Date: Wed, 7 Nov 2001 21:19:26 -0800
From: Will Yardley
To: security@FreeBSD.ORG
Subject: Re: NIS, rsync, and LDAP Re: sharing /etc/passwd
Message-ID: <20011107211926.A28670@hq.newdream.net>
In-Reply-To: <001b01c16814$48a1ea50$22b197ce@ezo.net>

Jim Flowers wrote:
> > It would be nice to be able to share /etc/passwd between Linux and
> > Freebsd -- so some layer of abstraction like an ldap_pam would be
> > great. I didn't know ldap pam existed. I'll look into it.

> An advantage of Kerberos, perhaps?

we use the same database for multiple platforms by storing everything in
a mysql database and then using a perl script to create the password
files and push them onto the machines (and create the passwd db files
for freebsd of course). perhaps not as elegant or complicated as ldap or
kerberos, but it is pretty effective, and pretty secure since scp is
used to copy the files from the controller machines.

most of our machines are linux, but i've been working on getting
everything working with freebsd, and that part seems to work ok so far
(just a few changes in the passwd file format).

the system will also update passwords in the db if a user has changed
it. it doesn't currently add users that are added manually, although
such a change would probably be trivial.

the 'standard' users are stored as parameters and are appended to the
top of every password / shadow / master.passwd file

w

-- 
GPG Public Key: http://infinitejazz.net/will/pgp/
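A sketch of the file-generation step described in the message above, as an added example that is not the poster's Perl script: it renders the same account rows as Linux passwd/shadow lines and as FreeBSD master.passwd lines, with the standard users written first, and rejects rows whose values would shift fields or add lines. The row layout, the `STANDARD` list, the sample data and all function names are assumptions; the database query, the scp push and FreeBSD's `pwd_mkdb` step are left out.

```python
import re

# Constructed sample rows standing in for the result of the database query.
ACCOUNTS = [
    {"name": "alice", "hash": "$1$constructed$hashAAAA", "uid": 1001, "gid": 1001,
     "gecos": "Alice Example", "home": "/home/alice", "shell": "/bin/sh"},
    # Stray colon in gecos: written as-is it would shift every later field.
    {"name": "mallory", "hash": "*", "uid": 1002, "gid": 1002,
     "gecos": "Mallory: Ops", "home": "/home/mallory", "shell": "/bin/sh"},
]
# The 'standard' users, kept as parameters and written at the top of every file.
STANDARD = [{"name": "root", "hash": "*", "uid": 0, "gid": 0, "gecos": "Charlie &",
             "home": "/root", "shell": "/bin/sh"}]
NAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,15}")

def check(a):
    """Reject values that would add fields or whole lines to a passwd file."""
    if not NAME_RE.fullmatch(a["name"]):
        raise ValueError("bad login name: %r" % a["name"])
    for key in ("hash", "gecos", "home", "shell"):
        if any(c in a[key] for c in ":\n\r"):
            raise ValueError("%s: illegal character in %s" % (a["name"], key))
    if not (isinstance(a["uid"], int) and isinstance(a["gid"], int)):
        raise ValueError("%s: uid/gid must be integers" % a["name"])
    return a

def linux_passwd(a):    # name:x:uid:gid:gecos:home:shell (hash lives in shadow)
    return "%s:x:%d:%d:%s:%s:%s" % (a["name"], a["uid"], a["gid"],
                                    a["gecos"], a["home"], a["shell"])

def linux_shadow(a):    # name:hash, then seven aging fields left empty
    return "%s:%s:::::::" % (a["name"], a["hash"])

def freebsd_master(a):  # name:hash:uid:gid:class:change:expire:gecos:home:shell
    return "%s:%s:%d:%d::0:0:%s:%s:%s" % (a["name"], a["hash"], a["uid"], a["gid"],
                                          a["gecos"], a["home"], a["shell"])

def render(accounts, standard=STANDARD):
    """Return ({filename: [lines]}, [rejection messages])."""
    good, rejected = list(standard), []
    for a in accounts:
        try:
            good.append(check(a))
        except ValueError as err:
            rejected.append(str(err))
    files = {"passwd": [linux_passwd(a) for a in good],
             "shadow": [linux_shadow(a) for a in good],
             "master.passwd": [freebsd_master(a) for a in good]}
    return files, rejected
```

The shadow and master.passwd outputs carry password hashes, so they need restrictive permissions on the controller machine as well as on the targets.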