LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices


Reply
  Search this Thread
Old 01-27-2014, 04:18 AM   #1
kikinovak
MLED Founder
 
Registered: Jun 2011
Location: Montpezat (South France)
Distribution: CentOS, OpenSUSE
Posts: 3,453

Rep: Reputation: 2154Reputation: 2154Reputation: 2154Reputation: 2154Reputation: 2154Reputation: 2154Reputation: 2154Reputation: 2154Reputation: 2154Reputation: 2154Reputation: 2154
Missing Linux-PAM as a showstopper for LDAP server


I've been spending a few days and a few long nights experimenting with setting up an LDAP server for central authentication.

I have a new client (medium-size town hall here in South France) who's considering migrating 35 desktop clients from Windows to Linux. Their server is already running Zentyal, with all user accounts on LDAP. Which means I have to configure LDAP authentication for Slackware clients.

The non-inclusion of Linux-PAM in Slackware makes this task nearly impossible. I'm facing the choice of rebuilding a bunch of base packages... or just quitting. This is a real showstopper, and the only choice I have is use another distribution. Which sucks.
 
Old 01-27-2014, 04:24 AM   #2
ponce
LQ Guru
 
Registered: Aug 2004
Location: Pisa, Italy
Distribution: Slackware
Posts: 7,068

Rep: Reputation: 4145Reputation: 4145Reputation: 4145Reputation: 4145Reputation: 4145Reputation: 4145Reputation: 4145Reputation: 4145Reputation: 4145Reputation: 4145Reputation: 4145
have you considered installing Slackware-14.0 with vbatts' stuff?

http://www.slackware.com/~vbatts/pam/

Last edited by ponce; 01-27-2014 at 04:27 AM.
 
Old 01-27-2014, 04:34 AM   #3
Didier Spaier
LQ Addict
 
Registered: Nov 2008
Location: Paris, France
Distribution: Slint64-15.0
Posts: 11,048

Rep: Reputation: Disabled
And you could have a look to:
How can I authenticate a Slackware client against an LDAP server without PAM?

Last edited by Didier Spaier; 01-27-2014 at 04:36 AM.
 
1 members found this post helpful.
Old 01-27-2014, 04:42 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985
Quote:
Originally Posted by Didier Spaier View Post
But that isn't doing any **AUTHENTICATION** against LDAP at all, merely user info. You'd still need a passwd / shadow entry on every box.
 
Old 01-27-2014, 05:18 AM   #5
kikinovak
MLED Founder
 
Registered: Jun 2011
Location: Montpezat (South France)
Distribution: CentOS, OpenSUSE
Posts: 3,453

Original Poster
Rep: Reputation: 2154Reputation: 2154Reputation: 2154Reputation: 2154Reputation: 2154Reputation: 2154Reputation: 2154Reputation: 2154Reputation: 2154Reputation: 2154Reputation: 2154
Quote:
Originally Posted by Didier Spaier View Post
As far as I can tell, this is just false information.
 
Old 01-27-2014, 05:21 AM   #6
kikinovak
MLED Founder
 
Registered: Jun 2011
Location: Montpezat (South France)
Distribution: CentOS, OpenSUSE
Posts: 3,453

Original Poster
Rep: Reputation: 2154Reputation: 2154Reputation: 2154Reputation: 2154Reputation: 2154Reputation: 2154Reputation: 2154Reputation: 2154Reputation: 2154Reputation: 2154Reputation: 2154
Quote:
Originally Posted by ponce View Post
have you considered installing Slackware-14.0 with vbatts' stuff?

http://www.slackware.com/~vbatts/pam/
I know that page, but as far as I can tell, the stuff is only available for -current. There's no information about the Slackware version, e. g. 13.37, 14.0, 14.1. Of course I could try and figure this all out by myself, but in that case, this is clearly the distributor's job.
 
Old 01-27-2014, 06:11 AM   #7
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559

Rep: Reputation: 8105Reputation: 8105Reputation: 8105Reputation: 8105Reputation: 8105Reputation: 8105Reputation: 8105Reputation: 8105Reputation: 8105Reputation: 8105Reputation: 8105
Quote:
Originally Posted by kikinovak View Post
I know that page, but as far as I can tell, the stuff is only available for -current. There's no information about the Slackware version, e. g. 13.37, 14.0, 14.1.
The last update there was in August 2012, so it has never been tried on Slackware 14.1.

Quote:
Of course I could try and figure this all out by myself, but in that case, this is clearly the distributor's job.
Vincent's files are a voluntary effort, he was not paid or asked to produce this. This collection of sources, diffs and packages must be seen "as is" because it is not going to be part of the Slackware distribution any time soon. I estimate that it should be feasible to update the sources to match Slackware 14.1 but this is of course a different kind of enhancement than adding a MLED layer on top of Slackware - you are effectively changing the way your Slackware computers deal with user authentication. If you apply this to a stable Slackware release, the maintenance effort of adding PAM should be minimal but not zero (for instance you would have to recompile an openssl package if Slackare released a vulnerability fix in /patches).

Eric
 
Old 01-27-2014, 06:13 AM   #8
ponce
LQ Guru
 
Registered: Aug 2004
Location: Pisa, Italy
Distribution: Slackware
Posts: 7,068

Rep: Reputation: 4145Reputation: 4145Reputation: 4145Reputation: 4145Reputation: 4145Reputation: 4145Reputation: 4145Reputation: 4145Reputation: 4145Reputation: 4145Reputation: 4145
some clarifications:
- being it updated on 29 sep 2012, it's updated at Slackware 14.0 (released on 26 sep 2012);
- AFAIK, as long as it doesn't get officially in Slackware it's testing stuff (as written on the page), so use it at your own risk.

I suggested that because I thought you will be able to support it yourself (you can also see what's changed and rebuild 14.1 packages), but if I have misunderstood and you're looking for an official PAM supported distribution with all the bells and whistles maybe you're better off with something else.

EDIT: Eric beated me (and actually answered better)!

Last edited by ponce; 01-27-2014 at 06:15 AM.
 
Old 01-27-2014, 06:21 AM   #9
bartgymnast
Member
 
Registered: Feb 2003
Location: Almere, Netherlands
Distribution: slack 7.1 till latest and -current, LFS
Posts: 368

Rep: Reputation: 165Reputation: 165
@kikinovak

You can take a look at my slackbuilds (build for 14.1)

http://slackware.omgwtfroflol.com/slackbuilds/source/
 
1 members found this post helpful.
Old 01-27-2014, 09:26 AM   #10
Richard Cranium
Senior Member
 
Registered: Apr 2009
Location: McKinney, Texas
Distribution: Slackware64 15.0
Posts: 3,858

Rep: Reputation: 2225Reputation: 2225Reputation: 2225Reputation: 2225Reputation: 2225Reputation: 2225Reputation: 2225Reputation: 2225Reputation: 2225Reputation: 2225Reputation: 2225
Quote:
Originally Posted by acid_kewpie View Post
But that isn't doing any **AUTHENTICATION** against LDAP at all, merely user info. You'd still need a passwd / shadow entry on every box.
You don't need such a thing for NIS, so I'd be surprised that you would for ldap.
 
Old 01-27-2014, 09:39 AM   #11
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,333

Rep: Reputation: Disabled
Quote:
Originally Posted by Richard Cranium View Post
You don't need such a thing for NIS, so I'd be surprised that you would for ldap.
NIS distributes Unix user and group database files (/etc/passwd, /etc/group, /etc/shadow, /etc/gshadow) across all systems. OpenLDAP is a centralized system and doesn't touch any of these files. To locate a user or group object or authenticate a user, one must query the LDAP service.

Not only do you have to alter the way every program in the "shadow" suite works, you also have to provide new NSS libraries. PAM does all that and more.
 
Old 01-27-2014, 09:52 AM   #12
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,333

Rep: Reputation: Disabled
Quote:
Originally Posted by kikinovak View Post
As far as I can tell, this is just false information.
It seems he got as far as the NSS libraries, but no further. I don't see how one could ever progress beyond that without PAM.

I have some PAM scripts for Slackware if you're interested. I have one for PAM itself + cracklib, one for the shadow suite, one for OpenSSH and one for Samba. They all attempt to check for the latest versions (for the Slackware packages that means checking for a later version in patches/source) before downloading, compiling and installing.

I haven't gotten as far as creating proper .txz packages for Linux-PAM and cracklib, so the scripts simply compile and install those directly from source.
 
Old 01-27-2014, 10:18 AM   #13
Richard Cranium
Senior Member
 
Registered: Apr 2009
Location: McKinney, Texas
Distribution: Slackware64 15.0
Posts: 3,858

Rep: Reputation: 2225Reputation: 2225Reputation: 2225Reputation: 2225Reputation: 2225Reputation: 2225Reputation: 2225Reputation: 2225Reputation: 2225Reputation: 2225Reputation: 2225
Quote:
Originally Posted by Ser Olmy View Post
NIS distributes Unix user and group database files (/etc/passwd, /etc/group, /etc/shadow, /etc/gshadow) across all systems.
Please explain. I believe this is incorrect, but perhaps I am misunderstanding what you meant by the above.
 
Old 01-27-2014, 10:19 AM   #14
BratPit
Member
 
Registered: Jan 2011
Posts: 250

Rep: Reputation: 100Reputation: 100
Maybe kerberos way for authenticate users from LDAP???

http://canich.net/slackware/krb5.html
 
Old 01-27-2014, 10:28 AM   #15
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,333

Rep: Reputation: Disabled
Quote:
Originally Posted by BratPit View Post
Maybe kerberos way for authenticate users from LDAP???

http://canich.net/slackware/krb5.html
Huh? Are you suggesting somehow using OpenLDAP as a backend for Kerberos? It that even possible? I don't think so.
Also, that document has several issues:
  • It does not patch or alter the shadow suite, only OpenSSH. None of the shadow applications (login et al) will know anything about Kerberos.
  • User account integration is non-existent. I quote: "Note: the principal must be associated with an account on the system, either in the local passwd database or via a network system such as NIS or LDAP." In other words, a nonsensical solution that requires all accounts to be created in two separate user databases manually.
  • The document suggests installing MIT Kerberos, which is probably a bad idea, as that is likely to break Samba 4. Heimdal is not only more or less the de facto standard on Linux, it also contains significantly better functionality.

Last edited by Ser Olmy; 01-27-2014 at 10:38 AM.
 
  


Reply

Tags
ldap, pam


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
pam-ldap and pam-mysql gangadhar402 Linux - Software 2 03-09-2013 04:50 AM
sudo: Can't contact LDAP server with SSL and PAM sebastienliu Linux - Server 1 01-15-2013 12:02 AM
Enable freenx-server with pam/ldap brianmcgee Linux - Software 1 09-03-2010 03:29 AM
Openssh + PAM + LDAP fails only with LDAP users asimula Linux - Newbie 2 04-01-2010 07:10 AM
School switching some boxes to linux, showstopper: samba idamlaj Linux - Networking 5 05-22-2005 06:55 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware

All times are GMT -5. The time now is 12:43 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration