|
Quote:
My knowledge of NIS is limited, as I've found little use for it. Most of what I've learned about the inner workings of NIS, I got from the FreeBSD handbook. |
Quote:
I don't see why nss_ldap would be unable to provide the same service that either nss_nis or nss_nisplus do. |
Quote:
This really piqued my curiousity, so I went to the Linux Documentation Project site and found this page. In section 7.6 they recommend putting the password in /etc/passwd for NIS users. Does that not imply that NIS uses and alters this file? I'm not saying you're mistaken, but could there be different implementaions of NIS? Because it really, really looks like the ypclient daemon relies on /etc/passwd. (I'm now in the process of installing two virtual servers to find out exactly how NIS works. I obviously should have done so years ago, thanks for the push! :)) Quote:
|
Quote:
http://docs.slackware.com/howtos:net...aming_profiles |
There certainly are different versions of NIS / NIS+ / YP. There's three for a start.
They don't modify the actual files, they store a cache, but fundamentally the passwords (when used for authentication) are available as hashes on the client in question, often ripe for hash dictionary attacks etc. Unlike LDAP which uses the password to access a remote service (binding to the LDAP server), and access to that service proves the password was correct. |
Quote:
It was that last part that really had me confused; how could the programs in the shadow suite possibly be using an alternate authentication mechanism, when no such support was compiled into the executables? After all, PAM authentication only works after you've recompiled the applications in question to include PAM support. The answer is as simple as it is obvious (in retrospect, anyway): The NIS hooks exist in glibc itself. |
Quote:
The only issues I ran into while following those instructions, were:
|
I could negotiate a delay of about a month until I have to decide what system I am going to use for this migration. I'd *really* *really* like to use Slackware for that. I'm feeling somewhere between mildly adventurous and slightly panicked at the prospect of configuring your average Slackware desktop for use in a corporate environment with LDAP authentication. At least, I'd like to give it a serious try.
Maybe some folks are interested in having such a solution? So why not join our efforts? I'm using this detailed and excellent blog article as a starting point. I guess it's currently the best available documentation on the subject: http://karellen.blogspot.fr/2011/11/...are-linux.html User management should be possible for the clients (meaning: a school director should be able to add or delete users with some graphical application). I thought about integrating this tool: https://www.ldap-account-manager.org/lamcms/ If you know something better and/or more appropriate, let me know here. I'm writing SlackBuilds for all the stuff that has to be rebuilt. They're currently available in my Git repo: # git clone https://github.com/kikinovak/slackware Take a peek in the testing/ directory. I'm also taking (laconic) notes in the Linux-HOWTOs/LDAP-HOWTO.txt file. I plan to elaborate this in the future, but for the moment, this is one big terra incognita, and I'm out there fighting the darkness with a bush knife. I'll keep you posted. |
I can't offer any insights on OpenLDAP, but I can say that in my experience, adding PAM to Slackware is a painless experience.
Mind you, I mostly use a small subset of the packages in Slackware, and there may very well be other packages (Apache?) besides shadow, OpenSSH and Samba that would need rebuilding in order to work properly with PAM. (I may have to look into OpenLDAP soon, though, as work is underway to support the use of OpenLDAP as a backend for Samba 4.) |
I wonder if this is the solution to my problem. Unfortunately the available documentation is sparse:
http://arthurdejong.org/nss-pam-ldapd/ What's the Unix admin guru's opinion on this? |
Quote:
I looked into this some years back and this site seemed to have a fair amount of useful documentation. How much use it is now, though, I'm not sure: http://www.bayour.com/LDAPv3-HOWTO.html |
For fun I decided to get my vbox 14.1 x64 install authenticating against ADS via pam_winbind yesterday, finished up today.
Its not too terrible, and once, you've built the packages and baseline confs out you could rig them into your installer. You would have to rebuild a few packages occasionally when they got updates though. I suppose if you were pulling updates from a local mirror you could just rebuild them and replace the packages in the mirror before updating clients or some such. Anyways heres the rough stream of consciousness notes on what was involved, this was on a vbox install so I just took a snapshot before hand, backup before you do anything that could lock you out of your machine, this isn't a thorough guide and I haven't tested it extensively so you take your fate into your own hands if you want to do it,etc etc , just what worked for me in case it helps anyone out getting through some of the little things that crop up: Code:
You can restrict via ad/ldap group with options in the various pam files I believe. This was the first time I've done this and a lot of steps could be combined and automated to simplify the process. And as Ser Olmy said , if there are other services that need to authenticate against PAM then you might have more rebuilding in there. Not too bad to get basic authentication and samba services up though, and good way to learn how some of these pieces fit together :) Edit: Oh yeah, you'll probably want to rebuild sudo with pam enabled as well |
Have you considered Samba and nss winbindd? I know not exactly the most UNIXy thing to do but a rebuild of the samba, and openldap after installing the MIT kerberos package worked great on 14.0 joining an active directory domain as a member server; with pretty complete AAA integration with the domain.
The MIT kerberos package also contains a kerberized login program which you can use instead of /bin/login; works great on the console though I don't know what you would do for X11 based logins. winbindd takes care of all your group memberships. I can vouch for this setup working well on Slackware 14.0 with the versions of Samba, and openldap that shipped with that release. I have a number of Slackware member servers doing various things in our corporate AD environment. I don't see why it would not work with a Samba server acting as the domain controller. The problems really are X11 greeters and having and as others have pointed out MIT Kerberos package does not seem to be the direction the Linux world is moving it. |
I'd be very interested if you've finally succeeded to set LDAP-based authentication without PAM.
About 4-5 yerars ago my collegue played with openldap services incl. authentication with Slackware in a heterogenous Win/Lin network. If I remember correctly NSS module from PADL sw. company was used. I've sent an email with that question and link to this forum. Hope he'll share his experience and knowledge. |
Quote:
The other posts on that thread are also informative. But there are two issues:
AFAICT the two issues above can easily be resolved by installing pam - the pam_mkhomedir module will automatically create a home directory if it doesn't exist. On a small network with only a few users and a few computers the above two issues are not really an issue, I would say. On a bigger network, I would install pam. |
| All times are GMT -5. The time now is 09:00 AM. |