Re: best way to remotely manage user credentials
On Tue, May 13, 2008 at 02:51:54PM +0200, Wojciech Ziniewicz wrote:
> 2008/5/13 Thomas Goirand <thomas@goirand.fr>:
> > There's an easier way than writing it with a bash script. Use NSSMySQL
> > and write a small php/python/ruby/perl/whatever-you-like web application
> > for your users to change the password stored in MySQL. The other
> > advantage is that it's going to be damned easy to reuse this with
> > network, and to do backups. You can encrypt the MySQL connection if you
> > wish to prevent sniffing.
>
> I tried nss-mysql with no success.
>
> I have to store and use information that is exactly the same as normal
> ordinary PAM. What did not work with nss-mysql was su and passwd
> (users HAVE to use passwd on those systems).
>
> Probably I will write something like a master server with a MySQL database
> that will be bash-style replicated on other servers.

Because NSS is only used for lookup (read-only) queries.

For things like password management you need to install pam-mysql in
addition to nss-mysql and point its configuration to the same database
as NSS. I did it some time ago and it worked fine.

I had some issues with nscd instability though -- it crashed quite often
in this setup and I had to set up monitoring for that. I installed nscd
to decrease the load on the database.

Marcin
--
+---------------------------------------+
| -o) http://wanted.eu.org/
| /\\ Message void if penguin violated
+ _\_V Don't mess with the penguin
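
The reply above says pam-mysql has to point at the same database as NSS and that password changes go through PAM, not NSS. The following is an added example, not part of the original thread: a small consistency check over both configurations. It assumes the "key value" layout of libnss-mysql's config file and `key=value` options on `pam_mysql.so` lines; all hosts, account names and table names in the sample data are constructed placeholders.

```python
import shlex

# Constructed sample files: hosts, accounts and table names are placeholders.
NSS_CFG = """\
# /etc/libnss-mysql.cfg (assumed "key value" layout)
getpwnam  SELECT username,'x',uid,gid,gecos,homedir,shell FROM users WHERE username='%1$s' LIMIT 1
host      db1.example.internal
database  auth
username  nss_ro
"""

PAM_STACK = """\
# auth and password stacks, concatenated for the check
auth      sufficient pam_mysql.so user=pam_rw host=db1.example.internal db=auth table=users usercolumn=username passwdcolumn=password
password  sufficient pam_mysql.so user=pam_rw host=db2.example.internal db=auth table=users usercolumn=username passwdcolumn=password
"""

def parse_nss(text):
    """Return settings from 'key value' lines, skipping comments."""
    cfg = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and not line.lstrip().startswith("#"):
            cfg[parts[0]] = parts[1].strip()
    return cfg

def parse_pam(text):
    """Yield (module_type, options) for every line that loads pam_mysql.so."""
    for line in text.splitlines():
        fields = shlex.split(line, comments=True)
        hits = [i for i, f in enumerate(fields) if f.endswith("pam_mysql.so")]
        if hits:
            opts = dict(f.split("=", 1) for f in fields[hits[0] + 1:] if "=" in f)
            yield fields[0], opts

def check(nss_text, pam_text):
    """List the ways the PAM side disagrees with the NSS side."""
    nss, findings, types = parse_nss(nss_text), [], set()
    for mtype, opts in parse_pam(pam_text):
        types.add(mtype)
        for pam_key, nss_key in (("host", "host"), ("db", "database")):
            if opts.get(pam_key) != nss.get(nss_key):
                findings.append(f"{mtype}: {pam_key}={opts.get(pam_key)!r} "
                                f"differs from NSS {nss_key}={nss.get(nss_key)!r}")
    if "password" not in types:  # NSS is read-only, so passwd needs this stack
        findings.append("no 'password' line uses pam_mysql.so, so passwd cannot update the database")
    return findings

if __name__ == "__main__":
    print("\n".join(check(NSS_CFG, PAM_STACK)))
```
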