Subject: Re: (long) Re: Authenticating with LDAP
To: Chuck Yerkes <chuck+nbsd@2003.snew.com>
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
List: netbsd-users
Date: 01/21/2003 11:29:28
On Mon, Jan 20, 2003 at 03:11:56PM -0500,
 Chuck Yerkes <chuck+nbsd@2003.snew.com> wrote 
 a message of 109 lines which said:

> Clearly, more than just authentication hooks are needed.
> 
> If I log in, the getpw* routines (and the equiv for various services
> and info) need to be populated with my information.

I agree. My complete solution, for the Debian machines, is based on
PAM+NSS, both using LDAP. Same thing for Solaris. For the Tru64
machines, SIA handles both.
 
> to be able to use "the usual" (/etc/passwd), it should likely
> call an abstracted routine that can use modules installed
> by the admin.
> 
> You drop in a module that supports getting information via LDAP
> (getting the festival of fields that create a passwd line,
> barring the actual password field), and it will work.

The GNU libc has had this for a very long time.
 
> With LDAP specifically, some design points need to be considered.
> LDAP servers SHOULD be contacted over a secure link.  

I agree. (Do note, however, that LDAP, unlike, say, HTTP, is mostly
used over internal links, where sniffing is more difficult.) I use
LDAP+TLS but IPsec might be a better solution in the future.

> So using a "helper" daemon to maintain a connection is called
> for to alleviate this. 

Yes. I use nscd (included in the GNU libc).

> The OpenLDAP folks are aware of people's desire for such a
> tool 

It already exists.