[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: SSL packages (LDAP PAM NSS) +

What I am wondering about is:
a) Does anyone maintain ssl versions of nss-, pam- ldap and openldap 2.0.1x?


Over the last two days I just completed converting my development environment to a fully LDAP NSS/PAM environment in preparation of converting the entire data center.

I used the slapd, libpam-ldap, and libnss-ldap (plus dependencies) packages from Woody to do so. I also used the PADL migration tools (maybe someone should package these and put them as recommended for the two libXXX-ldap packages).

None of this supports SSL. However, you can get around this two ways, neither of which I have yet done:

1) Get the source packages and recompile all of them with SSL support enabled
2) Use stunnel (or SSH or whatever) to set up SSL tunneling

I don't intend to do either for now. If you find an easier way (a prepackaged .deb way, preferably) please let me know. I did investigate doing #1, but the sheer number of options to openldap combined with my minimal knowledge of changing Debian package configuration prior to the simple build, stopped me until I had more time on my hands.

On the other hand, I would be very interested to know if you or anyone has a PAM/NSS/LDAP installation on Debian using slave LDAP servers as hot backups. I haven't seen any documented way of doing this anywhere, such as providing a list of servers which can be attempted.

For PAM, however, I suppose it's relatively simple to do something like:

auth    sufficient      pam_ldap.so
auth sufficient pam_ldap.so config=/etc/pam_ldap-slave.conf try_first_pass
auth    required                pam_unix.so nullok try_first_pass

(Although I haven't tried it yet)

On the other hand, I do not yet see a way to do this with NSS. I would welcome pointers.

I would like to advise you to ensure at least a+r permissions on /etc/nsswitch.conf. If you do not, then simple things like getent networks will not work for non-root users. The installation recommends mode 0600 which I found does NOT work because non-root users running programs using the glibc nss will not be able to get the answers from the now-depopulated /etc files.



Reply to: