Re: unified login (unix + windows)
Hi,
To just check passwords you only need pam_ldap.
The login process through this library is basically two steps:
1- search the uid in the ldap-server and get the corresponding user-dn
2- try to bind into the ldap server using the user-dn and the password
entered along with the username; if the bind is successful, unix-login is
granted, otherwise rejected
You can perform the above search operation anonymously or using an
ldap-user; the latter is my choice because I do not have to give search
permission to everyone.
Using only pam_ldap requires you to have the users in /etc/passwd but
not their passwords (assuming you are not using /etc/shadow; if so, then
they have to exist in /etc/passwd but not in /etc/shadow), because you
need to know what your users' shell, home directory and so on are. If you
want to store all that information in the ldap server then you need
nss_ldap.
Salvador Salanova Fortmann
> How do the pam_ldap and nss_ldap check the password? Do they request
> a copy of the password, or attempt a login into LDAP?
> Albert Steiner
> At 11:17 AM 6/15/00 +0000, salvador.salanova@pas.udg.es wrote:
> >Hi,
> >>It is a dream of mine to have all passwords and users
> >>in one Ldap-Server.
> >
> >This is a small university, and the approach that I am using is as
> >follows:
> >
> >-ldap server:
> > stores the user database
> >
> >-unix stations (Solaris and Linux):
> > use pam_ldap and nss_ldap against ldap server
> >
> >-winnt classrooms:
> > today all users share the same username (generic one), we are
> >writing a replacement gina which first checks the user against ldap
> >server and after that logs the user in the ntworkstation using the
> >generic username and password hardcoded into the gina. This is not
> >finished yet.
> >
> >Hope this helps.
> >
> >Salvador Salanova Fortmann
> >
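
The two-step search-then-bind check described in the reply at the top of this message, as an added Python example that is not part of the original e-mail and is not pam_ldap's code. `FakeDirectory`, its DNs and passwords, `ldap_login` and `escape_filter_value` are constructed for illustration; the sketch also shows two checks the flow depends on: escaping the uid in the search filter and refusing an empty password before the bind.

```python
# Added example. FakeDirectory and every DN/password in it are constructed
# stand-ins for a real LDAP server; nothing here is pam_ldap's own code.

def escape_filter_value(value):
    """Escape RFC 4515 special characters so a username cannot alter the filter."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)

class FakeDirectory:
    """Constructed directory: DN -> (uid, password)."""
    ENTRIES = {
        "uid=alice,ou=people,dc=example,dc=org": ("alice", "correct horse"),
        "uid=bob,ou=people,dc=example,dc=org": ("bob", "hunter2"),
        "cn=pam,ou=services,dc=example,dc=org": (None, "search-secret"),
    }

    def bind(self, dn, password):
        # Models a server that accepts "unauthenticated bind" (DN plus empty
        # password, RFC 4513): the bind succeeds without proving anything.
        if password == "":
            return True
        entry = self.ENTRIES.get(dn)
        return entry is not None and entry[1] == password

    def search_uid(self, flt):
        # Understands only "(uid=<value>)"; a raw "*" matches every uid.
        value = flt[len("(uid="):-1]
        return [dn for dn, (uid, _) in self.ENTRIES.items() if uid is not None
                and (value == "*" or escape_filter_value(uid) == value)]

SEARCH_DN, SEARCH_PW = "cn=pam,ou=services,dc=example,dc=org", "search-secret"

def ldap_login(directory, username, password):
    """Grant login only if the user's own DN binds with the supplied password."""
    if not username or not password:       # never pass an empty password to bind
        return False
    # Step 1: bind as the dedicated search user and resolve uid -> user DN.
    if not directory.bind(SEARCH_DN, SEARCH_PW):
        return False
    matches = directory.search_uid("(uid=%s)" % escape_filter_value(username))
    if len(matches) != 1:                   # unknown or ambiguous uid: reject
        return False
    # Step 2: the password check is the bind itself.
    return directory.bind(matches[0], password)
```
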