Re: LDAP and Linux compatibility

From: Michael Collette (metrol.net_at_gmail.com)
Date: 03/23/05

    Date: Wed, 23 Mar 2005 11:25:19 -0800
    To: Lowell Gilbert <freebsd-security-local@be-well.ilk.org>

    Well, came up with a solution as well as a new problem. Thought I'd
    at least share the solution here.

    In /etc/profile I'm calling a shell script called inituser.sh. Got
    this running to ensure the user's basic environment is all set up. In
    this script I now have it write to a file in /tmp with a line that
    looks like...

    bob:*:1000:1000:Bob Smith:/home/bob

    I then have a symbolic link from this file to
    /compat/linux/etc/passwd. With this in play, FreeBSD is properly
    performing an LDAP lookup, and Linux apps have somewhere to look for a
    proper user id. There are some security concerns I have with this,
    and it sure feels like a nasty little hack, but it seems to work for
    the moment.

    Now my problem has to do with linux-fontconfig. Neither acroread7 nor
    realplay will run due to complaining about fontconfig not being set up
    properly. Still futzing with this one. Thankfully though, neither
    app is still complaining about not being able to look up a user id.

    Later on,

    On Sun, 20 Mar 2005 13:37:43 -0800, Michael Collette
    <metrol.net@gmail.com> wrote:
    > On 20 Mar 2005 09:54:55 -0500, Lowell Gilbert
    > <freebsd-security-local@be-well.ilk.org> wrote:
    > > Michael Collette <metrol.net@gmail.com> writes:
    > >
    > > > Please excuse a wee bit of cross posting here. It seems that the
    > > > questions list may not be the appropriate place for this as I've found
    > > > a number of unanswered posts involving this topic.
    > >
    > > On the -ports list, somebody pointed out that the linux-base ports
    > > include advice to edit /compat/linux/etc/yp.conf (I'm using NIS).
    > > I haven't tried this yet, but it makes sense that it would be
    > > necessary. For your case with LDAP, I suspect you would need to
    > > configure nsswitch.conf, probably the same way as the FreeBSD version
    > > in your real /etc directory.
    >
    > The problem is, NIS is a built in feature of both FreeBSD and Linux.
    > Configuring FreeBSD to utilize LDAP involves at least 4 additional
    > ports. You need pam_ldap, nss_ldap, openldap-client, and openssl.
    > The 4th of course being optional but highly desirable for security
    > reasons.
    >
    > Without this additional software neither FreeBSD nor the compat/Linux
    > install will do a lookup to an LDAP directory. It wouldn't know how,
    > as you have to properly configure both pam_ldap and nss_ldap so they
    > know how to query the directory.
    >
    > I would think that the most desirable behavior would be to have any
    > Linux calls to getpwuid_r() answered by the FreeBSD libraries rather
    > than a direct attempt to look at the passwd database. Well, assuming
    > that's what is happening. It just seems redundant to have to
    > configure authentication for the base system, then do it again for the
    > Linux compatibility.
    >
    > Later on,
    > --
    > "When you come to a fork in the road....Take it"
    > - Yogi Berra
    >

    -- 
    "When you come to a fork in the road....Take it"
    - Yogi Berra
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
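The workaround described in the mail above (look the logged-in user up through the real NSS configuration, then hand a passwd-style line to the Linux compatibility tree), written out as an added example. This is not code from the original post or from the inituser.sh it mentions; the function names are mine, and the only path taken from the mail is /compat/linux/etc/passwd. `getent passwd` resolves the user through nsswitch.conf, so an nss_ldap user is found without any Linux-side LDAP setup; the entry is emitted in the seven-field form getent prints, with the hash masked to `*`. The writer refuses a symlink target and any world-writable directory, which is exactly what rules out the /tmp file the mail uses: in a world-writable directory any local user can pre-create or replace the file and plant whatever entry the Linux binaries will then trust.

```shell
#!/bin/sh
# Added example, not code from the original mail. Rebuilds one user's passwd
# entry from the real NSS database (so nss_ldap users resolve) and publishes
# it where the Linux compatibility tree expects it. Function names are mine.

# Mask the password field of a seven-field passwd(5) line, as printed by
# getent(1): name:pw:uid:gid:gecos:home:shell. Fails on anything shorter.
compat_passwd_line() {
    printf '%s\n' "$1" |
        awk -F: -v OFS=: 'NF >= 7 { $2 = "*"; print; exit 0 } { exit 1 }'
}

# Refuse a target whose directory is world-writable (this rules out /tmp:
# another user can pre-create or replace the file and plant an entry) or
# whose path is a symlink. Writes via a temp file in the same directory and
# renames, so readers never see a half-written passwd file.
write_compat_passwd() {
    line=$1
    target=$2
    dir=$(dirname "$target")
    if [ -n "$(find "$dir" -prune -perm -0002 2>/dev/null)" ]; then
        echo "refusing: $dir is world-writable" >&2
        return 1
    fi
    if [ -L "$target" ]; then
        echo "refusing: $target is a symlink" >&2
        return 1
    fi
    tmp=$(mktemp "$dir/.passwd.XXXXXX") || return 1
    if printf '%s\n' "$line" > "$tmp" && chmod 0644 "$tmp"; then
        mv -f "$tmp" "$target"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Look up one user (default: the invoking user) through nsswitch.conf and
# publish the masked entry. The default target path is the one in the mail.
publish_compat_entry() {
    user=${1:-$(id -un)}
    target=${2:-/compat/linux/etc/passwd}
    entry=$(getent passwd "$user") || { echo "no entry for $user" >&2; return 1; }
    line=$(compat_passwd_line "$entry") || return 1
    write_compat_passwd "$line" "$target"
}

# Example run with a constructed entry instead of a live directory lookup:
#   compat_passwd_line "bob:x:1000:1000:Bob Smith:/home/bob:/bin/sh"
# prints bob:*:1000:1000:Bob Smith:/home/bob:/bin/sh
```

The catch the mail runs into still applies: /etc/profile runs as the unprivileged user, who cannot write under /compat/linux/etc, and any location that user can write is by definition under that user's control. With the checks above the script simply refuses the /tmp arrangement; to make the entry trustworthy, `publish_compat_entry` has to be run by root (from a login hook or a periodic job) so the file lands in a root-owned directory.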
    
