Date: Mon, 8 Sep 2003 22:25:00 -0600
From: Tillman Hodgson <tillman@seekingfire.com>
To: freebsd-questions@freebsd.org
Subject: Re: nis security
Message-ID: <20030908222500.T11841@seekingfire.com>
In-Reply-To: <20030909032816.GN48339@dan.emsphone.com>; from dnelson@allantgroup.com on Mon, Sep 08, 2003 at 10:28:17PM -0500
References: <200309082359.07548.ajacoutot@lphp.org> <20030908161045.C11841@seekingfire.com> <42065386.1063047726@[192.168.10.11]> <20030908181529.P11841@seekingfire.com> <20030909032816.GN48339@dan.emsphone.com>

On Mon, Sep 08, 2003 at 10:28:17PM -0500, Dan Nelson wrote:
> In the last episode (Sep 08), Tillman Hodgson said:
> > > > I'm a bit biased, however: I use NIS with Kerberos and think it's the
> > > > cats pajamas :-)
> > >
> > > This sounds exactly like what we are looking for. Can you point us
> > > to any docs explaining how you do this??
> >
> > The rough instructions are fairly simple:
> >
> > * Set up Kerberos and ensure you have a working realm
> > * Set up NIS, but set all the passwd fields to something that doesn't
> >   map to a real password (I like 'krb5', others like '*')
>
> You can do something similar with LDAP, by using pam_ldap for
> authentication and NIS for the rest of the user info lookup.

That seems like a backwards use of LDAP to me - If I was going to use
LDAP, I'd rather use Kerberos for authentication and LDAP to provide the
user info lookup :-)

(This is essentially what active directory is, and combined with
Kerberos cross-realm authentication can make for some pretty neat single
sign on solutions)

-T

--
Love is the highest achievement to which any human may aspire. It is an
emotion that encompasses the full depth of heart, mind, and soul.
    - Zensunni Wisdom from the Wandering
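
An added example, not part of the original message: a check that a passwd map follows the placeholder convention from the quoted steps ('krb5' or '*' in every password field), so no crypt hash is handed out over NIS. It assumes passwd(5)-format lines on standard input (for example the output of `ypcat passwd`); the function names and the sample entries are constructed for illustration.

```python
import re
import sys

# Placeholders named in the thread: 'krb5' and '*'.
PLACEHOLDERS = {"krb5", "*"}

# crypt(3) output: modular "$id$..." form, or a traditional 13-character DES hash.
HASH_RE = re.compile(r"^(\$[0-9a-z]+\$.+|[./0-9A-Za-z]{13})$")

# Constructed sample map entries (not real accounts or hashes).
SAMPLE = [
    "alice:krb5:1001:1001:Alice:/home/alice:/bin/sh",
    "bob:*:1002:1002:Bob:/home/bob:/bin/sh",
    "carol:$1$abcdefgh$0123456789abcdefghijkl:1003:1003:Carol:/home/carol:/bin/sh",
    "dave::1004:1004:Dave:/home/dave:/bin/sh",
    "erin:abJnggxhB/yWI:1005:1005:Erin:/home/erin:/bin/sh",
    "broken line without fields",
]


def classify(field):
    """Classify the password field of one passwd-format entry."""
    if field in PLACEHOLDERS:
        return "placeholder"
    if field == "":
        return "empty"      # no password at all
    if HASH_RE.match(field):
        return "hash"       # a real crypt hash is visible to every NIS client
    return "unknown"        # lock marker or site-specific value; review by hand


def audit(lines):
    """Return (user, verdict) for every entry that is not a plain placeholder."""
    findings = []
    for number, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 7:  # passwd(5) has 7 fields, master.passwd has 10
            findings.append((f"<line {number}>", "malformed"))
            continue
        verdict = classify(parts[1])
        if verdict != "placeholder":
            findings.append((parts[0], verdict))
    return findings


if __name__ == "__main__":
    for user, verdict in audit(sys.stdin):
        print(f"{user}: {verdict}")
```
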