Re: PAM & LDAP - Pointer anyone?

From: Bruce M Simpson (bms@spc.org)
Date: 03/05/02


Date: Tue, 5 Mar 2002 11:03:06 +0000
From: Bruce M Simpson <bms@spc.org>
To: Soeren Schroeder <sch@cybercity.dk>

On Tue, Mar 05, 2002 at 09:50:07AM +0100, Soeren Schroeder wrote:
>
> >Perhaps I am missing something obvious? If someone has done this and can
> >point me in the right direction, it would be much appreciated.
>
> A workaround is installing ypldapd:
> http://www.padl.com/ldap-nis_gateway.html
> A nis server on top of ldap. Works like a charm !
> Then all your daemons work out of the box. We tried PAM LDAP and ditched it.

If you are worried about security, I would not recommend running NIS. The
combination of the FreeBSD integrated NIS client, together with pam_ldap.so
running over LDAP/SSL, may be a more acceptable solution in terms of security.

This way, the function which would normally be served by nss_ldap is served
instead by the FreeBSD ypbind and ypldapd. pam.conf and the LDAP backend ACLs
can be tightened so as to ensure password authentication only ever happens
over an SSL session. Client side certificates can be used if one wishes to
verify the identity of machines binding to a DN with privileges to do password
authentication, or SASL can be used with users binding to their own DN in
order to authenticate to each system.

BMS

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
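The following configuration fragments are an added illustration of the arrangement described in the message above; they are not from the original thread or from the PADL/OpenLDAP projects. They assume an OpenLDAP slapd as the backend and PADL pam_ldap on a FreeBSD 4.x client (/etc/pam.conf format); the hostname ldap.example.org, the DNs under dc=example,dc=org, the proxy DN cn=pamproxy and every file path are hypothetical placeholders.

```text
#### slapd.conf (server side, assumed OpenLDAP; DNs and paths are placeholders)

# Server certificate plus the CA used to check client certificates.
TLSCertificateFile     /usr/local/etc/openldap/ldap.example.org.crt
TLSCertificateKeyFile  /usr/local/etc/openldap/ldap.example.org.key
TLSCACertificateFile   /usr/local/etc/openldap/ca.crt
# Require a client certificate, so a machine binding to a privileged DN
# has to prove its identity, not just know a bindpw.
TLSVerifyClient demand

# Refuse any simple bind that is not protected by a TLS session of
# at least 128 bits of security strength factor (SSF).
security simple_bind=128

# userPassword is never readable.  The only things permitted are:
#  - the per-host proxy DN may compare a password, over TLS only;
#  - a user may bind as their own DN (the "auth" right is evaluated as
#    anonymous during the bind itself), over TLS only;
#  - a user may change their own password, over TLS only.
access to attrs=userPassword
    by dn.exact="cn=pamproxy,ou=hosts,dc=example,dc=org" tls_ssf=128 compare
    by anonymous ssf=128 auth
    by self ssf=128 write
    by * none

# Everything else is the ordinary account data ypldapd serves as NIS maps.
access to *
    by * read

#### /usr/local/etc/ldap.conf (client side, PADL pam_ldap; placeholders as above)

host            ldap.example.org
base            dc=example,dc=org
ssl             on              # LDAP over SSL (ldaps://); "start_tls" is the other option
tls_checkpeer   yes             # verify the server certificate against the CA
tls_cacertfile  /usr/local/etc/openldap/ca.crt
tls_cert        /etc/ssl/thishost.crt   # client certificate presented to slapd
tls_key         /etc/ssl/thishost.key
binddn          cn=pamproxy,ou=hosts,dc=example,dc=org
# bindpw is deliberately omitted here; keep it in a root-only file.
pam_password    exop            # password changes via the LDAP password-modify extended op

#### /etc/pam.conf (FreeBSD 4.x; pam_ldap tried first, local passwd as fallback)

login   auth    sufficient  pam_ldap.so
login   auth    required    pam_unix.so     try_first_pass
sshd    auth    sufficient  pam_ldap.so
sshd    auth    required    pam_unix.so     try_first_pass
```

With this in place ypbind keeps answering the name-service lookups from the NIS maps ypldapd builds out of the directory, while every password check goes through pam_ldap over the TLS session. The point of the `ssf=128` / `tls_ssf=128` qualifiers and the `security simple_bind=128` directive is that a bind attempted in the clear is refused outright rather than quietly accepted, which is the property NIS cannot give you.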


