From: Stefan Bethke
Date: Thu, 16 Feb 2006 20:06:13 +0100
To: Luigi Rizzo
Cc: current@freebsd.org
Subject: Re: options for centralized 'passwd' database for a diskless lab ?

On 14.02.2006 at 18:11, Luigi Rizzo wrote:

> As per the subject, what options do I have to set up a centralized
> 'passwd' database for a lab with FreeBSD diskless machines?
>
> In the past (4.x times) I used YP/NIS, which did the job but was
> highly insecure (all traffic unencrypted) and also a bit of a pain
> to configure.
> It was convenient though, because it let users change their
> password and other info just using the passwd command.
>
> I have been browsing around a bit, and I see that pam_* (tried
> pam_radius) can do for the authentication part but not for the other
> info; nss_* seems to be a better fit, but the only thing I see is
> nss_ldap and I am not familiar with the latter.
>
> So any suggestions or pointers to pages describing what to do?

We're running an LDAP-based setup at my employer, using pam_ldap and nss_ldap. Getting the clients configured is a piece of cake; getting your head wrapped around how to populate your LDAP repository isn't. The Samba integration was the most painful to get going, and creating machine accounts is still close to black magic for me.

That said, once you have it going, it's really nice. We have our lab with diverse OSes hooked up to the LDAP server as well, and control access to the various machines through group membership. Also, quite a bit of web-based stuff is tied in. For management, we're using phpldapadmin, which makes most day-to-day tasks quite simple.

One drawback though: without a caching layer in the NSS, every ls(1) will hit the LDAP server, and if you've configured nss_ldap to use TLS, it's dead slow. We decided we can live with an unencrypted connection for NSS, but use TLS for PAM.

Stefan

--
Stefan Bethke
Fon +49 170 346 0140
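As an added configuration sketch, not taken from this thread or from the pam_ldap/nss_ldap projects, the following shows the split Stefan describes (TLS for the PAM authentication path, plain LDAP for the NSS lookup path) next to the alternative of keeping TLS on NSS and absorbing the cost with a cache. File paths follow the FreeBSD ports layout and the server name, base DN and bind DN are constructed placeholders; the key names are those of the PADL ldap.conf/nss_ldap.conf format.

```conf
# /etc/nsswitch.conf (assumed path)
# "cache" in front of the sources lets nscd(8) answer repeated lookups,
# so ls(1) on a large directory no longer issues one LDAP query per uid.
passwd: cache files ldap
group:  cache files ldap

# /usr/local/etc/nss_ldap.conf (assumed path) -- NSS lookup path
uri ldap://ldap.example.net/          # constructed placeholder host
base dc=example,dc=net                # constructed placeholder base DN
ldap_version 3
scope one
nss_base_passwd ou=People,dc=example,dc=net?one
nss_base_group  ou=Group,dc=example,dc=net?one
# Option A (the trade-off in the thread): no TLS on NSS traffic.
# Risk: account names, uids, gecos and group membership cross the wire in
# clear; acceptable only if the anonymous/NSS bind cannot read userPassword.
ssl no
# Option B (preferred when nscd is available): keep TLS and rely on the
# cache above for performance. Also verify the server certificate.
# ssl start_tls
# tls_checkpeer yes
# tls_cacertfile /usr/local/etc/ldap/cacert.pem   # assumed path
bind_timelimit 5
timelimit 5

# /usr/local/etc/ldap.conf (assumed path) -- PAM authentication path
# Passwords are sent in the bind, so this path is always encrypted.
uri ldap://ldap.example.net/
base dc=example,dc=net
ssl start_tls
tls_checkpeer yes
tls_cacertfile /usr/local/etc/ldap/cacert.pem
pam_login_attribute uid
# Use the password-modify extended op so the server, not the client,
# hashes the new password when users run passwd(1).
pam_password exop

# /etc/pam.d/sshd (assumed path; only the auth line shown)
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
```

With option A, confirm on the server side that the DN nss_ldap binds as (or the anonymous bind) is denied read access to the userPassword attribute, otherwise the hashes travel unencrypted alongside the lookups.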