RE: SSL connection to LDAP server
On Tue, 7 Sep 1999, Richard Ellerbrock wrote:

> >I'm very interested in how you have setup your Linux/Novell setup, and what
> >you're now capable of achieving - i.e. can you now authenticate users
> >to the linux box from the novell nds?
> 
> No, not yet. This is something that I want to play around with.

Whilst not specifically using Linux, the project mentioned within this post:

  http://www.openldap.org/lists/openldap-general/9908/msg00051.html

has succeeded in using LDAP to authenticate users to NDS from a UNIX system
(Solaris in this case, but the same solutions/technologies should work on
modern Linux systems).

I'd appreciate feedback for expanding the documentation/explanations contained
therein.

> LDAP is not really meant for authentication as the name suggests
> (LightWeight Directory Access Protocol).

Maybe so, but logically it makes sense to utilise a single directory/source
for authentication data rather than building synchronisation systems
everywhere just for duplicating data.

> >Can you authenticate them when they pop/imap to the linux box, off the
> >novell server?
> 
> No.

The above project can.  :-)

> What you could do is use the NDS directory as a store for your information
> and then copy it onto your Unix machine at regular intervals by querying the
> NDS.

This is just synchronisation, in which case you might as well run NDS' native
protocols to do the same thing (does Caldera's software permit replicating the
native NDS database directly to Linux?).

Replacing the PAM and NSS backends with LDAP lookups to an NDS box, you don't
need synchronisation - the lookups/authentication work directly against the
NDS.

> The only problem is passwords.

NDS doesn't store the current password in its schema (it does store previously
used passwords, though);  it uses public keys.  For this reason, the LDAP
front-end "fakes" the "userPassword" attribute (not always in logical or
completely compatible ways).

For example, you have to use clear-text passwords (encrypt the LDAP session
using SSL);  also if a user wants to change their own password, you have to be
running NDS 8 SP 1 and can't just replace/modify the "userPassword" attribute
(Novell TIDs document how to change the password).

> You are probably better off using Radius for this task. There is a Radius
> gateway into NDS that we use to authenticate dial-up users directly into the
> NDS.

Change Linux apps to use PAM, then install a PAM back-end that uses RADIUS to
authenticate against the NDS box - yeah, I guess that could work too.

> >Can you now use your novell server's nds as your central Directory?
> 
> Yes. This is my ultimate goal. At the end of the day I want to be able to
> bring all my "directories" (OS/390, Radius, Oracle, Unix NIS etc) into the
> NDS.

In our case we're using NDS as the implementation/repository, but it's being
treated as though it was just another LDAP server;  the idea being that in
future we don't have to be tied to NDS if we want to move elsewhere.

Cheers..


dave
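As an added example, not taken from this thread or from Novell's or OpenLDAP's own documentation, here is roughly what the "PAM and NSS backends doing LDAP lookups against NDS" arrangement looks like with the PADL pam_ldap/nss_ldap modules, which the post does not name. The directive names are taken from later PADL ldap.conf documentation and are assumed to match; the host name, base DN, proxy account and CA path are placeholders. The weak setting is shown first, commented out, beside the SSL-protected form that the clear-text userPassword handling requires.

```conf
# /etc/ldap.conf (read by both pam_ldap and nss_ldap) -- placeholder values
host nds.example.org                  # assumed NDS host running Novell's LDAP front-end
base o=Example                        # assumed tree base
binddn cn=nssproxy,o=Example          # assumed read-only proxy account for NSS lookups
bindpw proxy-password-placeholder     # keep this file readable by root only

# WEAK: NDS only accepts the plain password in a simple bind, so with the
# session unencrypted every login ships the user's password in clear text.
#ssl off
#port 389

# CORRECTED: wrap the whole session in SSL and verify the server certificate;
# without the peer check the clear-text bind can be captured by, or redirected
# to, an impostor LDAP server.
ssl on
port 636
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/nds-ca.pem   # CA that signed the NDS cert (assumed path)

# NDS fakes userPassword, so a plain modify of that attribute does not change
# the real password; pam_ldap's NDS-specific routine is used for "passwd".
pam_password nds

# Map the NIS-style passwd/group lookups onto the NDS tree (assumed containers)
nss_base_passwd ou=people,o=Example?one
nss_base_group  ou=groups,o=Example?one

# /etc/nsswitch.conf -- consult local files first, then NDS via LDAP
passwd: files ldap
group:  files ldap
shadow: files ldap

# /etc/pam.d/login -- authenticate against NDS, fall back to local accounts
auth     sufficient pam_ldap.so
auth     required   pam_unix.so try_first_pass
account  sufficient pam_ldap.so
account  required   pam_unix.so
password sufficient pam_ldap.so
password required   pam_unix.so
session  required   pam_unix.so
```

With this in place a user who exists only in NDS can log in (or POP/IMAP, given a PAM-aware daemon) without any copy of the account on the Linux box, which is the "no synchronisation" point made above.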