From owner-freebsd-security Tue Mar 5 03:16:05 2002
Date: Tue, 5 Mar 2002 11:03:06 +0000
From: Bruce M Simpson
To: Soeren Schroeder
Subject: Re: PAM & LDAP - Pointer anyone?
Message-ID: <20020305110306.A494@spc.org>
In-Reply-To: <5.1.0.14.2.20020305094742.058185d8@mx00.cybercity.dk>
References: <200202270356.g1R3u5u25254@ness.plymouth.edu> <5.1.0.14.2.20020305094742.058185d8@mx00.cybercity.dk>
List: freebsd-security@freebsd.org

On Tue, Mar 05, 2002 at 09:50:07AM +0100, Soeren Schroeder wrote:
> > Perhaps I am missing something obvious? If someone has done this and can
> > point me in the right direction, it would be much appreciated.
>
> A workaround is installing ypldapd:
> http://www.padl.com/ldap-nis_gateway.html
> A NIS server on top of LDAP. Works like a charm!
> Then all your daemons work out of the box. We tried PAM LDAP and ditched it.

If you are worried about security, I would not recommend running NIS.

The combination of the FreeBSD integrated NIS client, together with pam_ldap.so running over LDAP/SSL, may be a more acceptable solution in terms of security. This way, the function which would normally be served by nss_ldap is served instead by the FreeBSD ypbind and ypldapd. pam.conf and the LDAP backend ACLs can be tightened so as to ensure password authentication only ever happens over an SSL session.

Client-side certificates can be used if one wishes to verify the identity of machines binding to a DN with privileges to do password authentication, or SASL can be used with users binding to their own DN in order to authenticate to each system.

BMS

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
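The setup Bruce sketches above, written out as configuration: pam_ldap.so on the client talking LDAP over SSL, and the directory refusing any password bind that is not on an encrypted session. This is an added illustration, not configuration from the thread; the hostname, base DN, certificate paths and the SSF value of 128 are assumptions.

```conf
# --- /etc/pam.conf (FreeBSD 4.x layout: service type control module) ---
# Try the directory first; fall back to the local passwd database so
# root and emergency accounts still work when the LDAP server is down.
login   auth    sufficient  /usr/local/lib/pam_ldap.so
login   auth    required    pam_unix.so  try_first_pass
sshd    auth    sufficient  /usr/local/lib/pam_ldap.so
sshd    auth    required    pam_unix.so  try_first_pass

# --- /usr/local/etc/ldap.conf (read by pam_ldap.so on the client) ---
host            ldap.example.com        # assumed hostname
base            dc=example,dc=com       # assumed base DN
port            636
ssl             on                      # LDAP over SSL, never cleartext
tls_checkpeer   yes                     # refuse a server we cannot verify
tls_cacertfile  /usr/local/etc/ssl/cacert.pem
# Optional: a client certificate lets the server tell which machine is
# binding to the privileged DN, as the reply suggests.
tls_cert        /usr/local/etc/ssl/client-cert.pem
tls_key         /usr/local/etc/ssl/client-key.pem

# --- slapd.conf (OpenLDAP, server side) ---
TLSCertificateFile    /usr/local/etc/openldap/server-cert.pem
TLSCertificateKeyFile /usr/local/etc/openldap/server-key.pem
TLSCACertificateFile  /usr/local/etc/openldap/cacert.pem
TLSVerifyClient       try               # check client certs when presented
# Reject every simple (password) bind whose session carries less than
# 128 bits of protection: password authentication only over SSL.
security simple_bind=128
# Passwords are never readable; bind/compare against them only on an
# encrypted session. Everything else stays readable for ypldapd.
access to attrs=userPassword
        by ssf=128 self write
        by ssf=128 anonymous auth
        by * none
access to *
        by * read
```

With `security simple_bind=128` in place, a client that drops `ssl on` and tries port 389 gets its bind refused by the server rather than silently authenticating in the clear.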