Date: Thu, 16 Feb 2006 20:06:13 +0100
From: Stefan Bethke <stb@lassitu.de>
To: Luigi Rizzo <rizzo@icir.org>
Cc: current@freebsd.org
Subject: Re: options for centralized 'passwd' database for a diskless lab ?
Message-ID: <98DCE0F6-7C7B-4901-B0FC-D6B2D718A8E6@lassitu.de>
In-Reply-To: <20060214091150.A70808@xorpc.icir.org>
References: <20060214091150.A70808@xorpc.icir.org>
On 14.02.2006 at 18:11, Luigi Rizzo wrote:

> as per the subjects, what options do i have to set a centralized
> 'passwd' database for a lab with FreeBSD diskless machines ?
>
> In the past (4.x times) i used YP/NIS which did the job but was
> highly insecure (all traffic unencrypted) and also a bit of a pain
> to configure.
> It was convenient though because it let users change their
> password and other info just using the passwd command.
>
> I have been browsing around a bit, and i see that pam_* (tried
> pam_radius)
> can do for the authentication part but not for the other info;
> nss_* seems to be a better suit but the only thing i see is nss_ldap
> and i am not familiar with the latter.
>
> So any suggestions or pointers to pages describing what to do ?

We're running a LDAP-based setup at my employer, using pam_ldap and nss_ldap. Getting the clients configured is a piece of cake, getting your head wrapped around how to populate your LDAP repository isn't. The Samba integration was the most painful to get going, and creating machine accounts is still close to black magic for me.

That said, once you have it going, it's really nice. We have our lab with diverse OSes hooked up to the LDAP server as well, and control access to the various machines through group membership. Also, quite a lot of web-based stuff is tied in. For management, we're using phpldapadmin, which makes most day-to-day tasks quite simple.

One drawback though: without a caching layer in the NSS, every ls(1) will hit the LDAP server, and if you've configured nss_ldap to use TLS, it's dead slow. We decided we can live with an unencrypted connection for NSS, but use TLS for PAM.

Stefan

--
Stefan Bethke <stb@lassitu.de> Fon +49 170 346 0140
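The split Stefan describes (TLS for pam_ldap, a plain connection for nss_ldap) plus the caching layer that makes the TLS case affordable again can be expressed as a handful of client-side fragments. The following is an added example, not configuration from this thread or from either poster's site; the host name ldap.example.org, the base DN dc=example,dc=org and the CA file path are assumptions, and the `cache` source in nsswitch.conf with nscd(8) is assumed to be a FreeBSD 7 or later system (the original 4.x-era thread predates it).

```conf
# /usr/local/etc/ldap.conf  -- read by pam_ldap (authentication, password changes)
# Passwords cross this channel, so TLS is mandatory and the server cert is verified.
uri             ldap://ldap.example.org/
base            dc=example,dc=org
ssl             start_tls
tls_cacertfile  /usr/local/etc/ssl/lab-ca.crt
tls_checkpeer   yes
# Let "passwd" change the LDAP password via the password-modify extended operation.
pam_password    exop

# /usr/local/etc/nss_ldap.conf  -- read by nss_ldap (uid/gid/shell/home lookups)
# Same directory, no TLS: this is the trade-off the post describes. Only public
# account attributes travel here, but an attacker on the lab segment could still
# tamper with uid/gid answers, so this split assumes a trusted LAN or a caching
# layer in front of it so that TLS can be turned on without the ls(1) penalty.
uri             ldap://ldap.example.org/
base            dc=example,dc=org
ssl             no
nss_base_passwd ou=People,dc=example,dc=org?one
nss_base_group  ou=Group,dc=example,dc=org?one
# Do not hang every lookup for minutes when the server is unreachable.
bind_policy     soft

# /etc/nsswitch.conf  -- consult nscd's cache before files and LDAP
passwd: cache files ldap
group:  cache files ldap

# /etc/rc.conf  -- start the name-service cache daemon at boot
nscd_enable="YES"

# /etc/pam.d/system (auth section, excerpt) -- LDAP first, local files as fallback
auth    sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
auth    required    pam_unix.so                 no_warn try_first_pass
```

With the cache source in place, repeated getpwuid(3) calls from ls(1) are answered by nscd instead of opening a new LDAP connection each time, which is what removes most of the cost of switching the nss_ldap side to `ssl start_tls` as well.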