| 1 |
Hello. |
| 2 |
|
| 3 |
Finally got some time to pick this discussion back up. |
| 4 |
|
| 5 |
On Wed, 2005-07-27 Benjamin Smee wrote: |
| 6 |
|
| 7 |
> Instead I think it is much more secure to simply require an auth bind |
| 8 |
> BEFORE giving away ANY information, even information as trivial as to |
| 9 |
> the layout of the DIT or the subtree's etc etc. |
| 10 |
|
| 11 |
OK, I understand what you are saying. As far as user authentication |
| 12 |
goes, RFC 2307bis already describes the schema and organization |
| 13 |
expected when LDAP is used for a centralized user directory. However, |
| 14 |
you may be running any number of customizations, etc., so I can see why |
| 15 |
you might feel the way you do on this issue. I would agree with your |
| 16 |
earlier characterization that your attitude is more of a paranoid one |
| 17 |
than most admins have :) . |
| 18 |
|
| 19 |
> the changes you made for system-auth in /etc/pam.d/chsh should do it. |
| 20 |
|
| 21 |
In system-auth, the changes required are listed (for example) in the |
| 22 |
Gentoo LDAP guide: http://www.gentoo.org/doc/en/ldap-howto.xml |
| 23 |
|
| 24 |
passwd's PAM configuration works as-is with LDAP once system-auth is |
| 25 |
properly configured, since it seems to stack on system-auth by using |
| 26 |
"include system-auth" for the auth, account, and password directives. |
| 27 |
Making sure these "include system-auth" directives are present in the |
| 28 |
chsh PAM config file does not change the behavior of chsh in that it |
| 29 |
fails if it does not literally find the user in /etc/passwd . |
| 30 |
|
| 31 |
I'm not sure if I'm missing additional trickery that can be done in the |
| 32 |
PAM config files for chsh or chfn . Additionally, I haven't been able |
| 33 |
to find the "include" keyword in the PAM docs. |
| 34 |
|
| 35 |
> I see, precisely what would your wrapper tools do that would be |
| 36 |
better |
| 37 |
> then just invoking ldapX ? You have said that your users are happy on |
| 38 |
> the unix command line so I am not sure what you are trying to gain |
| 39 |
via |
| 40 |
> using wrappers. |
| 41 |
|
| 42 |
Do you think it's reasonable to expect Unix users to mess around with |
| 43 |
LDIF files and syntax, just because they're OK in a command-line |
| 44 |
environment? I certainly don't. |
| 45 |
|
| 46 |
Wrappers could easily be written to emulate the shadow suite utilities, |
| 47 |
and aside from passing on the additional LDAP password request to the |
| 48 |
user, an "ldapmodify-wrapped" chsh or chfn would work equivalently from |
| 49 |
the perspective of the end-user to the Unix counterparts. |
| 50 |
|
| 51 |
Aside from the fact "intermediate" level users who know about |
| 52 |
/etc/passwd might get confused by the fact it has nothing but system |
| 53 |
accounts on it, novice and advanced users alike should see the system |
| 54 |
as a standard Unix environment, and aside from the occasional extra |
| 55 |
password prompt, the fact LDAP is being used should be pretty |
| 56 |
transparent. |
| 57 |
|
| 58 |
> The point is that all of the usual command line tools are NOT LDAP |
| 59 |
> aware (eg poppasswd_ceti) so that when using auth binds and LDAP the |
| 60 |
> tool breaks because it gets an extra prompt request. |
| 61 |
|
| 62 |
I suppose it depends on what you define as the "usual command line |
| 63 |
tools" -- I certainly wouldn't consider poppasswd_ceti a usual |
| 64 |
command-line tool from the perspective of a Unix user. I understand |
| 65 |
again what you're getting at, but for a Unix user at a command-line, at |
| 66 |
worst he will see an additional password prompt, or the LDAP string, |
| 67 |
but it won't require any more information than he already has (namely |
| 68 |
his login and password). |
| 69 |
|
| 70 |
I agree that infratructure built atop the standard command-line tools |
| 71 |
that deal with /etc/passwd will be likely to break if they assume |
| 72 |
typical shadow suite behavior. |
| 73 |
|
| 74 |
> Even if they do and you are trying to use them in an |
| 75 |
> automated manner to manage OTHER accounts, then you must keep the |
| 76 |
auth |
| 77 |
> bind password somewhere on the system in a file. |
| 78 |
|
| 79 |
Again, I refer to my designated "directory manager" user described |
| 80 |
earlier in this thread. Connecting to the directory as that user is |
| 81 |
something only root/the sysadmin will have to do to add/remove users or |
| 82 |
groups or group memberships. This technique keeps the password for |
| 83 |
that user in the same directory as the user passwords, and not in |
| 84 |
slapd.conf or similar. |
| 85 |
|
| 86 |
Assuming an LDAP-aware replacement for the shadow suite (like the |
| 87 |
packages I mentioned earlier in this thread), the user will at most get |
| 88 |
an extra password prompt if he wants to change say, his login shell, |
| 89 |
since these tools will authenticate to the directory as the user |
| 90 |
himself and the user will have the ability to write to this attribute |
| 91 |
via the LDAP ACLs. |
| 92 |
|
| 93 |
|
| 94 |
|
| 95 |
____________________________________________________ |
| 96 |
Start your day with Yahoo! - make it your home page |
| 97 |
http://www.yahoo.com/r/hs |
| 98 |
|
| 99 |
-- |
| 100 |
gentoo-server@g.o mailing list |
Archives