LinuxQuestions.org
Old 11-19-2009, 07:31 PM   #1
icga
Member
 
Registered: Nov 2004
Distribution: fc4
Posts: 36

Rep: Reputation: 15
PAM adduser?


I am trying to implement a centralized user system where all the users and passwords are stored on a centralized system. My first instinct was to use radius, since we already have that going for a number of different services. However, after reading up on pam_radius, it appears that you must first create the user locally on each system and all pam_radius does is act as a central password repository.

Is this true, and if so, is there any system out there that does not require you to create the user locally first?

Thanks!
 
Old 11-19-2009, 07:37 PM   #2
jhwilliams
Senior Member
 
Registered: Apr 2007
Location: Portland, OR
Distribution: Debian, Android, LFS
Posts: 1,168

Rep: Reputation: 206
PAM is a localhost kind of ballgame. People seem to like and use LDAP authentication well enough these days. It depends largely on the deployment and interface of the "centralized user system" you're designing. Heck, some people like to stuff user auth data in a MySQL database and auth it with a PHP form.
 
Old 11-19-2009, 09:54 PM   #3
Jim Bengtson
Member
 
Registered: Feb 2009
Location: Iowa
Distribution: Ubuntu 9.10
Posts: 164

Rep: Reputation: 38
Quote:
Originally Posted by icga
I am trying to implement a centralized user system where all the users and passwords are stored on a centralized system. My first instinct was to use radius, since we already have that going for a number of different services. However, after reading up on pam_radius, it appears that you must first create the user locally on each system and all pam_radius does is act as a central password repository.

Is this true, and if so, is there any system out there that does not require you to create the user locally first?

Thanks!
You can use an LDAP directory to centralize your usernames, passwords, etc., and use PAM modules to integrate PAM on each of your computers to this centralized LDAP directory.

This will get you started, but there's lots more reading to do:
http://ldots.org/ldap
 
Old 11-19-2009, 10:26 PM   #4
Jim Bengtson
Member
 
Registered: Feb 2009
Location: Iowa
Distribution: Ubuntu 9.10
Posts: 164

Rep: Reputation: 38
I've just ordered a book that looks good...you might want to check it out too.

Pluggable Authentication Modules: The Definitive Guide to PAM for Linux SysAdmins and C Developers: A comprehensive and practical guide to PAM for Linux: how modules work and how to implement them
https://www.amazon.com/gp/product/19...ss_T15_product

And, of course:

LDAP System Administration
http://www.amazon.com/LDAP-System-Ad...ref=pd_sim_b_2
 
Old 11-19-2009, 10:57 PM   #5
chiragrk
Member
 
Registered: Nov 2009
Location: India
Distribution: Xandros, Ubuntu
Posts: 74

Rep: Reputation: 16
Quote:
Originally Posted by Jim Bengtson
You can use an LDAP directory to centralize your usernames, passwords, etc., and use PAM modules to integrate PAM on each of your computers to this centralized LDAP directory.

This will get you started, but there's lots more reading to do:
http://ldots.org/ldap
You should use a centralized LDAP. However, I won't recommend all systems having to look up to this centralized LDAP all the time, especially if your servers are connected via WAN links, because:
1) Response times will be high.
2) In case the centralized LDAP fails, you're in for trouble.

I would recommend that you use centralized LDAP for user management and then have this LDAP data replicated across all the other servers. OpenLDAP does support master/slave modes. The same can be accomplished using MySQL master-slave mode.
 
Old 11-21-2009, 03:01 PM   #6
icga
Member
 
Registered: Nov 2004
Distribution: fc4
Posts: 36

Original Poster
Rep: Reputation: 15
So by using LDAP, the local users are dynamically added and deleted as the user logs into and logs out of the server?

Is it possible to do this with pam_radius?
 
Old 11-21-2009, 06:25 PM   #7
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 428

Rep: Reputation: 65
Quote:
Originally Posted by chiragrk
I would recommend that you use centralized LDAP for user management and then have this LDAP data replicated across all the other servers. OpenLDAP does support master/slave modes. The same can be accomplished using MySQL master-slave mode.
Why would you ever replicate the LDAP information across all other servers? That kinda defeats the purpose of LDAP and also becomes a huge pain to manage and troubleshoot.


OP: LDAP is the way you want to go. pam_radius can work with LDAP, but there is an LDAP module for PAM and you should use that. If you have a large environment, look into LDAP multi-master and just set up like 2-3 LDAP servers.
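The distinction the thread keeps circling is that "centralized users" has two halves: identity (uid, gid, home, shell, resolved through NSS) and authentication (password checking, done by a PAM auth module). pam_radius only covers the second half, which is why the original poster still has to run adduser on every host; nss_ldap/pam_ldap (or sssd today) cover both, so directory users are resolved at lookup time rather than being added and deleted locally, and pam_mkhomedir creates the home directory on first login. The script below is an added example written for this thread, not code from any poster or from the PAM or OpenLDAP projects. It parses constructed sample copies of nsswitch.conf and a PAM service file and reports which half each configuration covers; the module names it recognizes (pam_radius_auth.so, pam_ldap.so, pam_sss.so, pam_mkhomedir.so) are the real ones, while the sample files and the finding texts are assumptions of this example.

```python
"""Classify a host's account setup: where identities come from (NSS) and
where passwords are checked (PAM). Added example, not from the thread."""
import re

# Constructed sample 1: the original poster's situation. Passwords go to the
# RADIUS server, but the passwd database is still local files only.
NSSWITCH_RADIUS_ONLY = """\
passwd:     files
group:      files
shadow:     files
"""
PAM_RADIUS_ONLY = """\
#%PAM-1.0
auth       sufficient   pam_radius_auth.so
auth       required     pam_unix.so nullok
account    required     pam_unix.so
session    required     pam_unix.so
"""

# Constructed sample 2: LDAP supplies both identity and authentication, and
# pam_mkhomedir creates the home directory on first login.
NSSWITCH_LDAP = """\
passwd:     files ldap
group:      files ldap
shadow:     files ldap
"""
PAM_LDAP = """\
#%PAM-1.0
auth       sufficient   pam_ldap.so
auth       required     pam_unix.so nullok try_first_pass
account    sufficient   pam_ldap.so
account    required     pam_unix.so
session    required     pam_unix.so
session    optional     pam_mkhomedir.so skel=/etc/skel umask=0077
"""

# NSS sources that resolve accounts from a directory.
DIRECTORY_NSS = {"ldap", "sss", "winbind"}
# PAM modules that authenticate against a directory that also serves NSS.
DIRECTORY_PAM = {"pam_ldap.so", "pam_sss.so", "pam_winbind.so"}
# PAM modules that only verify passwords; they never provide uid/home/shell.
PASSWORD_ONLY_PAM = {"pam_radius_auth.so", "pam_krb5.so"}

# type  control (plain word or [bracketed ...])  module  optional args
PAM_LINE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_nsswitch(text):
    """Return {database: [source, ...]}; action tokens like [NOTFOUND=return] are dropped."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, sources = line.split(":", 1)
        dbs[name.strip()] = [s for s in sources.split() if not s.startswith("[")]
    return dbs


def parse_pam(text):
    """Return a list of (type, control, module, [args]) from a PAM service file."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # also drops the #%PAM-1.0 header
        m = PAM_LINE.match(line) if line else None
        if not m:
            continue
        ptype, control, module, args = m.groups()
        ptype = ptype.lstrip("-")  # a leading '-' only silences missing-module logging
        if ptype in ("auth", "account", "password", "session"):
            entries.append((ptype, control, module, args.split()))
    return entries


def assess(nsswitch_text, pam_text):
    """Report whether identity and authentication are centralized, plus gaps."""
    nss = parse_nsswitch(nsswitch_text)
    pam = parse_pam(pam_text)
    identity_central = any(s in DIRECTORY_NSS for s in nss.get("passwd", []))
    auth_modules = {m for t, _, m, _ in pam if t == "auth"}
    auth_central = bool(auth_modules & (DIRECTORY_PAM | PASSWORD_ONLY_PAM))
    mkhomedir = any(m == "pam_mkhomedir.so" for t, _, m, _ in pam if t == "session")
    findings = []
    if auth_central and not identity_central:
        findings.append("auth is central but passwd lookup is local: every account "
                        "must still be created on this host with adduser")
    if identity_central and not auth_central:
        findings.append("identities come from the directory but no auth module "
                        "consults it: logins fall back to local passwords")
    if identity_central and not mkhomedir:
        findings.append("no pam_mkhomedir: directory users need a pre-created home directory")
    return {"identity_central": identity_central, "auth_central": auth_central,
            "findings": findings}


if __name__ == "__main__":
    for label, nss_text, pam_text in (("radius-only", NSSWITCH_RADIUS_ONLY, PAM_RADIUS_ONLY),
                                       ("ldap", NSSWITCH_LDAP, PAM_LDAP)):
        print(label, assess(nss_text, pam_text))
```

Run against a real host by feeding it the contents of /etc/nsswitch.conf and the PAM service file for the login path you care about (for example /etc/pam.d/sshd, including whatever /etc/pam.d/common-auth or system-auth it includes). The first sample reports exactly the original poster's problem; the second reports no findings because the passwd database, the auth stack and home-directory creation are all handled by the directory-backed modules.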
 
Old 11-21-2009, 11:20 PM   #8
chiragrk
Member
 
Registered: Nov 2009
Location: India
Distribution: Xandros, Ubuntu
Posts: 74

Rep: Reputation: 16
Quote:
Originally Posted by slimm609
Why would you ever replicate the LDAP information across all other servers? That kinda defeats the purpose of LDAP and also becomes a huge pain to manage and troubleshoot.
That's how you ensure a single server isn't loaded with all the LDAP queries; it makes it scalable. Never had a _huge_ pain troubleshooting such replicated LDAP directories; a little bit painful, but what isn't?
 
Old 11-22-2009, 12:23 AM   #9
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 428

Rep: Reputation: 65
Quote:
Originally Posted by chiragrk
That's how you ensure a single server isn't loaded with all the LDAP queries; it makes it scalable. Never had a _huge_ pain troubleshooting such replicated LDAP directories; a little bit painful, but what isn't?
Replicating to ALL servers or all LDAP slaves?
 
Tags: pam