Date: Tue, 5 Mar 2002 11:03:06 +0000 From: Bruce M Simpson <bms@spc.org> To: Soeren Schroeder <sch@cybercity.dk> Subject: Re: PAM & LDAP - Pointer anyone? Message-ID: <20020305110306.A494@spc.org> In-Reply-To: <5.1.0.14.2.20020305094742.058185d8@mx00.cybercity.dk>; from sch@cybercity.dk on Tue, Mar 05, 2002 at 09:50:07AM %2B0100 References: <200202270356.g1R3u5u25254@ness.plymouth.edu> <5.1.0.14.2.20020305094742.058185d8@mx00.cybercity.dk>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, Mar 05, 2002 at 09:50:07AM +0100, Soeren Schroeder wrote: > > >Perhaps I am missing something obvious? If someone has done this and can > >point me in the right direction, it would be much appreciated. > > A workaround is installing ypldapd: > http://www.padl.com/ldap-nis_gateway.html > A nis server on top of ldap. Works like a charm ! > Then all your deamons works out of the box. We tried PAM LDAP and ditched it. If you are worried about security, I would not recommend running NIS. The combination of the FreeBSD integrated NIS client, together with pam_ldap.so running over LDAP/SSL, may be a more acceptable solution in terms of security. This way, the function which would normally be served by nss_ldap is served instead by the FreeBSD ypbind and ypldapd. pam.conf and the LDAP backend ACLs can be tightened so as to ensure password authentication only ever happens over an SSL session. Client side certificates can be used if one wishes to verify the identity of machines binding to a DN with privileges to do password authentication, or SASL can be used with users binding to their own DN in order to authenticate to each system. BMS To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020305110306.A494>