Date: Tue, 9 Apr 2002 11:00:24 -0500 From: Will Andrews <will@csociety.org> To: Bruce M Simpson <bms@spc.org> Cc: "Douglas K. Rand" <rand@meridian-enviro.com>, freebsd-security@freebsd.org Subject: Re: Centralized authentication Message-ID: <20020409160024.GU75343@squall.waterspout.com> In-Reply-To: <20020409153029.B10593@spc.org> References: <874riov1et.wl@delta.meridian-enviro.com> <20020409153029.B10593@spc.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, Apr 09, 2002 at 03:30:29PM +0000, Bruce M Simpson wrote: > Look into using an LDAP server with pam_ldap. At the moment, nss_ldap is > not supported on FreeBSD. What pam_ldap will give you is a means of securely > verifying a user's password, but unfortunately, nss_ldap is needed in > order to replace the /etc/group and /etc/passwd files via the > /etc/nsswitch.conf mechanism. > > There is a workaround, which is to use NIS in a read-only, non-authenticating > mode purely to deliver the passwd and group maps with ypldapd, which is > a NIS-to-LDAP gateway. This is one alternative, if you're willing to live > with the exposure of passwd/group file information being freely available > as NIS maps; far more acceptable than relying entirely on NIS/NIS+. > > There is an architectural problem in that updating FreeBSD to use nss_ldap > requires that certain parts of the base system be rewritten to use dynamic > linking, much like Solaris. There are no firm plans to do this at this time, > to the best of my knowledge. You can also use my Perl script to regenerate the group and master.passwd files at will. See here: http://csociety.org/projects/ldap/ http://cvsweb.csociety.org/ldap/ This script has been tested on FreeBSD, NetBSD, and OpenBSD. Documentation is the script itself at the moment, due to lack of time. Perhaps some volunteer would be willing to write a manpage or something. Regards, -- wca To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020409160024.GU75343>