
Re: central authentication with LDAP



On Mon, 28 Jan 2002 21:31, Florian Bantner wrote:
> On Mon, 28 Jan 2002, Patrick Hsieh wrote:
> 2b. Create group-entries according to posixGroup
>
> Perhaps it is possible to combine them in one entry since debian
> uses the same number for uid, gid of one person. I'm currently
> trying this and it seems to work.

NB, it is not required to store any group data in LDAP.  For most 
installations the group data does not change often at all, and it can be more 
easily stored in /etc/group.  Using /etc/group for the data instead of LDAP 
reduces the number of queries (keep in mind that queries have to be done for 
supplemental groups too).

> 3. Install libpamldap & libnssldap
>
> nss is a complete replacement for all programs' access to the
> user-database. It should be possible to run a system with users in
> ldap without the pam_ldap module. when nsswitch is configured all
> requests to pam_unix go to ldap anyway.
>
> QUESTION: For what exactly do I need the pam_ldap module?

nss allows you to replace /etc/passwd and /etc/shadow with LDAP.

The PAM LDAP allows you to use non-SUID programs to change user-modifiable 
data (password, finger name, and shell) based on password authentication.  It 
allows you to use different crypt methods, different LDAP settings for 
different services (only in woody), and UID/GID limits to what the LDAP can 
specify, such as UID > 100 (not sure if potato has it).

> auth       sufficient pam_rootok.so
> auth       sufficient   pam_ldap.so
> auth       required   pam_unix.so use_first_pass
> account    sufficient   pam_ldap.so
> account    required   pam_unix.so
> session    required   pam_unix.so

I suggest putting pam_unix first and pam_ldap later in the list.  If you do 
otherwise then an LDAP problem can make it impossible to log in which is a 
real bitch.  I once had that happen to servers at a secure hosting facility, 
that was a real PITA.

> 6. setup libnss-ldap.conf to access your ldap-server

You could probably run without it, but "ls -l" won't show the user-names, and 
many programs won't like it.  libnss-ldap is only used after you've logged in.

-- 
http://www.coker.com.au/bonnie++/     Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/       Postal SMTP/POP benchmark
http://www.coker.com.au/projects.html Projects I am working on
http://www.coker.com.au/~russell/     My home page
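The ordering point made in the reply above, as an added check script that is not from the thread: it parses a PAM service file and flags an auth stack in which pam_ldap.so is consulted before pam_unix.so. Both sample stacks are constructed; the pam_unix-first variant's control flags (pam_unix sufficient, pam_ldap required with use_first_pass) are my own arrangement of the suggested order, not something the thread spells out.

```python
"""Flag PAM auth stacks that consult pam_ldap.so before pam_unix.so (added example)."""
import re
from typing import List, Tuple

# Constructed sample: the stack quoted in the thread, pam_ldap ahead of pam_unix.
LDAP_FIRST = """\
auth       sufficient   pam_rootok.so
auth       sufficient   pam_ldap.so
auth       required     pam_unix.so use_first_pass
account    sufficient   pam_ldap.so
account    required     pam_unix.so
session    required     pam_unix.so
"""

# Constructed sample of the suggested order: local check first, LDAP as fallback
# (the control flags here are an assumption, not taken from the thread).
UNIX_FIRST = """\
# local accounts are checked first, so an LDAP outage cannot lock them out
auth       sufficient   pam_rootok.so
auth       sufficient   pam_unix.so
auth       required     pam_ldap.so use_first_pass
account    sufficient   pam_ldap.so
account    required     pam_unix.so
session    required     pam_unix.so
"""

def parse_stack(text: str, mtype: str) -> List[Tuple[str, str, List[str]]]:
    """Return (control, module, args) for each line of management type `mtype`.
    Bracketed controls such as [success=done default=ignore] stay one token."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$", line)
        if not m or m.group(1) != mtype:
            continue
        entries.append((m.group(2), m.group(3), m.group(4).split()))
    return entries

def ldap_before_unix(text: str, mtype: str = "auth") -> bool:
    """True when pam_ldap.so is consulted before pam_unix.so in the given stack."""
    modules = [mod for _, mod, _ in parse_stack(text, mtype)]
    if "pam_ldap.so" not in modules or "pam_unix.so" not in modules:
        return False
    return modules.index("pam_ldap.so") < modules.index("pam_unix.so")

def findings(text: str) -> List[str]:
    """Human-readable findings for the auth stack only."""
    if ldap_before_unix(text, "auth"):
        return ["auth: pam_ldap.so precedes pam_unix.so; an unreachable LDAP "
                "server is hit before local accounts are checked"]
    return []

if __name__ == "__main__":
    for name, cfg in (("ldap-first", LDAP_FIRST), ("unix-first", UNIX_FIRST)):
        print(name, findings(cfg) or ["ok"])
```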