1 |
Hello. |
2 |
|
3 |
Finally got some time to pick this discussion back up. |
4 |
|
5 |
On Wed, 2005-07-27 Benjamin Smee wrote: |
6 |
|
7 |
> Instead I think it is much more secure to simply require an auth bind |
8 |
> BEFORE giving away ANY information, even information as trivial as to |
9 |
> the layout of the DIT or the subtree's etc etc. |
10 |
|
11 |
OK, I understand what you are saying. As far as user authentication |
12 |
goes, RFC 2307bis already describes the schema and organization |
13 |
expected when LDAP is used for a centralized user directory. However, |
14 |
you may be running any number of customizations, etc., so I can see why |
15 |
you might feel the way you do on this issue. I would agree with your |
16 |
earlier characterization that your attitude is more of a paranoid one |
17 |
than most admins have :) . |
18 |
|
19 |
> the changes you made for system-auth in /etc/pam.d/chsh should do it. |
20 |
|
21 |
In system-auth, the changes required are listed (for example) in the |
22 |
Gentoo LDAP guide: http://www.gentoo.org/doc/en/ldap-howto.xml |
23 |
|
24 |
passwd's PAM configuration works as-is with LDAP once system-auth is |
25 |
properly configured, since it seems to stack on system-auth by using |
26 |
"include system-auth" for the auth, account, and password directives. |
27 |
Making sure these "include system-auth" directives are present in the |
28 |
chsh PAM config file does not change the behavior of chsh in that it |
29 |
fails if it does not literally find the user in /etc/passwd . |
30 |
|
31 |
I'm not sure if I'm missing additional trickery that can be done in the |
32 |
PAM config files for chsh or chfn . Additionally, I haven't been able |
33 |
to find the "include" keyword in the PAM docs. |
34 |
|
35 |
> I see, precisely what would your wrapper tools do that would be |
36 |
better |
37 |
> then just invoking ldapX ? You have said that your users are happy on |
38 |
> the unix command line so I am not sure what you are trying to gain |
39 |
via |
40 |
> using wrappers. |
41 |
|
42 |
Do you think it's reasonable to expect Unix users to mess around with |
43 |
LDIF files and syntax, just because they're OK in a command-line |
44 |
environment? I certainly don't. |
45 |
|
46 |
Wrappers could easily be written to emulate the shadow suite utilities, |
47 |
and aside from passing on the additional LDAP password request to the |
48 |
user, an "ldapmodify-wrapped" chsh or chfn would work equivalently from |
49 |
the perspective of the end-user to the Unix counterparts. |
50 |
|
51 |
Aside from the fact "intermediate" level users who know about |
52 |
/etc/passwd might get confused by the fact it has nothing but system |
53 |
accounts on it, novice and advanced users alike should see the system |
54 |
as a standard Unix environment, and aside from the occasional extra |
55 |
password prompt, the fact LDAP is being used should be pretty |
56 |
transparent. |
57 |
|
58 |
> The point is that all of the usual command line tools are NOT LDAP |
59 |
> aware (eg poppasswd_ceti) so that when using auth binds and LDAP the |
60 |
> tool breaks because it gets an extra prompt request. |
61 |
|
62 |
I suppose it depends on what you define as the "usual command line |
63 |
tools" -- I certainly wouldn't consider poppasswd_ceti a usual |
64 |
command-line tool from the perspective of a Unix user. I understand |
65 |
again what you're getting at, but for a Unix user at a command-line, at |
66 |
worst he will see an additional password prompt, or the LDAP string, |
67 |
but it won't require any more information than he already has (namely |
68 |
his login and password). |
69 |
|
70 |
I agree that infratructure built atop the standard command-line tools |
71 |
that deal with /etc/passwd will be likely to break if they assume |
72 |
typical shadow suite behavior. |
73 |
|
74 |
> Even if they do and you are trying to use them in an |
75 |
> automated manner to manage OTHER accounts, then you must keep the |
76 |
auth |
77 |
> bind password somewhere on the system in a file. |
78 |
|
79 |
Again, I refer to my designated "directory manager" user described |
80 |
earlier in this thread. Connecting to the directory as that user is |
81 |
something only root/the sysadmin will have to do to add/remove users or |
82 |
groups or group memberships. This technique keeps the password for |
83 |
that user in the same directory as the user passwords, and not in |
84 |
slapd.conf or similar. |
85 |
|
86 |
Assuming an LDAP-aware replacement for the shadow suite (like the |
87 |
packages I mentioned earlier in this thread), the user will at most get |
88 |
an extra password prompt if he wants to change say, his login shell, |
89 |
since these tools will authenticate to the directory as the user |
90 |
himself and the user will have the ability to write to this attribute |
91 |
via the LDAP ACLs. |
92 |
|
93 |
|
94 |
|
95 |
____________________________________________________ |
96 |
Start your day with Yahoo! - make it your home page |
97 |
http://www.yahoo.com/r/hs |
98 |
|
99 |
-- |
100 |
gentoo-server@g.o mailing list |