
Re: unified login (unix + windows)



Hi,

To just check passwords you only need pam_ldap.

The login process through this library is basically two steps:
1-search the uid in the ldap-server and get the corresponding user-dn
2-try to bind into the ldap server using the user-dn and the password 
entered along with the username; if the bind is successful, unix-login is 
granted, otherwise rejected

You can perform the above search operation anonymously or using an 
ldap-user; the latter is my choice because I do not have to give search 
permission to everyone.

Using only pam_ldap requires you to have the users in /etc/passwd but 
not their passwords (assuming you are not using /etc/shadow; if so, then 
they have to exist in /etc/passwd but not in /etc/shadow), because you 
need to know what your users' shell, home directory and so on are. If you 
want to store all that information in the ldap server, then you need 
nss_ldap.

Salvador Salanova Fortmann

> How do the pam_ldap and nss_ldap check the password. Do they request 
> a copy of the password, or attempt a login into LDAP?

> Albert Steiner

> At 11:17 AM 6/15/00 +0000, salvador.salanova@pas.udg.es wrote:
> >Hi,
> >>It is a dream of mine to have all passwords and users
> >>in one Ldap-Server.
> >
> >This is a small university, and the approach that I am using is as
> >follows:
> >
> >-ldap server:
> >     stores the user database
> >
> >-unix stations (Solaris and Linux):
> >     use pam_ldap and nss_ldap against ldap server
> >
> >-winnt classrooms:
> >     today all users share the same username (generic one), we are
> >writing a replacement gina which first checks the user against ldap
> >server and after that logs the user in the NT workstation using the
> >generic username and password hardcoded into the gina. This is not
> >finished yet.
> >
> >Hope this helps.
> >
> >Salvador Salanova Fortmann
> >
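The two-step check Salvador describes (search for the uid with a dedicated search account, then bind as the returned DN with the user's password) as an added Python sketch; it is not from the mail or from pam_ldap itself, and the directory dictionary, the search account and all names and passwords are constructed stand-ins for a real LDAP server so it runs offline.

```python
"""Search-then-bind authentication in the style of pam_ldap (added example).

The in-memory DIRECTORY stands in for the LDAP server; entries, DNs and
passwords are constructed for this illustration.
"""

BASE = "ou=people,dc=example,dc=com"
DIRECTORY = {  # dn -> attributes, as the server would hold them
    "uid=alice,ou=people,dc=example,dc=com": {"uid": "alice", "userPassword": "s3cret"},
    "uid=bob,ou=people,dc=example,dc=com": {"uid": "bob", "userPassword": "hunter2"},
    "cn=pamsearch,ou=services,dc=example,dc=com": {"userPassword": "search-pw"},
}
SEARCH_DN = "cn=pamsearch,ou=services,dc=example,dc=com"  # the "ldap-user" used for step 1
SEARCH_PW = "search-pw"


def server_bind(dn, password):
    """Model of an LDAP simple bind as the server evaluates it.

    An empty password is an 'unauthenticated' bind (RFC 4513): the server
    accepts it and grants anonymous access, so it must NOT be taken as proof
    that the caller knows dn's password. The client has to refuse it itself.
    """
    if password == "":
        return True  # anonymous, not authenticated as dn
    entry = DIRECTORY.get(dn)
    return entry is not None and entry.get("userPassword") == password


def search_uid(uid):
    """Step 1: every entry under BASE whose uid attribute matches."""
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.endswith(BASE) and attrs.get("uid") == uid]


def pam_ldap_authenticate(username, password):
    """Grant login only if the search yields exactly one DN and binding as
    that DN with a non-empty password succeeds."""
    if password == "":
        return False  # refuse before binding; see server_bind()
    if not server_bind(SEARCH_DN, SEARCH_PW):
        return False  # search account itself cannot bind
    matches = search_uid(username)
    if len(matches) != 1:
        return False  # unknown user, or ambiguous uid
    return server_bind(matches[0], password)  # step 2
```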