Re: [ldap] NIS, DCE and /etc/passwd replacement
- To: openldap-general@OpenLDAP.org
- Subject: Re: [ldap] NIS, DCE and /etc/passwd replacement
- From: gerard@teigetje.hku.nl (Gerard Ranke)
- Date: Fri, 26 May 2000 17:41:42 +0000
- In-reply-to: Mike Douglass <douglm@rpi.edu> "[ldap] NIS, DCE and /etc/passwd replacement" (May 26, 10:58am)
- References: <LYR46959-85528-2000.05.26-10.56.46--gerard#teigetje.hku.nl@listserver.itd.umich.edu>
On May 26, 10:58am, Mike Douglass wrote:
> Subject: [ldap] NIS, DCE and /etc/passwd replacement
> Currently we are using all of the above on AIX, Solaris, linux and Irix and
> would like to replace all methods with ldap. As a complication we also need
> AFS authentication to take place (I know that's nothing to do with ldap but
> some of the solutions may assume a local file system)
>
> Ideally, the authentication mechanism should make an anonymous connection
> to the ldap server (after all, /etc/passwd is world readable anyway).
>
> We're about to try reconfiguring some sgi machines but I haven't been able
> to find appropriate schema definitions. Has anybody done any or all of the
> above?
> Mike Douglass douglm@rpi.edu
>-- End of excerpt from Mike Douglass
I'm currently setting up a directory server to replace passwd and shadow files
on IRIX. For the password file this is rather straightforward: The objectclass
posixaccount has all the attributes needed. I only ran into a spot of trouble
with the shadow passwords. I can configure Irix' nsd so that shadow passwords
are looked up through ldap. Nsd's 'filesystem' even has 0600 permissions for
the shadow map, as you would like. Then I configured the ACLs on the directory
to prevent the shadow passwords from being world-readable via the directory.
This had the interesting effect of everybody being able to login to any account
served up by the directory without even being asked for a password! Some
debugging showed that nsd's bind failed, so that the query for a shadow
password was being done as an anonymous user who of course had no permissions
to read it, and an empty string was returned. Unfortunately, an empty string
means 'no password' to login... I believe that the bind failed because nsd does
an ldap v3 bind which is not (yet) understood by OpenLDAP. So now I'm
configuring the IPlanet server to see if that will serve us better.
Gerard Ranke
network administrator
Utrecht School of Arts
--
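The failure mode Gerard describes above, modelled as an added example (not code from the thread, from IRIX nsd or from OpenLDAP): the client's bind fails, the lookup silently runs anonymously, the ACL hides the password attribute, the consumer sees an empty string and treats it as "no password". The bind DN `cn=nsd,dc=example`, the `DIRECTORY` entries and the `{SHA256}` hash format are constructed stand-ins (real shadow entries carry crypt(3) hashes); the point is the fail-open decision beside its fail-closed replacement.

```python
"""Fail-open vs fail-closed handling of a directory shadow-password lookup."""
import hashlib
import hmac

# Constructed directory contents. The hash is sha256 of the password with a
# {SHA256} prefix, a stand-in for crypt(3) so the example runs anywhere.
LOOKUP_DN = "cn=nsd,dc=example"  # hypothetical identity the NSS client binds as
DIRECTORY = {
    "alice": {
        "uidNumber": 1001,
        "userPassword": "{SHA256}" + hashlib.sha256(b"correct horse").hexdigest(),
    },
}


def lookup_shadow(uid, bound_as):
    """Simulate the directory ACL: only LOOKUP_DN may read userPassword.

    Anyone else (including an anonymous query after a failed bind) gets the
    entry without the password attribute, which is what the ACL in the thread
    did. Unknown uids return None.
    """
    entry = DIRECTORY.get(uid)
    if entry is None:
        return None
    if bound_as != LOOKUP_DN:
        return {"uidNumber": entry["uidNumber"]}  # attribute withheld by ACL
    return dict(entry)


def verify(stored, password):
    """Constant-time comparison of the supplied password against the stored hash."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(stored[len("{SHA256}"):], digest)


def legacy_decision(entry, password):
    """The behaviour the thread reports: a withheld attribute degrades to ''
    and '' is read as 'this account has no password'."""
    stored = entry.get("userPassword", "") if entry else ""
    if stored == "":
        return True  # fail open: anyone logs in
    return verify(stored, password)


def hardened_decision(entry, password):
    """Fail closed: no entry, missing, empty or unrecognised hash all deny."""
    if not entry:
        return False
    stored = entry.get("userPassword")
    if not stored or not stored.startswith("{SHA256}"):
        return False
    return verify(stored, password)


def authenticate(uid, password, bind_succeeded):
    """Full path for the hardened consumer: a failed bind is itself a denial,
    rather than a silent fallback to an anonymous query."""
    if not bind_succeeded:
        return False  # surface the bind failure instead of degrading to anonymous
    entry = lookup_shadow(uid, LOOKUP_DN)
    return hardened_decision(entry, password)


if __name__ == "__main__":
    anon = lookup_shadow("alice", bound_as="")  # what a failed bind produced
    print("legacy, anonymous lookup, wrong password:", legacy_decision(anon, "nope"))
    print("hardened, anonymous lookup, wrong password:", hardened_decision(anon, "nope"))
    print("hardened, bound, right password:", authenticate("alice", "correct horse", True))
```

The legacy path accepts any password once the attribute is withheld; the hardened path refuses the empty value, refuses the anonymous fallback at the bind step, and treats an unknown uid the same way, so an ACL change on the directory can only make logins fail, never succeed.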