LinuxQuestions.org, Slackware forum: Missing Linux-PAM as a showstopper for LDAP server (http://www.linuxquestions.org/questions/slackware-14/missing-linux-pam-as-a-showstopper-for-ldap-server-4175492713/)

kikinovak 01-27-2014 04:18 AM

Missing Linux-PAM as a showstopper for LDAP server
 
I've been spending a few days and a few long nights experimenting with setting up an LDAP server for central authentication.

I have a new client (medium-size town hall here in South France) who's considering migrating 35 desktop clients from Windows to Linux. Their server is already running Zentyal, with all user accounts on LDAP. Which means I have to configure LDAP authentication for Slackware clients.

The non-inclusion of Linux-PAM in Slackware makes this task nearly impossible. I'm facing the choice of rebuilding a bunch of base packages... or just quitting. This is a real showstopper, and the only choice I have is use another distribution. Which sucks.

ponce 01-27-2014 04:24 AM

have you considered installing Slackware-14.0 with vbatts' stuff?

http://www.slackware.com/~vbatts/pam/

Didier Spaier 01-27-2014 04:34 AM

And you could have a look at:
How can I authenticate a Slackware client against an LDAP server without PAM?

acid_kewpie 01-27-2014 04:42 AM

Quote:

Originally Posted by Didier Spaier (Post 5105977)

But that isn't doing any **AUTHENTICATION** against LDAP at all, merely user info. You'd still need a passwd / shadow entry on every box.

kikinovak 01-27-2014 05:18 AM

Quote:

Originally Posted by Didier Spaier (Post 5105977)

As far as I can tell, this is just false information.

kikinovak 01-27-2014 05:21 AM

Quote:

Originally Posted by ponce (Post 5105970)
have you considered installing Slackware-14.0 with vbatts' stuff?

http://www.slackware.com/~vbatts/pam/

I know that page, but as far as I can tell, the stuff is only available for -current. There's no information about the Slackware version, e.g. 13.37, 14.0, 14.1. Of course I could try and figure this all out by myself, but in that case, this is clearly the distributor's job.

Alien Bob 01-27-2014 06:11 AM

Quote:

Originally Posted by kikinovak (Post 5106009)
I know that page, but as far as I can tell, the stuff is only available for -current. There's no information about the Slackware version, e.g. 13.37, 14.0, 14.1.

The last update there was in August 2012, so it has never been tried on Slackware 14.1.

Quote:

Of course I could try and figure this all out by myself, but in that case, this is clearly the distributor's job.
Vincent's files are a voluntary effort; he was not paid or asked to produce this. This collection of sources, diffs and packages must be seen "as is" because it is not going to be part of the Slackware distribution any time soon. I estimate that it should be feasible to update the sources to match Slackware 14.1, but this is of course a different kind of enhancement than adding a MLED layer on top of Slackware - you are effectively changing the way your Slackware computers deal with user authentication. If you apply this to a stable Slackware release, the maintenance effort of adding PAM should be minimal but not zero (for instance, you would have to recompile an openssl package if Slackware released a vulnerability fix in /patches).

Eric

ponce 01-27-2014 06:13 AM

some clarifications:
- since it was updated on 29 Sep 2012, it's updated to Slackware 14.0 (released on 26 Sep 2012);
- AFAIK, as long as it doesn't get officially in Slackware it's testing stuff (as written on the page), so use it at your own risk.

I suggested that because I thought you would be able to support it yourself (you can also see what's changed and rebuild 14.1 packages), but if I have misunderstood and you're looking for an official PAM-supported distribution with all the bells and whistles, maybe you're better off with something else.

EDIT: Eric beat me (and actually answered better)!

bartgymnast 01-27-2014 06:21 AM

@kikinovak

You can take a look at my slackbuilds (built for 14.1)

http://slackware.omgwtfroflol.com/slackbuilds/source/

Richard Cranium 01-27-2014 09:26 AM

Quote:

Originally Posted by acid_kewpie (Post 5105982)
But that isn't doing any **AUTHENTICATION** against LDAP at all, merely user info. You'd still need a passwd / shadow entry on every box.

You don't need such a thing for NIS, so I'd be surprised that you would for ldap.

Ser Olmy 01-27-2014 09:39 AM

Quote:

Originally Posted by Richard Cranium (Post 5106125)
You don't need such a thing for NIS, so I'd be surprised that you would for ldap.

NIS distributes Unix user and group database files (/etc/passwd, /etc/group, /etc/shadow, /etc/gshadow) across all systems. OpenLDAP is a centralized system and doesn't touch any of these files. To locate a user or group object or authenticate a user, one must query the LDAP service.

Not only do you have to alter the way every program in the "shadow" suite works, you also have to provide new NSS libraries. PAM does all that and more.
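Ser Olmy's distinction above, between NSS (which supplies user and group information) and PAM (which performs the actual password check), is the one that most often goes wrong in practice: a client whose nsswitch.conf lists ldap will happily resolve directory accounts while every login is still verified against the local /etc/shadow. The following is an added example, not code from this thread or from any of the posters' build scripts: a small POSIX shell audit that reports whether a given /etc tree resolves users through an LDAP-backed NSS source and whether any PAM auth stack actually calls an LDAP-aware module (pam_ldap.so or pam_sss.so). The fixture files it writes are constructed for the demonstration only; the nsswitch.conf and pam.d layout and the pam_unix option names are standard glibc/Linux-PAM conventions, and the fixture PAM stack is illustrative rather than a vetted production configuration.

```shell
#!/bin/sh
# Added example (not from the thread): audit whether a host RESOLVES users from
# LDAP (NSS) and whether it AUTHENTICATES them against LDAP (PAM). The two are
# independent: NSS alone only supplies uid/gid/home/shell, and the password
# check still falls through to local /etc/shadow (pam_unix) unless an
# LDAP-aware module is stacked into the PAM 'auth' phase.
#
# Usage: audit_ldap_auth <etc-dir>    (e.g. /etc on a real host)
# Prints one of: none | nss-only | pam-only | nss+pam

# Does nsswitch.conf use a directory-backed source for passwd lookups?
# 'ldap' covers nss_ldap / nss-pam-ldapd, 'sss' covers sssd.
nss_uses_ldap() {
    grep -E '^[[:space:]]*passwd:.*[[:space:]](ldap|sss)([[:space:]]|$)' \
        "$1/nsswitch.conf" >/dev/null 2>&1
}

# Does any PAM stack run an LDAP-aware module in the 'auth' phase?
# Accepts per-service /etc/pam.d/* files and the legacy single /etc/pam.conf
# (where a service name precedes the 'auth' keyword).
pam_auth_uses_ldap() {
    cat "$1"/pam.d/* "$1"/pam.conf 2>/dev/null \
      | grep -E '^[[:space:]]*([^#[:space:]]+[[:space:]]+)?auth[[:space:]].*pam_(ldap|sss)\.so' \
        >/dev/null
}

audit_ldap_auth() {
    dir=${1:-/etc}
    nss=no; pam=no
    if nss_uses_ldap "$dir"; then nss=yes; fi
    if pam_auth_uses_ldap "$dir"; then pam=yes; fi
    case "$nss$pam" in
        yesyes) echo "nss+pam" ;;
        yesno)  echo "nss-only" ;;   # users resolve, but passwords are still checked locally
        noyes)  echo "pam-only" ;;   # unusual: PAM binds to LDAP for users NSS cannot resolve
        *)      echo "none" ;;
    esac
}

# Constructed fixtures (not real host files) so the audit can be exercised
# offline.  $1 = target dir, $2 = "nss-only" or "nss+pam".
make_fixture() {
    mkdir -p "$1/pam.d"
    printf 'passwd: files ldap\ngroup:  files ldap\nshadow: files\n' > "$1/nsswitch.conf"
    # Stock-looking stack: local password check only, i.e. the "NSS without PAM" situation
    printf 'auth     required   pam_unix.so\naccount  required   pam_unix.so\n' > "$1/pam.d/login"
    if [ "$2" = "nss+pam" ]; then
        # Illustrative stack: try the directory first, fall back to local accounts;
        # use_first_pass reuses the password pam_ldap already prompted for.
        printf '%s\n' \
            'auth     sufficient pam_ldap.so' \
            'auth     required   pam_unix.so use_first_pass' \
            'account  sufficient pam_ldap.so' \
            'account  required   pam_unix.so' > "$1/pam.d/login"
    fi
}

# Demo on the constructed fixtures
tmp=$(mktemp -d)
make_fixture "$tmp/a" nss-only;  echo "a: $(audit_ldap_auth "$tmp/a")"
make_fixture "$tmp/b" nss+pam;   echo "b: $(audit_ldap_auth "$tmp/b")"
rm -rf "$tmp"
```

Run `audit_ldap_auth /etc` on a client; "nss-only" is exactly the state acid_kewpie describes earlier in the thread, where directory users exist on the box but cannot log in without a local shadow entry. The audit only inspects configuration; whether the LDAP bind itself is protected (TLS, bind credentials) still has to be checked separately.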

Ser Olmy 01-27-2014 09:52 AM

Quote:

Originally Posted by kikinovak (Post 5106007)
As far as I can tell, this is just false information.

It seems he got as far as the NSS libraries, but no further. I don't see how one could ever progress beyond that without PAM.

I have some PAM scripts for Slackware if you're interested. I have one for PAM itself + cracklib, one for the shadow suite, one for OpenSSH and one for Samba. They all attempt to check for the latest versions (for the Slackware packages that means checking for a later version in patches/source) before downloading, compiling and installing.

I haven't gotten as far as creating proper .txz packages for Linux-PAM and cracklib, so the scripts simply compile and install those directly from source.

Richard Cranium 01-27-2014 10:18 AM

Quote:

Originally Posted by Ser Olmy (Post 5106137)
NIS distributes Unix user and group database files (/etc/passwd, /etc/group, /etc/shadow, /etc/gshadow) across all systems.

Please explain. I believe this is incorrect, but perhaps I am misunderstanding what you meant by the above.

BratPit 01-27-2014 10:19 AM

Maybe the Kerberos way to authenticate users from LDAP???

http://canich.net/slackware/krb5.html

Ser Olmy 01-27-2014 10:28 AM

Quote:

Originally Posted by BratPit (Post 5106156)
Maybe the Kerberos way to authenticate users from LDAP???

http://canich.net/slackware/krb5.html

Huh? Are you suggesting somehow using OpenLDAP as a backend for Kerberos? Is that even possible? I don't think so.
Also, that document has several issues:
  • It does not patch or alter the shadow suite, only OpenSSH. None of the shadow applications (login et al) will know anything about Kerberos.
  • User account integration is non-existent. I quote: "Note: the principal must be associated with an account on the system, either in the local passwd database or via a network system such as NIS or LDAP." In other words, a nonsensical solution that requires all accounts to be created in two separate user databases manually.
  • The document suggests installing MIT Kerberos, which is probably a bad idea, as that is likely to break Samba 4. Heimdal is not only more or less the de facto standard on Linux, it also contains significantly better functionality.

