Re: UNIX Authentication

From: Ian Clelland (ian_at_veryfresh.com)
Date: 12/31/03


Date: Wed, 31 Dec 2003 13:29:35 -0800
To: focus-linux@securityfocus.com

On Mon, Dec 22, 2003 at 09:25:11AM -0700, Ben Nelson wrote:
> Gareth Bromley wrote:
> >- LDAP seems to be the preferred method ongoing for SUN, and does
> >everything NIS/NIS+ does with SSL/TLS style encryption if required.
>
> I've thought of switching my environment over to LDAP, but I've been
> unable to find anything like NIS netgroups implemented with LDAP. Are
> you saying that there is some mechanism for this now?
>
> I'd love to switch over to LDAP, but I'm currently limiting access to
> certain classes of machines to certain classes of users... with NIS
> netgroup. I've heard of people using LDAP alongside NIS (just to serve
> the netgroup map), but I'd rather have all the functionality in one system.

nss_ldap, from padl.com, does appear to support netgroups in LDAP --
there is a configuration directive for it, and the code to pull the
netgroup map from the directory exists, at least in the latest source
from the web site. I haven't tried it personally, so I can't say if it
works or not.

If the number of hosts is small enough, it is also possible to restrict
access using pam_ldap's "pam_check_host_attr" directive. You would have
to include a list of allowed hosts (or "*") for each user in the
directory, so it might not work very well if you have a large number of
machines in different groups, but it is sufficient for small networks.

--
Ian Clelland
<ian@veryfresh.com>
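The two suggestions in the message above, written out as concrete configuration; this is an added example, not part of the original post or of the padl.com projects. The hostnames, user names and the dc=example,dc=com suffix are made up, and the last section assumes pam_access is present in the login stack to act on netgroup membership.

```ldif
# --- /etc/ldap.conf (read by both nss_ldap and pam_ldap) ---
# Where nss_ldap looks for the netgroup map (RFC 2307 nisNetgroup entries):
# nss_base_netgroup ou=netgroup,dc=example,dc=com?one
#
# Make pam_ldap compare the user's "host" attribute values against this
# machine's hostname during account management. With this enabled, a user
# whose entry has no host attribute at all is denied, so every account that
# should log in anywhere needs at least one value (or "*").
# pam_check_host_attr yes

# --- Netgroup map kept in the directory instead of NIS ---
# Triples are (host,user,domain); an empty field matches anything.
dn: cn=dbadmins,ou=netgroup,dc=example,dc=com
objectClass: top
objectClass: nisNetgroup
cn: dbadmins
nisNetgroupTriple: (,alice,)
nisNetgroupTriple: (,bob,)
# Nested netgroups work the same way they do in NIS.
memberNisNetgroup: oncall

# --- Per-user host list consumed by pam_check_host_attr ---
# The "host" attribute comes from the cosine "account" objectClass.
# alice may log in only on the two database hosts.
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
uid: alice
cn: Alice Example
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/alice
loginShell: /bin/bash
host: db01.example.com
host: db02.example.com

# An administrator allowed on every machine gets the wildcard value.
dn: uid=bob,ou=people,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
uid: bob
cn: Bob Example
uidNumber: 10002
gidNumber: 10002
homeDirectory: /home/bob
loginShell: /bin/bash
host: *

# --- /etc/security/access.conf (pam_access) ---
# Netgroup membership grants nothing by itself; a rule like this is what
# turns it into an access decision on a given host:
# + : @dbadmins : ALL
# - : ALL : ALL
```

The host-attribute approach keeps the allowed-host list on each user entry, which is why it scales poorly past a few dozen machines, while the netgroup map puts the grouping in one place and lets the per-host rule stay short.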