Date:      Thu, 16 Feb 2006 20:06:13 +0100
From:      Stefan Bethke <stb@lassitu.de>
To:        Luigi Rizzo <rizzo@icir.org>
Cc:        current@freebsd.org
Subject:   Re: options for centralized 'passwd' database for a diskless lab ?
Message-ID:  <98DCE0F6-7C7B-4901-B0FC-D6B2D718A8E6@lassitu.de>
In-Reply-To: <20060214091150.A70808@xorpc.icir.org>
References:  <20060214091150.A70808@xorpc.icir.org>


On 14.02.2006 at 18:11, Luigi Rizzo wrote:

> As per the subject, what options do I have to set up a centralized
> 'passwd' database for a lab with FreeBSD diskless machines?
>
> In the past (4.x times) I used YP/NIS which did the job but was
> highly insecure (all traffic unencrypted) and also a bit of a pain
> to configure.
> It was convenient though because it let users change their
> password and other info just using the passwd command.
>
> I have been browsing around a bit, and I see that pam_* (tried
> pam_radius) can do for the authentication part but not for the
> other info; nss_* seems to be a better suit but the only thing I
> see is nss_ldap and I am not familiar with the latter.
>
> So any suggestions or pointers to pages describing what to do?

We're running a LDAP-based setup at my employer, using pam_ldap and
nss_ldap.  Getting the clients configured is a piece of cake, getting
your head wrapped around how to populate your LDAP repository isn't.
The Samba integration was the most painful to get going, and creating
machine accounts is still close to black magic for me.

That said, once you have it going, it's really nice.  We have our lab
with diverse OSes hooked up to the LDAP server as well, and control
access to the various machines through group membership.  Also, quite
a lot of web-based stuff is tied in.

For management, we're using phpldapadmin, which makes most day-to-day
tasks quite simple.

One drawback though: without a caching layer in the NSS, every ls(1)
will hit the LDAP server, and if you've configured nss_ldap to use
TLS, it's dead slow.  We decided we can live with an unencrypted
connection for NSS, but use TLS for PAM.


Stefan

-- 
Stefan Bethke <stb@lassitu.de>   Fon +49 170 346 0140
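The NSS/PAM split described in the reply above (plain LDAP for lookups, TLS only for authentication) is the usual corner that gets cut. The fragments below are an added configuration sketch, not from this thread or the posters, that keeps StartTLS with peer verification on both paths and puts nscd(8) in front of nss_ldap so that a lookup per ls(1) no longer means a TLS handshake per ls(1). The file paths, the nscd(8) availability, the hostname, base DN and CA file are assumptions; the unencrypted variant is kept only as a comment for comparison.

```conf
# /etc/nsswitch.conf (assumed: nscd(8) present, so lookups try the cache first)
passwd: cache files ldap
group:  cache files ldap

# /etc/nscd.conf (assumed path): keep positive passwd/group answers for 10 minutes
# so repeated ls(1) calls do not each open a fresh session to the directory
enable-cache passwd yes
positive-time-to-live passwd 600
negative-time-to-live passwd 60
enable-cache group yes
positive-time-to-live group 600

# /usr/local/etc/nss_ldap.conf (assumed path for the FreeBSD nss_ldap port)
# Unencrypted form from the thread, for comparison only:
#   host ldap.lab.example
#   base dc=lab,dc=example
# Hardened form: StartTLS, peer certificate checked against the lab CA (assumed file)
host ldap.lab.example
base dc=lab,dc=example
ssl start_tls
tls_checkpeer yes
tls_cacertfile /usr/local/etc/ssl/lab-ca.crt
# do not hang logins when the directory is unreachable; fail over to local files
bind_policy soft
nss_initgroups_ignoreusers root

# /usr/local/etc/ldap.conf (read by the pam_ldap port; same TLS settings)
host ldap.lab.example
base dc=lab,dc=example
ssl start_tls
tls_checkpeer yes
tls_cacertfile /usr/local/etc/ssl/lab-ca.crt
pam_login_attribute uid
# password changes go through the LDAP password-modify extended operation,
# so passwd(1) keeps working for users the way it did under NIS
pam_password exop

# /etc/pam.d/sshd excerpt: try the directory first, fall back to local accounts
auth      sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
auth      required    pam_unix.so                 no_warn try_first_pass
account   required    /usr/local/lib/pam_ldap.so  no_warn ignore_authinfo_unavail ignore_unknown_user
account   required    pam_unix.so
password  sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
password  required    pam_unix.so                 no_warn try_first_pass
```

With the cache in place, a diskless client verifies the directory's certificate on each new connection but answers most name lookups locally, so the TLS cost lands on the rare cache miss rather than on every directory listing.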