
Re: We need centralized accounts -- Any docs for ldap passwords?



On Mon, May 24, 1999 at 02:19:25PM -0500, Rob Browning wrote:
> Sergey V Kovalyov <sqk0316@SCIRES.ACF.NYU.EDU> writes:
> 
> > When you install libnss-ldap, there is a short howto in
> > /usr/doc/libnss-ldap
> > I also suggest downloading conversion tools from www.padl.com, which will
> > help populate the LDAP database
> 
> OK.  I'm back working on this, and I've gotten openldap
> etc. installed, and I've gotten the migration tools, read the HOWTO,
> and played with gq to see that I can actually see my database, and I'm
> about ready to try and cram my passwd/group stuff in there.  However,
> from looking at the migration tools, it seems that they can translate
> a lot more than just passwd/group stuff like services, protocols,
> aliases, fstab, etc.
> 
> So I'm a little curious now.  I'd like to get a brief overview of the
> overall picture.  Are people using ldap much for things like fstab?
> If so, how would that actually work, and how would it interact with
> other package upgrades?  (I can see how accounts work via glibc2 and
> libpam-ldap/libnss-ldap.)  Also, I'm wondering what, if any, the
> security concerns are relating to ldap access to passwd etc.
> 
> Can someone give me a brief overview or point me at an appropriate
> doc?  I haven't found one yet.

Documentation is a little lacking in this area. The main reason for putting
things like fstab, etc., into ldap is for diskless clients and large network
configurations (think centralizing). If you don't see an immediate need for
it, chances are you won't benefit from it. Currently the most common uses of
ldap for name services are shadow/passwd/group, mail aliases (exim can
compile with ldap support, as well as sendmail), and hosts information.

As far as security is concerned, right now OpenLDAP does not support SSL (work
is being done on that, so RSN), so your transactions over a network are in the
clear. Access by default to password information is limited to the owner of the
entry (i.e., I can see my encrypted password, but not yours or anyone else's) and
the admin (set up on install of openldap). This is better than NIS in that you
actually have to authenticate in order to gain access to the data (access is
not based on privileged ports, which is a downfall of NIS). Access to normal
account info (name, uid, home directory) is available anonymously by default,
but with proper access rules in slapd.conf you can force authentication in
order to obtain access (so that I can authenticate and be able to see your
info, but outside access won't be able to).

Hope this clears some things up.
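An added example, not part of the original thread, showing the two slapd.conf access policies described in the reply above: the default-style policy (password readable only by its owner and the admin, everything else anonymously readable) beside the hardened variant that requires an authenticated bind before any account data is returned. The syntax is the OpenLDAP 2.x `access` directive form (assumed; newer than the 1999 release discussed), and the suffix `dc=example,dc=com` and admin DN `cn=admin,dc=example,dc=com` are assumed placeholders.

```conf
# slapd.conf access rules (OpenLDAP 2.x syntax, assumed). Rules are evaluated in
# order and the first "access to" clause matching the target wins, so the
# password rule MUST precede the catch-all "access to *".

# --- Password attributes: owner and admin only -----------------------------
# "by anonymous auth" lets an unauthenticated client present a password for a
# simple bind without being able to read the stored hash; "by * none" denies
# everyone else, so user A cannot read user B's userPassword.
access to attrs=userPassword,shadowLastChange
        by dn.exact="cn=admin,dc=example,dc=com" write
        by self write
        by anonymous auth
        by * none

# --- Variant 1: default-style policy from the mail --------------------------
# Ordinary account attributes (cn, uid, homeDirectory, ...) are readable by
# anyone, including unauthenticated clients on the network.
access to *
        by dn.exact="cn=admin,dc=example,dc=com" write
        by * read

# --- Variant 2: hardened policy (use INSTEAD of Variant 1) ------------------
# Only a client that has completed a bind may read account info; anonymous
# clients may still bind ("auth") but get no data back. Note that without
# SSL/TLS the simple-bind password itself still crosses the wire in the clear.
#access to *
#        by dn.exact="cn=admin,dc=example,dc=com" write
#        by users read
#        by anonymous auth
#        by * none
```

To check which policy is in effect, run an anonymous search such as `ldapsearch -x -b "dc=example,dc=com" "(uid=someuser)"` and then repeat it with `-D "cn=admin,dc=example,dc=com" -W`; under Variant 2 the anonymous query returns no entries, and under both variants `userPassword` appears only in the admin's (or the owner's) results.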

