Re: LDAP/mail interaction
On Wed, 14 Jul 1999, Jeff Clowser wrote:
> Second is that the side effect of this would be that users could also
> log into the machine, ftp to it, etc - they could use whatever other
> user based services are on that box, which could be bad.
Argh.. hit send too quickly. You can "play games" to have the users "exist"
(for services like email - Sendmail, etc.) on the Unix machine (i.e., they
still must have UIDs and such) without actually letting them login (so
home directories may not exist, or something).
For example - PAM-based systems can selectively use (or not) the remote
directory service (LDAP) on an application-by-application basis; things like
FTP and TELNET could be told to only use the local /etc/passwd files, whilst
POP daemons would use /etc/passwd files and a remote LDAP service (thus,
LDAP-only users could login to check mail, but couldn't FTP or TELNET into the
machine).
> There are ways to tighten this down, but it starts to get very complicated.
Depends on the solution (of course); the PAM example above is pretty simple.
Cheers..
dave
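An added example, not part of the thread, of the per-service split described above: a small Python audit that parses constructed /etc/pam.d fragments (ftp and telnet on pam_unix only, pop on pam_unix then pam_ldap) and reports which services' auth stacks consult LDAP at all. The module names pam_unix.so and pam_ldap.so are real; the sample configs and the helper names are assumptions, and the single-file /etc/pam.conf layout and include directives are not handled.

```python
import re

# Constructed sample /etc/pam.d files (not taken from any real host).
# ftp/telnet: local files only.  pop: local files first, then LDAP.
PAM_CONFIGS = {
    "ftp": "auth     required   pam_unix.so\n"
           "account  required   pam_unix.so\n",
    "telnet": "auth     required   pam_unix.so\n"
              "account  required   pam_unix.so\n",
    "pop": "auth     sufficient pam_unix.so\n"
           "auth     required   pam_ldap.so use_first_pass\n"
           "account  sufficient pam_unix.so\n"
           "account  required   pam_ldap.so\n",
}

# type, control (plain word or bracketed [success=ok ...] form), module, args
_LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam(text):
    """Parse a pam.d service file into (type, control, module, args) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"malformed PAM line: {line!r}")
        mtype, control, module, args = m.groups()
        entries.append((mtype.lower(), control.lower(), module, args.split()))
    return entries


def auth_sources(entries):
    """Backends consulted by the 'auth' stack, e.g. {'files', 'ldap'}."""
    sources = set()
    for mtype, _control, module, _args in entries:
        if mtype != "auth":
            continue
        if module.startswith("pam_unix"):
            sources.add("files")
        elif module.startswith("pam_ldap"):
            sources.add("ldap")
        else:
            sources.add(module)  # anything else is reported by module name
    return sources


def ldap_reachable_services(configs):
    """Services whose auth stack consults LDAP, i.e. where a directory-only
    user could log in; this is the list to review against intent."""
    return sorted(svc for svc, text in configs.items()
                  if "ldap" in auth_sources(parse_pam(text)))
```

Running `ldap_reachable_services(PAM_CONFIGS)` on the sample above returns only `["pop"]`, matching the intent that LDAP-only users can fetch mail but not FTP or TELNET in.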