[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: porting PAM
On Thu, 29 May 2003, Alejandro G. Belluscio wrote:
> Thursday, May 29, 2003, 2:19:10 PM, you wrote:
> NNF> I came across ypAnything last time I looked through PAM vs. BSD auth
> NNF> discussions. I haven't tried it myself but it looks fairly simple and
> NNF> small and provides functionality of nsswitch. Here's the link:
> NNF> http://www.radux.com/ypAnything/
> >> Why not write a NIS -> LDAP proxy?
> >> That would take the complexity out of libc and, by implication,
> >> privileged code.
> After so much discussion, I would like to know the technical
> difficulties to have BSD Auth and LDAP. Pointers anyone?
You could start by looking at login_ldap by Peter Werner
(http://www.ifost.org.au/~peterw/). It's already it the ports tree:
According to the CAVEATS section of its manpage login_ldap(8)
OpenBSD does not ship with an ldap server in the default install, however
OpenLDAP is available via packages(7).
Until OpenBSD gets an nsswitch implementation or something similar, every
user in the LDAP server will need to have a valid passwd file entry. This
can be achieved by using the useradd(8) utility with similar arguments to
this: useradd -m -d /home/peterw -s /bin/sh -L ldap peterw
As of version 3.3 login_ldap no longer installs setuid root. It is
believed that elevated priveledges are not neccessary in most cases, but
potentially this could cause a problem. Making the login_ldap binary
setuid root should be tried as part of site installation debugging if
things aren't working. If you find you do need the setuid bit set,
please let the authors know.
http://www.deadly.org/article.php3?sid=20030311135606 lists some of the
problems of login_ldap
* OpenBSD lacks a nsswitch implementation. Luke Mewburn wrote a nsswitch
implementation for NetBSD and this was ported to FreeBSD 5.
* login_ldap requires OpenLDAP. Someone suggested using tinyldap instead