Re: NIS substitute
Paladin <paladin@netcabo.pt> writes:
> I've been trying for some time to change from NIS to LDAP. ... I
> needed to install and configure SASL so that I had encryption for
> the whole process. At that time I had to choose some libsasl modules,
> so I installed gssapi-mit and digestmd5-des.
Do you, in fact, want to migrate your network to using Kerberos? It's
a moderate amount of infrastructure, and in fact would completely
replace having shadow files anywhere.
> Trying out the krb5 module (since the simpler digestmd5-des can be
> used) and after configuring Kerberos I realized that I had to login
> THROUGH Kerberos (or doing kinit) before I could use ldapsearch with
> SASL. But my objective with LDAP is to replace NIS at login time so
> logging in with Kerberos ruins all my plans!
I know ~nothing about LDAP. But, there are two somewhat obvious
possibilities if you need an LDAP/Kerberos world:
(1) Figure out a way to use LDAP unencrypted for only the information
that would normally be in /etc/passwd. (Which is close to what
MIT does, but using Hesiod, which is a thin layer on top of DNS.)
(2) Generate a Kerberos keytab for each machine (you might want this
anyways to allow things like inbound Kerberos-authenticated ssh).
Get tickets using the keytab (kinit -k). Using this, get
Kerberos-authenticated LDAP entries. Then lose the host tickets,
verify the username, get a password, and using this, get user
Kerberos tickets.
There might even be a good prepackaged way to do (2), but I really
don't know.
> To login with Kerberos I have to add all users as principals.
Yes. <nods> If you're using other infrastructure that supports it
(IMAP and AFS are obvious things that come to mind) then this still
might be a good way to go; it does save a fair bit of typing passwords
to get at things. Otherwise, you probably want to ignore anything
that says "Kerberos" or "GSSAPI" in the package description.
--
David Maze dmaze@debian.org http://people.debian.org/~dmaze/
"Theoretical politics is interesting. Politicking should be illegal."
-- Abra Mitchell
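The host-keytab sequence sketched in option (2) above, written out as an added example (not code from either poster). It assumes a realm EXAMPLE.COM, a directory at ldap.example.com under dc=example,dc=com and the usual machine keytab at /etc/krb5.keytab; the host tickets go into their own credential cache so dropping them cannot disturb any user's cache, and the username is validated before it is placed in an LDAP filter.

```shell
#!/bin/sh
# Added example of option (2): host tickets from the keytab, an LDAP
# lookup authenticated with them, drop them, verify the user, then kinit.
# Assumed values (not from the original mail): realm, LDAP server, base DN.
REALM="EXAMPLE.COM"
LDAP_URI="ldap://ldap.example.com"
BASE_DN="dc=example,dc=com"
KEYTAB="/etc/krb5.keytab"

# Principal held in the machine keytab: host/<fqdn>@REALM.
host_principal() {
    printf 'host/%s@%s\n' "$1" "$REALM"
}

# Only plain account names may reach the LDAP filter; anything else
# (parentheses, '*', '\') could alter the filter "(uid=...)" below.
valid_username() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
}

# Read LDIF on stdin; succeed only if some entry carries exactly "uid: $1".
# An exact line match is needed: a substring test would accept "alice2".
verify_uid() {
    grep -qx "uid: $1"
}

# Look the user up with host credentials kept in a private ticket cache
# (KRB5CCNAME), then lose the host tickets before anything else happens.
lookup_user() {
    user="$1"
    valid_username "$user" || return 1
    hostcc="$(mktemp /tmp/krb5cc_host.XXXXXX)"          # mode 0600
    KRB5CCNAME="FILE:$hostcc" kinit -k -t "$KEYTAB" \
        "$(host_principal "$(hostname -f)")" || { rm -f "$hostcc"; return 1; }
    ldif="$(KRB5CCNAME="FILE:$hostcc" ldapsearch -LLL -Y GSSAPI -H "$LDAP_URI" \
        -b "$BASE_DN" "(uid=$user)" uid uidNumber gidNumber homeDirectory loginShell)"
    rc=$?
    KRB5CCNAME="FILE:$hostcc" kdestroy                    # host tickets gone
    rm -f "$hostcc"
    [ "$rc" -eq 0 ] || return 1
    printf '%s\n' "$ldif" | verify_uid "$user"            # user really exists
}

# Usage: sh thisfile.sh USERNAME
# Once the directory confirms the account, kinit prompts for the user's
# password and obtains that user's own tickets (the final step of option 2).
if [ $# -gt 0 ]; then
    lookup_user "$1" && kinit "$1@$REALM"
fi
```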