LinuxQuestions.org

Linux - Security: PAM adduser? (https://www.linuxquestions.org/questions/linux-security-4/pam-adduser-770333/)

icga 11-19-2009 07:31 PM

PAM adduser?
I am trying to implement a centralized user system where all the users and passwords are stored on a centralized system. My first instinct was to use radius, since we already have that going for a number of different services. However after reading up on pam_radius, it appears that you must first create the user locally on each system and all pam_radius does is act as a central password repository.

Is this true, and if so, is there any system out there that does not require you to create the user locally first?

Thanks!

jhwilliams 11-19-2009 07:37 PM

PAM is a localhost kind of ballgame. People seem to like and use LDAP authentication well enough these days. It depends largely on the deployment and interface of the "centralized user system" you're designing. Heck, some people like to stuff user auth data in a MySQL database and auth it with a PHP form.

Jim Bengtson 11-19-2009 09:54 PM

Quote:

Originally Posted by icga (Post 3763322)
I am trying to implement a centralized user system where all the users and passwords are stored on a centralized system. My first instinct was to use radius, since we already have that going for a number of different services. However after reading up on pam_radius, it appears that you must first create the user locally on each system and all pam_radius does is act as a central password repository.

Is this true, and if so, is there any system out there that does not require you to create the user locally first?

Thanks!

You can use an LDAP directory to centralize your usernames, passwords, etc., and use PAM modules to integrate PAM on each of your computers to this centralized LDAP directory.

This will get you started, but there's lots more reading to do:
http://ldots.org/ldap

Jim Bengtson 11-19-2009 10:26 PM

I've just ordered a book that looks good...you might want to check it out too.

Pluggable Authentication Modules: The Definitive Guide to PAM for Linux SysAdmins and C Developers: A comprehensive and practical guide to PAM for Linux: how modules work and how to implement them
https://www.amazon.com/gp/product/19...ss_T15_product

And, of course:

LDAP System Administration
http://www.amazon.com/LDAP-System-Ad...ref=pd_sim_b_2

chiragrk 11-19-2009 10:57 PM

Quote:

Originally Posted by Jim Bengtson (Post 3763412)
You can use an LDAP directory to centralize your usernames, passwords, etc., and use PAM modules to integrate PAM on each of your computers to this centralized LDAP directory.

This will get you started, but there's lots more reading to do:
http://ldots.org/ldap

You should use a centralized LDAP. However, I won't recommend all systems having to look up this centralized LDAP all the time, especially if your servers are connected via WAN links, because:
1) Response times will be high.
2) In case the centralized LDAP fails, you're in for trouble.

I would recommend that you use centralized LDAP for user management and then have this LDAP data replicated across all the other servers. OpenLDAP does support master/slave modes. The same can be accomplished using MySQL master-slave mode.

icga 11-21-2009 03:01 PM

So by using LDAP, the local users are dynamically added and deleted as the user logs into and logs out of the server?

Is it possible to do this with pam_radius?

slimm609 11-21-2009 06:25 PM

Quote:

Originally Posted by chiragrk (Post 3763452)
I would recommend that you use centralized LDAP for user management and then have this LDAP data replicated across all the other servers. OpenLDAP does support master/slave modes. The same can be accomplished using MySQL master-slave mode.

Why would you ever replicate the LDAP information across all other servers? That kinda defeats the purpose of LDAP and also becomes a huge pain to manage and troubleshoot.


OP: LDAP is the way you want to go. pam_radius can work with LDAP, but there is an LDAP module for PAM and you should use that. If you have a large environment, look into LDAP multi-master and just set up 2-3 LDAP servers.
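
Added example, not part of the thread: a small POSIX shell audit that separates the two setups icga asked about above and slimm609 answers. pam_radius_auth (and pam_ldap on its own) only answers PAM's "is this password right" question, so the account must still resolve through NSS, which by default means /etc/passwd. To have directory accounts appear on a host without running adduser, the passwd and group databases in /etc/nsswitch.conf must list a directory source (ldap for nss_ldap, sss for SSSD), and pam_mkhomedir in the session stack creates the home directory on first login. The file names, file contents and the three classification labels are constructed for illustration; the check reads whatever paths you pass it, so you can point it at a real /etc/nsswitch.conf and /etc/pam.d file.

```shell
#!/bin/sh
# Added example (not from the thread): audit whether a host resolves accounts
# from a directory via NSS, or only checks passwords centrally via PAM.
# Sample paths and file contents below are constructed for illustration.

# nss_uses_directory FILE: exit 0 if the passwd database in an nsswitch.conf
# style file lists a directory source (ldap or sss), 1 otherwise.
nss_uses_directory() {
    grep -Eq '^[[:space:]]*passwd:.*[[:space:]](ldap|sss)([[:space:]]|$)' "$1"
}

# pam_has_module FILE TYPE MODULE: exit 0 if a PAM config file has an active
# (non-comment) line of the given type (auth/account/session/...) loading MODULE.
pam_has_module() {
    grep -Eq "^[[:space:]]*$2[[:space:]].*[[:space:]]$3(\.so)?([[:space:]]|$)" "$1"
}

# classify NSSWITCH PAMFILE: prints one of
#   directory-accounts : accounts come from the directory, no local adduser needed
#   central-passwords  : only the password is checked centrally (pam_radius style);
#                        the user must still exist in /etc/passwd
#   local-only         : neither
classify() {
    nss="$1"; pam="$2"
    if nss_uses_directory "$nss" && \
       { pam_has_module "$pam" auth pam_ldap || pam_has_module "$pam" auth pam_sss; }; then
        echo directory-accounts
    elif pam_has_module "$pam" auth pam_radius_auth || pam_has_module "$pam" auth pam_ldap \
         || pam_has_module "$pam" auth pam_sss; then
        echo central-passwords
    else
        echo local-only
    fi
}

# setup_samples: write constructed nsswitch.conf and PAM files into a temp dir
# so the example runs offline; prints the directory path.
setup_samples() {
    d=$(mktemp -d)
    cat > "$d/nsswitch.radius" <<'EOF'
passwd:         files
group:          files
shadow:         files
EOF
    cat > "$d/nsswitch.ldap" <<'EOF'
passwd:         files ldap
group:          files ldap
shadow:         files ldap
EOF
    cat > "$d/pam.radius" <<'EOF'
# pam_radius only checks the password; the account still comes from /etc/passwd
auth    sufficient   pam_radius_auth.so
auth    required     pam_unix.so try_first_pass
EOF
    cat > "$d/pam.ldap" <<'EOF'
auth    sufficient   pam_unix.so nullok_secure
auth    sufficient   pam_ldap.so use_first_pass
auth    required     pam_deny.so
session required     pam_mkhomedir.so skel=/etc/skel umask=0077
EOF
    echo "$d"
}

# Stand-alone demo over the constructed samples.
d=$(setup_samples)
classify "$d/nsswitch.radius" "$d/pam.radius"   # central-passwords
classify "$d/nsswitch.ldap"   "$d/pam.ldap"     # directory-accounts
rm -rf "$d"
```

The third combination is the one that bites in practice: an LDAP auth line in PAM with nsswitch.conf still at `passwd: files` is classified as central-passwords, because getpwnam() never sees the directory and logins fail with "user not found" no matter how pam_ldap is configured.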

chiragrk 11-21-2009 11:20 PM

Quote:

Originally Posted by slimm609 (Post 3765273)
Why would you ever replicate the LDAP information across all other servers? That kinda defeats the purpose of LDAP and also becomes a huge pain to manage and troubleshoot.

That's how you ensure a single server isn't loaded with all the LDAP queries; make it scalable. Never had a _huge_ pain troubleshooting such replicated LDAP directories, a little bit painful, but what isn't?

slimm609 11-22-2009 12:23 AM

Quote:

Originally Posted by chiragrk (Post 3765390)
That's how you ensure a single server isn't loaded with all the LDAP queries; make it scalable. Never had a _huge_ pain troubleshooting such replicated LDAP directories, a little bit painful, but what isn't?

Replicating to ALL servers or all LDAP slaves?

