
Re: NIS substitute



Paladin <paladin@netcabo.pt> writes:

> I've been trying for some time to change from NIS to LDAP.  ... I
> needed to install and configure SASL so that I had encryption for
> the whole process.  At that time I had to choose some libsasl modules,
> so I installed gssapi-mit and digestmd5-des.

Do you, in fact, want to migrate your network to using Kerberos?  It's
a moderate amount of infrastructure, and in fact would completely
replace having shadow files anywhere.

> Trying out the krb5 module (since the simpler digestmd5-des can be
> used), after configuring Kerberos I realized that I had to log in
> THROUGH Kerberos (or do kinit) before I could use ldapsearch with
> SASL.  But my objective with LDAP is to replace NIS at login time, so
> logging in with Kerberos ruins all my plans!

I know ~nothing about LDAP.  But, there are two somewhat obvious
possibilities if you need an LDAP/Kerberos world:

(1) Figure out a way to use LDAP unencrypted for only the information
    that would normally be in /etc/passwd.  (Which is close to what
    MIT does, but using Hesiod, which is a thin layer on top of DNS.)

(2) Generate a Kerberos keytab for each machine (you might want this
    anyways to allow things like inbound Kerberos-authenticated ssh).
    Get tickets using the keytab (kinit -k).  Using this, get
    Kerberos-authenticated LDAP entries.  Then lose the host tickets,
    verify the username, get a password, and using this, get user
    Kerberos tickets.

There might even be a good prepackaged way to do (2), but I really
don't know.

> To login with Kerberos I have to add all users as principals.

Yes.  <nods>  If you're using other infrastructure that supports it
(IMAP and AFS are obvious things that come to mind) then this still
might be a good way to go; it does save a fair bit of typing passwords
to get at things.  Otherwise, you probably want to ignore anything
that says "Kerberos" or "GSSAPI" in the package description.

-- 
David Maze         dmaze@debian.org      http://people.debian.org/~dmaze/
"Theoretical politics is interesting.  Politicking should be illegal."
	-- Abra Mitchell
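Option (2) from the reply above, written out as a shell script. This is an added example, not code from the original message or from any packaged tool; it assumes a host keytab in /etc/krb5.keytab holding a host/<fqdn> principal, a directory at ldap://ldap.example.com with people under ou=People,dc=example,dc=com, and user entries stored as RFC 2307 posixAccount objects (uid, uidNumber, gidNumber, gecos, homeDirectory, loginShell). All of those names are assumptions for illustration. The host lookup runs in its own credential cache (KRB5CCNAME) so the host tickets are thrown away with kdestroy before the user's own kinit, and the username is checked before it is put into an LDAP filter.

```shell
#!/bin/sh
# Added example (not from the original message): a sketch of option (2) above.
# Assumed, hypothetical settings; override them in the environment.
LDAP_URI="${LDAP_URI:-ldap://ldap.example.com}"
LDAP_BASE="${LDAP_BASE:-ou=People,dc=example,dc=com}"
HOST_KEYTAB="${HOST_KEYTAB:-/etc/krb5.keytab}"

# Accept only a plain username before it goes anywhere near an LDAP filter:
# no wildcards, parentheses or other RFC 4515 filter metacharacters.
validate_username() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*|-*) return 1 ;;
        *) return 0 ;;
    esac
}

# The search filter for one posixAccount entry (caller validates the name first).
user_filter() {
    printf '(&(objectClass=posixAccount)(uid=%s))' "$1"
}

# Convert the LDIF of a single posixAccount entry (on stdin) into one
# /etc/passwd-style line.  Base64 ("attr:: ...") values are not decoded here,
# so an entry using them for gecos would lose that field.
ldif_to_passwd() {
    awk '
        {
            i = index($0, ": ")
            if (i == 0) next
            key = substr($0, 1, i - 1); val = substr($0, i + 2)
            if (key == "uid")           uid = val
            if (key == "uidNumber")     uidn = val
            if (key == "gidNumber")     gidn = val
            if (key == "gecos")         gecos = val
            if (key == "homeDirectory") home = val
            if (key == "loginShell")    shell = val
        }
        END {
            if (uid == "" || uidn == "" || gidn == "") exit 1
            printf "%s:x:%s:%s:%s:%s:%s\n", uid, uidn, gidn, gecos, home, shell
        }'
}

# Steps 1-2 of option (2): host tickets from the keytab, into a private
# credential cache; Kerberos-authenticated (SASL/GSSAPI) LDAP lookup; then
# destroy the host tickets so nothing later runs with them.
lookup_user() {
    user="$1"
    validate_username "$user" || return 1
    KRB5CCNAME="FILE:/tmp/krb5cc_host_lookup.$$"; export KRB5CCNAME
    kinit -k -t "$HOST_KEYTAB" "host/$(hostname -f)" || { unset KRB5CCNAME; return 1; }
    ldapsearch -LLL -Q -Y GSSAPI -H "$LDAP_URI" -b "$LDAP_BASE" \
        "$(user_filter "$user")" uid uidNumber gidNumber gecos homeDirectory loginShell \
        | ldif_to_passwd
    status=$?
    kdestroy
    unset KRB5CCNAME
    return $status
}

# Step 3: the entry exists, so ask for the password and get the user's own
# tickets.  A successful kinit is the password check that /etc/shadow used to do.
user_login() {
    user="$1"
    entry=$(lookup_user "$user") || { echo "no such user: $user" >&2; return 1; }
    echo "$entry"
    kinit "$user"
}

# Usage: sh login-via-ldap-krb5.sh <username>
if [ $# -gt 0 ]; then
    user_login "$1"
fi
```

Only ldif_to_passwd, validate_username and user_filter run without a KDC and a directory; the rest needs the assumed infrastructure in place. A real login path would hand the passwd line to the NSS side and the kinit to PAM rather than doing both from one script, but the order of operations is the point: host tickets for the lookup, kdestroy, then user tickets from the password.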