| 1 |
Hi, thanks for the replies. |
| 2 |
|
| 3 |
I apologize beforehand -- the threading on this topic will be messed up |
| 4 |
because I'm composing a new message, since I'm only subscribed to the |
| 5 |
digest version of the list. |
| 6 |
|
| 7 |
On Thu, 2005-07-21, Benjamin Smee wrote: |
| 8 |
|
| 9 |
> On Wed, 2005-07-20 at 00:31 -0700, Bill Johnstone wrote: |
| 10 |
|
| 11 |
> Well by putting your accounts into LDAP you really should be using |
| 12 |
> LDAP management tools to manage it. |
| 13 |
|
| 14 |
Well, LDAP-aware ones, anyway. An LDAP-aware adduser type program for |
| 15 |
example, which would prompt for the password associated with whatever |
| 16 |
dn the admin was trying to connect with. |
| 17 |
|
| 18 |
However, users should be able to do things like chsh and passwd without |
| 19 |
any knowledge of LDAP. And in fact, with pam_ldap, they can at least |
| 20 |
change their own passwords using plain ol' "passwd" from the shadow |
| 21 |
suite. |
| 22 |
|
| 23 |
>> I've noticed that typical programs such as chsh or chfn have PAM |
| 24 |
>> config files -- can PAM tricks be used to make them work with the |
| 25 |
>> fields accessible via nss_ldap? |
| 26 |
|
| 27 |
> They can be but personally I would recommend against it. The reason |
| 28 |
> for this is that in order to do so you have to setup a user that can |
| 29 |
> write to any of your users attributes (ie in effect a root style |
| 30 |
user) |
| 31 |
> and store that password in a file on the system. The security |
| 32 |
> implications of that bother me so personally I don't empower the old |
| 33 |
> style unix command line tools to do things like write back to the DIT |
| 34 |
> in that fashion. |
| 35 |
|
| 36 |
I don't see why this needs to be the case. Sure, you need a rootdn to |
| 37 |
initially populate the directory, but after that, it's easy to use ACLs |
| 38 |
to give each user write capability to his own user attributes, such as |
| 39 |
"loginShell". Moreover, it is possible to add a specific user to the |
| 40 |
directory who has write access to the the subtree under the ou (via |
| 41 |
ACLs again), and have that password stored within the directory db, |
| 42 |
just like all the other users have their passwords stored. This |
| 43 |
eliminates the need to have a "rootpw" stored within the slapd.conf , |
| 44 |
and due to the ACLs, makes it easier to restrict the ability of the |
| 45 |
administrative user and keep him from damaging the whole directory. |
| 46 |
|
| 47 |
>> Also, there do seem to be packages listed in the database, such as |
| 48 |
>> "cpu" and "diradm" that augment or replace the standard shadow suite |
| 49 |
>> to deal with the data via LDAP. However, none of these are marked |
| 50 |
as |
| 51 |
>> available on amd64. Why is that, and is there any way I can request |
| 52 |
>> or help with the packages being made available and tested on amd64? |
| 53 |
|
| 54 |
> They are all LDAP management tools NOT replacements for unix |
| 55 |
commands. |
| 56 |
|
| 57 |
They are LDAP-aware replacements for the unix commands from the shadow |
| 58 |
suite, or can be treated as such. pwdutils is another such LDAP-aware |
| 59 |
shadow suite replacement, which actually replaces commands such as |
| 60 |
"passwd" and "chsh", though its documentation leaves something to be |
| 61 |
desired. There is no ebuild at all for pwdutils, though. |
| 62 |
|
| 63 |
> As to why they are not available on amd64 can't help there sorry. |
| 64 |
|
| 65 |
Is there an individual or dev group within gentoo that I should try to |
| 66 |
contact? robbat2 <at> gentoo . org seems to be involved with both the |
| 67 |
openldap ebuild, as well as diradm ... |
| 68 |
|
| 69 |
__________________________________________________ |
| 70 |
Do You Yahoo!? |
| 71 |
Tired of spam? Yahoo! Mail has the best spam protection around |
| 72 |
http://mail.yahoo.com |
| 73 |
-- |
| 74 |
gentoo-server@g.o mailing list |
Archives