From owner-freebsd-security@FreeBSD.ORG Sun Mar 20 21:37:44 2005
Return-Path: 
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AA7C516A4CE for ; Sun, 20 Mar 2005 21:37:44 +0000 (GMT)
Received: from wproxy.gmail.com (wproxy.gmail.com [64.233.184.193]) by mx1.FreeBSD.org (Postfix) with ESMTP id 445B343D2D for ; Sun, 20 Mar 2005 21:37:44 +0000 (GMT) (envelope-from metrol.net@gmail.com)
Received: by wproxy.gmail.com with SMTP id 68so829137wri for ; Sun, 20 Mar 2005 13:37:43 -0800 (PST)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:references; b=EhmWGxWkojGLS7/ZQsqbEDboBTo3TAgbtCmNGDOJSA8ZuSvPOoV1lpVPxEfHYCxs8j8UZ9OFwsqONuRub4BIyKUKXZJFnWBDk/m7NTdLk0J69wCSyGk4yzy84lz17hlguP5YqNn94/AB0H1vxTM0wb4cd4Ee8SoZR3uHoauhCR4=
Received: by 10.54.78.16 with SMTP id a16mr2584142wrb; Sun, 20 Mar 2005 13:37:43 -0800 (PST)
Received: by 10.54.51.37 with HTTP; Sun, 20 Mar 2005 13:37:43 -0800 (PST)
Message-ID: 
Date: Sun, 20 Mar 2005 13:37:43 -0800
From: Michael Collette 
To: Lowell Gilbert 
In-Reply-To: <44hdj6fjuo.fsf@be-well.ilk.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
References: <44hdj6fjuo.fsf@be-well.ilk.org>
cc: FreeBSD Security 
Subject: Re: LDAP and Linux compatibility
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: Michael Collette 
List-Id: Security issues [members-only posting] 
List-Unsubscribe: , 
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: , 
X-List-Received-Date: Sun, 20 Mar 2005 21:37:44 -0000

On 20 Mar 2005 09:54:55 -0500, Lowell Gilbert wrote:
> Michael Collette writes:
>
> > Please excuse a wee bit of cross posting here. It seems that the
> > questions list may not be the appropriate place for this, as I've found
> > a number of unanswered posts involving this topic.
>
> On the -ports list, somebody pointed out that the linux-base ports
> include advice to edit /compat/linux/etc/yp.conf (I'm using NIS).
> I haven't tried this yet, but it makes sense that it would be
> necessary. For your case with LDAP, I suspect you would need to
> configure nsswitch.conf, probably the same way as the FreeBSD version
> in your real /etc directory.

The problem is, NIS is a built-in feature of both FreeBSD and Linux. Configuring FreeBSD to utilize LDAP involves at least 4 additional ports. You need pam_ldap, nss_ldap, openldap-client, and openssl. The 4th, of course, is optional but highly desirable for security reasons. Without this additional software, neither FreeBSD nor the compat/Linux install will do a lookup to an LDAP directory. It wouldn't know how, as you have to properly configure both pam_ldap and nss_ldap so they know how to query the directory.

I would think that the most desirable behavior would be to have any Linux calls to getpwuid_r() answered by the FreeBSD libraries rather than a direct attempt to look at the passwd database. Well, assuming that's what is happening. It just seems redundant to have to configure authentication for the base system, then do it again for the Linux compatibility.

Later on,
-- 
"When you come to a fork in the road....Take it" - Yogi Berra
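Editor's note: the message above names the four ports (pam_ldap, nss_ldap, openldap-client, openssl) and the two places that need nsswitch configuration, but shows none of the configuration itself. The fragments below are an added illustration written for this archive page; they are not from Michael Collette, Lowell Gilbert, or the ports in question. The hostname ldap.example.org, the base DN dc=example,dc=org, the CA file path and the ou=People/ou=Group containers are hypothetical placeholders, and the /usr/local/etc/ldap.conf and /usr/local/etc/nss_ldap.conf locations are the conventional install paths of the FreeBSD pam_ldap and nss_ldap ports of that period, stated here as an assumption. The weak and corrected ldap.conf settings are shown side by side so the point of the openssl dependency is concrete.

```conf
# /etc/nsswitch.conf on the FreeBSD host: local files first, then LDAP.
# The "ldap" source only exists once the nss_ldap port is installed.
group:  files ldap
passwd: files ldap
hosts:  files dns

# /compat/linux/etc/nsswitch.conf: glibc inside the compat tree reads this
# copy, not the FreeBSD one, so it needs the same sources spelled out again.
passwd: files ldap
group:  files ldap
shadow: files ldap

# /usr/local/etc/ldap.conf (pam_ldap) and /usr/local/etc/nss_ldap.conf (nss_ldap)
# (assumed port install paths; hostnames and DNs below are placeholders)
#
# WEAK: cleartext LDAP with no server verification. Bind passwords and the
# whole account database cross the wire in the clear, and any host that
# answers on port 389 can hand back arbitrary uid/gid mappings.
#   host         ldap.example.org
#   base         dc=example,dc=org
#   ldap_version 3
#   ssl          no
#
# CORRECTED: StartTLS on the standard port, with the server certificate
# checked against a pinned CA. This is what the openssl dependency buys.
host            ldap.example.org
base            dc=example,dc=org
ldap_version    3
ssl             start_tls
tls_cacertfile  /usr/local/etc/ssl/ldap-ca.crt
tls_checkpeer   yes
# Restrict lookups to the containers that are supposed to hold accounts,
# so an entry elsewhere in the tree cannot pose as a user or group.
nss_base_passwd ou=People,dc=example,dc=org?one
nss_base_group  ou=Group,dc=example,dc=org?one
# Return promptly when the directory is unreachable instead of retrying
# forever, so local (files) accounts still work when LDAP is down.
bind_policy     soft

# /etc/pam.d/sshd on FreeBSD: pam_ldap is consulted before the local
# password file; "try_first_pass" reuses the password already prompted for.
auth    sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
auth    required    pam_unix.so                 no_warn try_first_pass
```

With both nsswitch.conf copies pointing at ldap and the TLS settings in place, `getent passwd someuser` run natively and from inside the Linux compat tree should return the same entry; if only the native lookup succeeds, the /compat/linux/etc copy (or the Linux-side nss_ldap it needs) is the missing piece.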