From: Tillman Hodgson
To: freebsd-questions@freebsd.org
Date: Mon, 8 Sep 2003 22:25:00 -0600
Subject: Re: nis security

On Mon, Sep 08, 2003 at 10:28:17PM -0500, Dan Nelson wrote:
> In the last episode (Sep 08), Tillman Hodgson said:
> > > > I'm a bit biased, however: I use NIS with Kerberos and think it's the
> > > > cats pajamas :-)
> > >
> > > This sounds exactly like what we are looking for. Can you point us
> > > to any docs explaining how you do this??
> >
> > The rough instructions are fairly simple:
> >
> > * Set up Kerberos and ensure you have a working realm
> > * Set up NIS, but set all the passwd fields to something that doesn't
> >   map to a real password (I like 'krb5', others like '*')
>
> You can do something similar with LDAP, by using pam_ldap for
> authentication and NIS for the rest of the user info lookup.

That seems like a backwards use of LDAP to me - If I was going to use LDAP,
I'd rather use Kerberos for authentication and LDAP to provide the user
info lookup :-)

(This is essentially what active directory is, and combined with Kerberos
cross-realm authentication can make for some pretty neat single sign on
solutions)

-T

--
Love is the highest achievement to which any human may aspire. It is an
emotion that encompasses the full depth of heart, mind, and soul.
- Zensunni Wisdom from the Wandering
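
One way to check the second step of the quoted instructions, as an added example that is not part of the original message: a Python audit that reads passwd-format NIS map text (for example the output of `ypcat passwd`) and flags any entry whose password field is empty or has the shape of a crypt(3) hash instead of a placeholder such as 'krb5' or '*'. The function names, the hash-shape patterns and the sample entries are constructed for illustration.

```python
import re

# Shapes a crypt(3) hash can take; a field matching none of them
# (such as 'krb5' or '*') cannot correspond to any real password.
HASH_PATTERNS = [
    re.compile(r"^[./0-9A-Za-z]{13}$"),   # traditional DES crypt
    re.compile(r"^_[./0-9A-Za-z]{19}$"),  # BSDi extended DES
    re.compile(r"^\$[0-9a-z-]+\$.+"),     # modular crypt: $1$, $2a$, $6$, ...
]

def classify(pw_field):
    """Return 'empty', 'hash' or 'placeholder' for one password field."""
    if pw_field == "":
        return "empty"        # account needs no password at all
    if any(p.match(pw_field) for p in HASH_PATTERNS):
        return "hash"         # a usable hash is published in the map
    return "placeholder"

def audit(map_text):
    """Return [(lineno, user, verdict)] for every non-placeholder entry."""
    findings = []
    for lineno, line in enumerate(map_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) not in (7, 10):    # passwd or master.passwd layout
            findings.append((lineno, fields[0], "malformed"))
            continue
        verdict = classify(fields[1])
        if verdict != "placeholder":
            findings.append((lineno, fields[0], verdict))
    return findings

# Constructed sample map; users and hash strings are made up.
SAMPLE = """\
alice:krb5:1001:1001:Alice:/home/alice:/bin/sh
bob:*:1002:1002:Bob:/home/bob:/bin/sh
carol:$1$abcdefgh$0123456789abcdefghijkl:1003:1003:Carol:/home/carol:/bin/sh
dave::1004:1004:Dave:/home/dave:/bin/sh
erin:ab0123456789x:1005:1005:Erin:/home/erin:/bin/sh
"""

if __name__ == "__main__":
    for lineno, user, verdict in audit(SAMPLE):
        print(f"line {lineno}: {user}: {verdict}")
```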