
Re: LDAP/mail interaction



On Wed, 14 Jul 1999, Jeff Clowser wrote:

> Second is that the side effect of this would be that users could also
> log into the machine, ftp to it, etc - they could use whatever other
> user based services are on that box, which could be bad.

Argh.. hit send too quickly.  You can "play games" to have the users "exist"
(for services like email - Sendmail, etc.) on the Unix machine (i.e., they
still must have UIDs and such) without actually letting them login (so
home directories may not exist, or something).

For example - PAM-based systems can selectively use (or not) the remote
directory service (LDAP) on an application-by-application basis;  things like
FTP and TELNET could be told to only use the local /etc/passwd files, whilst
POP daemons would use /etc/passwd files and a remote LDAP service (thus,
LDAP-only users could login to check mail, but couldn't FTP or TELNET into the
machine).

> There are ways to tighten this down, but it starts to get very complicated.

Depends on the solution (of course);  the PAM example above is pretty simple.

Cheers..


dave
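A concrete per-service PAM layout for the split described above (an added illustration, not configuration from the original message or from any particular vendor): FTP and TELNET consult only the local password files, while POP tries local accounts first and then the LDAP directory. Service file names and the pam_ldap module are assumptions; they vary by platform.

```text
# Constructed example, not from the original post.  Linux-PAM style
# /etc/pam.d/<service> files.  Assumed: service names "ftp", "telnet",
# "pop" (check what your daemons actually register), pam_unix.so for
# /etc/passwd + /etc/shadow, and pam_ldap.so (PADL) for the directory.

# /etc/pam.d/ftp  -- local accounts only.  An LDAP-only user has no
# /etc/shadow entry, so pam_unix fails and the FTP login is refused.
auth     required   pam_unix.so
account  required   pam_unix.so

# /etc/pam.d/telnet -- identical to ftp: local accounts only.
auth     required   pam_unix.so
account  required   pam_unix.so

# /etc/pam.d/pop  -- local accounts first, then the remote directory.
# "sufficient" stops on success; on failure processing continues to
# pam_ldap, which is "required", so LDAP-only users can still fetch mail.
auth     sufficient pam_unix.so
auth     required   pam_ldap.so use_first_pass
account  sufficient pam_unix.so
account  required   pam_ldap.so

# Caveats for the LDAP-only users that pop admits:
#  - PAM only authenticates; the POP daemon still needs a UID/GID and a
#    mail spool for them (via a local passwd entry or nss_ldap), which is
#    the "must have UIDs and such" point above.
#  - Keep the permissive pop stanzas out of /etc/pam.d/other (the
#    fallback file); a service that is not explicitly listed should not
#    inherit the LDAP path.
```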