From: Will Andrews
To: Bruce M Simpson
Cc: "Douglas K. Rand", freebsd-security@freebsd.org
Subject: Re: Centralized authentication
Date: Tue, 9 Apr 2002 11:00:24 -0500
Message-ID: <20020409160024.GU75343@squall.waterspout.com>
In-Reply-To: <20020409153029.B10593@spc.org>
References: <874riov1et.wl@delta.meridian-enviro.com> <20020409153029.B10593@spc.org>

On Tue, Apr 09, 2002 at 03:30:29PM +0000, Bruce M Simpson wrote:
> Look into using an LDAP server with pam_ldap. At the moment, nss_ldap is
> not supported on FreeBSD. What pam_ldap will give you is a means of securely
> verifying a user's password, but unfortunately, nss_ldap is needed in
> order to replace the /etc/group and /etc/passwd files via the
> /etc/nsswitch.conf mechanism.
>
> There is a workaround, which is to use NIS in a read-only, non-authenticating
> mode purely to deliver the passwd and group maps with ypldapd, which is
> a NIS-to-LDAP gateway. This is one alternative, if you're willing to live
> with the exposure of passwd/group file information being freely available
> as NIS maps; far more acceptable than relying entirely on NIS/NIS+.
>
> There is an architectural problem in that updating FreeBSD to use nss_ldap
> requires that certain parts of the base system be rewritten to use dynamic
> linking, much like Solaris. There are no firm plans to do this at this time,
> to the best of my knowledge.

You can also use my Perl script to regenerate the group and master.passwd
files at will. See here:

http://csociety.org/projects/ldap/
http://cvsweb.csociety.org/ldap/

This script has been tested on FreeBSD, NetBSD, and OpenBSD. Documentation
is the script itself at the moment, due to lack of time. Perhaps some
volunteer would be willing to write a manpage or something.

Regards,
--
wca
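As an added illustration of the regeneration approach in the reply above (this is not Will's Perl script nor any code from the thread), the Python below turns a posixAccount/posixGroup dump into master.passwd(5) and group(5) lines, with the password field fixed to `*` so the flat files carry no credential and pam_ldap stays the only verifier. The LDIF is constructed sample data; a real run would read an export from the directory instead, and the output would still be fed through pwd_mkdb and kept root-only.

```python
SAMPLE_LDIF = """dn: uid=alice,ou=people,dc=example,dc=org
objectClass: posixAccount
uid: alice
uidNumber: 1001
gidNumber: 1001
gecos: Alice Example
homeDirectory: /home/alice
userPassword: {SSHA}constructed-not-a-real-hash

dn: cn=staff,ou=groups,dc=example,dc=org
objectClass: posixGroup
cn: staff
gidNumber: 1001
memberUid: alice
"""  # constructed sample dump, made-up data, not from any real directory

def parse_ldif(text):
    """Split a simple LDIF dump into entries of {attribute: [values]}."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, sep, val = line.partition(":")
            if sep:
                entry.setdefault(key.strip(), []).append(val.strip())
        entries.append(entry)
    return entries

def master_passwd_lines(entries):
    """master.passwd(5): name:pw:uid:gid:class:change:expire:gecos:home:shell.
    pw is always '*': the flat file cannot authenticate anyone, pam_ldap does."""
    out = []
    for e in entries:
        if "posixAccount" not in e.get("objectClass", []):
            continue
        try:
            name, home = e["uid"][0], e["homeDirectory"][0]
            uid, gid = int(e["uidNumber"][0]), int(e["gidNumber"][0])
        except (KeyError, ValueError):
            continue  # incomplete entry: skip it rather than emit a broken line
        gecos = e.get("gecos", [""])[0]
        shell = e.get("loginShell", ["/sbin/nologin"])[0]  # fail closed if unset
        out.append(f"{name}:*:{uid}:{gid}::0:0:{gecos}:{home}:{shell}")
    return out

def group_lines(entries):
    """group(5): name:pw:gid:member,member; pw is '*' for the same reason."""
    return [f"{e['cn'][0]}:*:{e['gidNumber'][0]}:{','.join(e.get('memberUid', []))}"
            for e in entries if "posixGroup" in e.get("objectClass", [])
            and "cn" in e and "gidNumber" in e]
```

Note that the userPassword hash present in the dump never reaches the generated lines; the directory remains the single place the credential lives.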