
Re: porting PAM



On Thu, 29 May 2003, Alejandro G. Belluscio wrote:

> Thursday, May 29, 2003, 2:19:10 PM, you wrote:
> NNF> I came across ypAnything last time I looked through PAM vs. BSD auth
> NNF> discussions. I haven't tried it myself but it looks fairly simple and
> NNF> small and provides functionality of nsswitch. Here's the link:
> NNF> http://www.radux.com/ypAnything/
> >> Why not write a NIS -> LDAP proxy?
> >>
> >> That would take the complexity out of libc and, by implication,
> >> privileged code.
>
>    After so much discussion, I would like to know the technical
> difficulties to have BSD Auth and LDAP. Pointers anyone?

You could start by looking at login_ldap by Peter Werner
(http://www.ifost.org.au/~peterw/). It's already in the ports tree:
sysutils/login_ldap.

According to the CAVEATS section of its manpage, login_ldap(8):
  OpenBSD does not ship with an ldap server in the default install, however
  OpenLDAP is available via packages(7).

  Until OpenBSD gets an nsswitch implementation or something similar, every
  user in the LDAP server will need to have a valid passwd file entry. This
  can be achieved by using the useradd(8) utility with similar arguments to
  this: useradd -m -d /home/peterw -s /bin/sh -L ldap peterw

  As of version 3.3 login_ldap no longer installs setuid root.  It is
  believed that elevated privileges are not necessary in most cases, but
  potentially this could cause a problem.  Making the login_ldap binary
  setuid root should be tried as part of site installation debugging if
  things aren't working.  If you find you do need the setuid bit set,
  please let the authors know.

http://www.deadly.org/article.php3?sid=20030311135606 lists some of the
problems of login_ldap:
* OpenBSD lacks an nsswitch implementation. Luke Mewburn wrote an nsswitch
implementation for NetBSD and this was ported to FreeBSD 5.
* login_ldap requires OpenLDAP. Someone suggested using tinyldap instead
(http://fefe.de/tinyldap/).


Cheers,

Dries
--
Dries Schellekens
email: gwyllion@ulyssis.org
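The manpage caveat quoted above means that, without nsswitch, every LDAP account has to be mirrored into the local passwd file with useradd(8) and the "ldap" login class. The script below is an added example, not part of the mail or of the login_ldap port: it takes an LDIF-style dump of accounts and the passwd file, and prints the useradd command for each account that still lacks a local entry, skipping entries that are missing uid, homeDirectory or loginShell. The LDIF and passwd contents are constructed samples, and it assumes a login class named "ldap" already exists in login.conf as the manpage example implies.

```shell
#!/bin/sh
# Added example (not from the original mail or from login_ldap itself).
# Print useradd(8) commands, with the -L ldap login class from login_ldap(8),
# for LDAP accounts that do not yet have a local passwd entry.

# Constructed sample LDIF dump (not real directory data).
# "bob" is deliberately incomplete (no loginShell) to show the skip path.
SAMPLE_LDIF='dn: uid=peterw,ou=People,dc=example,dc=org
uid: peterw
homeDirectory: /home/peterw
loginShell: /bin/sh

dn: uid=alice,ou=People,dc=example,dc=org
uid: alice
homeDirectory: /home/alice
loginShell: /bin/ksh

dn: uid=bob,ou=People,dc=example,dc=org
uid: bob
homeDirectory: /home/bob
'

# Constructed sample passwd file: alice already has a local entry.
SAMPLE_PASSWD='root:*:0:0:Charlie &:/root:/bin/ksh
alice:*:1001:1001:Alice:/home/alice:/bin/ksh
'

# ldif_to_useradd LDIF_TEXT PASSWD_TEXT
# Emits "useradd -m -d HOME -s SHELL -L ldap NAME" for each LDAP account
# whose name is not in the first field of any PASSWD_TEXT line.
# Entries missing uid, homeDirectory or loginShell go to stderr and are skipped.
ldif_to_useradd() {
    printf '%s\n' "$1" | awk -v passwd="$2" '
    BEGIN {
        # Index the login names already present in the passwd file.
        n = split(passwd, lines, "\n")
        for (i = 1; i <= n; i++) {
            split(lines[i], f, ":")
            if (f[1] != "") have[f[1]] = 1
        }
    }
    function flush() {
        # Called at each blank line and at EOF; one LDIF entry per call.
        if (uid == "" && home == "" && shell == "") return
        if (uid == "" || home == "" || shell == "") {
            printf "skipping incomplete entry (uid=%s)\n", uid > "/dev/stderr"
        } else if (!(uid in have)) {
            printf "useradd -m -d %s -s %s -L ldap %s\n", home, shell, uid
        }
        uid = ""; home = ""; shell = ""
    }
    /^uid: /           { uid   = substr($0, 6)  }
    /^homeDirectory: / { home  = substr($0, 16) }
    /^loginShell: /    { shell = substr($0, 13) }
    /^$/               { flush() }
    END                { flush() }
    '
}

# Stand-alone run: review the commands before piping them into sh as root.
ldif_to_useradd "$SAMPLE_LDIF" "$SAMPLE_PASSWD"
```

Run it against a real `ldapsearch -LLL` dump and the live /etc/passwd, inspect the output, and only then execute it; it never modifies the system by itself. Accounts that already exist locally are left alone, so it can be re-run as users are added to the directory.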