:
> We have a few dozen FreeBSD workstations and servers and as their
> numbers increase managing users and groups via individual /etc/passwd
> and /etc/group files is getting more and more tiresome. We also have
> just a few Linux boxes.
>
> We aren't a huge site, everybody is in one building on the same
> network.

Look into using an LDAP server with pam_ldap. At the moment, nss_ldap is not supported on FreeBSD.

What pam_ldap will give you is a means of securely verifying a user's password, but unfortunately, nss_ldap is needed in order to replace the /etc/group and /etc/passwd files via the /etc/nsswitch.conf mechanism.

There is a workaround, which is to use NIS in a read-only, non-authenticating mode purely to deliver the passwd and group maps with ypldapd, which is a NIS-to-LDAP gateway. This is one alternative, if you're willing to live with the exposure of passwd/group file information being freely available as NIS maps; far more acceptable than relying entirely on NIS/NIS+.

There is an architectural problem in that updating FreeBSD to use nss_ldap requires that certain parts of the base system be rewritten to use dynamic linking, much like Solaris. There are no firm plans to do this at this time, to the best of my knowledge.

BMS

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
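The following is an added example, not code from this thread or from the FreeBSD, pam_ldap or ypldapd projects. It checks the two things the reply above asks an administrator to accept when authentication goes through pam_ldap but passwd and group maps are delivered read-only over NIS: which databases nsswitch.conf actually hands to NIS, and whether the NIS passwd map carries real password hashes rather than lockout placeholders. The nsswitch.conf lines and the passwd-map entries below are constructed samples; the placeholder set and the seven-field passwd layout are my assumptions about the map format.

```python
"""
Added example (not from the mailing-list thread): audit the split the reply
describes, where PAM (pam_ldap) verifies passwords and the name-service
switch merely delivers passwd/group maps from NIS.

Assumptions (mine, not the thread's): nsswitch.conf uses the usual
"database: source source ..." syntax, and a NIS passwd map uses the seven
colon-separated fields of /etc/passwd. All sample input is constructed.
"""

# Constructed /etc/nsswitch.conf sample for the workaround in the reply:
# passwd and group come from files first, then NIS; NIS never authenticates.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed sample)
group:   files nis
passwd:  files nis
hosts:   files dns
"""

# Constructed NIS passwd map. A safe read-only map carries a lockout
# placeholder in the password field; a real hash there is readable by
# anyone who can query the NIS domain, which is the exposure the reply warns about.
SAMPLE_PASSWD_MAP = """\
alice:*:1001:1001:Alice:/home/alice:/bin/sh
bob:x:1002:1002:Bob:/home/bob:/bin/sh
carol:$1$ConstructedSaltXX$notarealhashjustasample/:1003:1003:Carol:/home/carol:/bin/sh
"""

# Password-field values that mean "no usable secret here" (assumed set).
PLACEHOLDERS = {"*", "x", "!", "!!"}


def parse_nsswitch(text):
    """Return {database: [sources, ...]} from nsswitch.conf text, ignoring comments."""
    sources = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, rest = line.split(":", 1)
        sources[db.strip()] = rest.split()
    return sources


def exposed_hashes(map_text):
    """Usernames whose passwd-map entry carries something other than a lockout placeholder.

    An empty field (no password at all) is flagged as well, since it is
    also not a placeholder.
    """
    exposed = []
    for line in map_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # not a passwd-format entry; skip rather than guess
        if fields[1] not in PLACEHOLDERS:
            exposed.append(fields[0])
    return exposed


def audit(nsswitch_text, passwd_map_text):
    """Summarise which databases NIS serves and whether the passwd map leaks hashes."""
    src = parse_nsswitch(nsswitch_text)
    nis_dbs = sorted(db for db, s in src.items() if "nis" in s)
    leaked = exposed_hashes(passwd_map_text) if "passwd" in nis_dbs else []
    return {"nis_databases": nis_dbs, "exposed_hash_users": leaked}


if __name__ == "__main__":
    print(audit(SAMPLE_NSSWITCH, SAMPLE_PASSWD_MAP))
```

Run against a real host, the two inputs would be the local nsswitch.conf and the output of dumping the passwd map from the NIS server; an empty `exposed_hash_users` list is what "read-only, non-authenticating" should look like, while any name in it means the gateway is publishing a hash that the LDAP bind through pam_ldap was supposed to keep private.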