1 |
Hi, thanks for the replies. |
2 |
|
3 |
I apologize beforehand -- the threading on this topic will be messed up |
4 |
because I'm composing a new message, since I'm only subscribed to the |
5 |
digest version of the list. |
6 |
|
7 |
On Thu, 2005-07-21, Benjamin Smee wrote: |
8 |
|
9 |
> On Wed, 2005-07-20 at 00:31 -0700, Bill Johnstone wrote: |
10 |
|
11 |
> Well by putting your accounts into LDAP you really should be using |
12 |
> LDAP management tools to manage it. |
13 |
|
14 |
Well, LDAP-aware ones, anyway. An LDAP-aware adduser type program for |
15 |
example, which would prompt for the password associated with whatever |
16 |
dn the admin was trying to connect with. |
17 |
|
18 |
However, users should be able to do things like chsh and passwd without |
19 |
any knowledge of LDAP. And in fact, with pam_ldap, they can at least |
20 |
change their own passwords using plain ol' "passwd" from the shadow |
21 |
suite. |
22 |
|
23 |
>> I've noticed that typical programs such as chsh or chfn have PAM |
24 |
>> config files -- can PAM tricks be used to make them work with the |
25 |
>> fields accessible via nss_ldap? |
26 |
|
27 |
> They can be but personally I would recommend against it. The reason |
28 |
> for this is that in order to do so you have to setup a user that can |
29 |
> write to any of your users attributes (ie in effect a root style |
30 |
user) |
31 |
> and store that password in a file on the system. The security |
32 |
> implications of that bother me so personally I don't empower the old |
33 |
> style unix command line tools to do things like write back to the DIT |
34 |
> in that fashion. |
35 |
|
36 |
I don't see why this needs to be the case. Sure, you need a rootdn to |
37 |
initially populate the directory, but after that, it's easy to use ACLs |
38 |
to give each user write capability to his own user attributes, such as |
39 |
"loginShell". Moreover, it is possible to add a specific user to the |
40 |
directory who has write access to the the subtree under the ou (via |
41 |
ACLs again), and have that password stored within the directory db, |
42 |
just like all the other users have their passwords stored. This |
43 |
eliminates the need to have a "rootpw" stored within the slapd.conf , |
44 |
and due to the ACLs, makes it easier to restrict the ability of the |
45 |
administrative user and keep him from damaging the whole directory. |
46 |
|
47 |
>> Also, there do seem to be packages listed in the database, such as |
48 |
>> "cpu" and "diradm" that augment or replace the standard shadow suite |
49 |
>> to deal with the data via LDAP. However, none of these are marked |
50 |
as |
51 |
>> available on amd64. Why is that, and is there any way I can request |
52 |
>> or help with the packages being made available and tested on amd64? |
53 |
|
54 |
> They are all LDAP management tools NOT replacements for unix |
55 |
commands. |
56 |
|
57 |
They are LDAP-aware replacements for the unix commands from the shadow |
58 |
suite, or can be treated as such. pwdutils is another such LDAP-aware |
59 |
shadow suite replacement, which actually replaces commands such as |
60 |
"passwd" and "chsh", though its documentation leaves something to be |
61 |
desired. There is no ebuild at all for pwdutils, though. |
62 |
|
63 |
> As to why they are not available on amd64 can't help there sorry. |
64 |
|
65 |
Is there an individual or dev group within gentoo that I should try to |
66 |
contact? robbat2 <at> gentoo . org seems to be involved with both the |
67 |
openldap ebuild, as well as diradm ... |
68 |
|
69 |
__________________________________________________ |
70 |
Do You Yahoo!? |
71 |
Tired of spam? Yahoo! Mail has the best spam protection around |
72 |
http://mail.yahoo.com |
73 |
-- |
74 |
gentoo-server@g.o mailing list |