From: Bruce M Simpson
To: "Douglas K. Rand"
Cc: freebsd-security@freebsd.org
Date: Tue, 9 Apr 2002 15:30:29 +0000
Subject: Re: Centralized authentication
Message-ID: <20020409153029.B10593@spc.org>
In-Reply-To: <874riov1et.wl@delta.meridian-enviro.com>

Douglas,

On Sat, Apr 06, 2002 at 05:43:22PM -0600, Douglas K. Rand wrote:
> We have a few dozen FreeBSD workstations and servers and as their
> numbers increase managing users and groups via individual /etc/passwd
> and /etc/group files is getting more and more tiresome. We also have
> just a few Linux boxes.
>
> We aren't a huge site, everybody is in one building on the same
> network.

Look into using an LDAP server with pam_ldap. At the moment, nss_ldap is not supported on FreeBSD.

What pam_ldap will give you is a means of securely verifying a user's password, but unfortunately, nss_ldap is needed in order to replace the /etc/group and /etc/passwd files via the /etc/nsswitch.conf mechanism.

There is a workaround, which is to use NIS in a read-only, non-authenticating mode purely to deliver the passwd and group maps with ypldapd, which is a NIS-to-LDAP gateway.
This is one alternative, if you're willing to live with the exposure of passwd/group file information being freely available as NIS maps; far more acceptable than relying entirely on NIS/NIS+.

There is an architectural problem in that updating FreeBSD to use nss_ldap requires that certain parts of the base system be rewritten to use dynamic linking, much like Solaris. There are no firm plans to do this at this time, to the best of my knowledge.

BMS
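The split the reply describes, with pam_ldap verifying passwords against LDAP and NIS serving only the passwd and group maps that ypldapd publishes from the directory, as an added configuration sketch that is not part of the original thread or of the pam_ldap/ypldapd projects. The server name, base DN, file locations and the FreeBSD 4.x pam.conf layout are assumptions.

```conf
# /etc/pam.conf (FreeBSD 4.x single-file layout: service type control module args)
# Password checks go to the LDAP server over TLS; pam_unix stays as the
# fallback for purely local accounts such as root.
# The pam_ldap.so path is the one the FreeBSD port installs (assumption).
login    auth    sufficient  /usr/local/lib/pam_ldap.so
login    auth    required    pam_unix.so        try_first_pass
sshd     auth    sufficient  /usr/local/lib/pam_ldap.so
sshd     auth    required    pam_unix.so        try_first_pass

# /usr/local/etc/ldap.conf, read by pam_ldap (host and base are assumptions)
host          ldap.example.com
base          dc=example,dc=com
ssl           start_tls
pam_password  exop

# /etc/nsswitch.conf: account and group lookups come from the local files
# first, then from the NIS maps that ypldapd generates out of LDAP.
passwd: files nis
group:  files nis

# The NIS side is read-only and non-authenticating: the password field that
# ypldapd exports should be a placeholder, so the maps only expose names,
# uids, gids, GECOS, home directories and shells (the exposure the reply
# says you have to accept), never hashes. Constructed example map entry:
#   rand:*:1001:1001:Douglas K. Rand:/home/rand:/bin/sh
# Check from any client:  ypcat passwd | awk -F: '$2 != "*" { print $1 }'
# should print nothing; any name it prints has a real hash in the map.
```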