Subject: Re: (long) Re: Authenticating with LDAP
To: Chuck Yerkes <firstname.lastname@example.org>
From: Stephane Bortzmeyer <email@example.com>
Date: 01/21/2003 11:29:28
On Mon, Jan 20, 2003 at 03:11:56PM -0500,
Chuck Yerkes <firstname.lastname@example.org> wrote
a message of 109 lines which said:

> Clearly, more than just authentication hooks are needed.
> If I log in, the getpw* routines (and the equiv for various services
> and info) need to be populated with my information.

I agree. My complete solution, for the Debian machines, is based on
PAM+NSS, both using LDAP. Same thing for Solaris. For the Tru64
machines, SIA handles both.

> to be able to use "the usual" (/etc/passwd), it should likely
> call an abstracted routine that can use modules installed
> by the admin.
> You drop in a module that supports getting information via LDAP
> (getting the festival of fields that create a passwd line,
> barring the actual password field), and it will work.

The GNU libc has had this for a very long time.

> With LDAP specifically, some design points need to be considered.
> LDAP servers SHOULD be contacted over a secure link.

I agree. (Do note, however, that LDAP, unlike, say, HTTP, is mostly
used over internal links, where sniffing is more difficult.) I use
LDAP+TLS but IPsec might be a better solution in the future.

> So using a "helper" daemon to maintain a connection is called
> for to alleviate this.

Yes. I use nscd (included in the GNU libc).

> The OpenLDAP folks are aware of people's desire for such a

It already exists.
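As an added example, not part of this thread or of any of the projects it mentions, the sketch below lays out the PAM+NSS-over-LDAP client setup the reply describes (nsswitch.conf, a PAM auth stack, and a PADL-style ldap.conf using StartTLS) and adds a small check for the "contacted over a secure link" point: the client file must turn TLS on and require certificate verification, otherwise the bind password and directory data travel in the clear. The hostname, base DN, CA path and all file contents are constructed for illustration and written to a temporary directory rather than /etc.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal PAM + NSS over LDAP client
# layout using PADL nss_ldap/pam_ldap configuration keys, plus a check that
# the client is told to use TLS and to verify the server's certificate.
# All file contents, hostnames and paths below are constructed for illustration.

WORK=$(mktemp -d)

# nsswitch.conf: local files first, then LDAP (the NSS half of the setup)
cat > "$WORK/nsswitch.conf" <<'EOF'
passwd:  files ldap
group:   files ldap
shadow:  files ldap
EOF

# PAM auth stack: try LDAP, fall back to local accounts with the same password
cat > "$WORK/common-auth" <<'EOF'
auth    sufficient  pam_ldap.so
auth    required    pam_unix.so use_first_pass
EOF

# ldap.conf as nss_ldap/pam_ldap read it, with StartTLS and peer verification
cat > "$WORK/ldap.conf" <<'EOF'
# assumed server and base DN
host ldap.example.org
base dc=example,dc=org
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/ldap-ca.pem
EOF

# The same client with no TLS at all: credentials and lookups go in the clear
cat > "$WORK/ldap-weak.conf" <<'EOF'
host ldap.example.org
base dc=example,dc=org
EOF

# ldap_client_secure FILE: succeed (0) only if the file turns TLS on
# ("ssl start_tls" or "ssl on") AND requires certificate verification.
ldap_client_secure() {
    f=$1
    if ! grep -Eq '^[[:space:]]*ssl[[:space:]]+(start_tls|on)[[:space:]]*$' "$f"; then
        return 1
    fi
    if ! grep -Eq '^[[:space:]]*tls_checkpeer[[:space:]]+yes[[:space:]]*$' "$f"; then
        return 1
    fi
    return 0
}

# nss_has_ldap FILE DB: succeed if database DB (passwd, group, ...) lists "ldap" as a source
nss_has_ldap() {
    grep -Eq "^[[:space:]]*$2:.*[[:space:]]ldap([[:space:]]|$)" "$1"
}

for f in ldap.conf ldap-weak.conf; do
    if ldap_client_secure "$WORK/$f"; then
        echo "$f: TLS with peer verification"
    else
        echo "$f: INSECURE (no TLS or no certificate check)"
    fi
done
```

The check is deliberately strict: `ssl start_tls` without `tls_checkpeer yes` still fails, because an unverified TLS session protects against passive sniffing but not against an impostor directory server answering the bind. The nscd mentioned in the reply sits on top of this layout and caches the NSS lookups, so the TLS handshake is not paid on every getpw* call.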