[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: LDAP/mail interaction

To: OpenLDAP-software@OpenLDAP.org
Subject: Re: LDAP/mail interaction
From: David J N Begley <david@avarice.nepean.uws.edu.au>
Date: Thu, 15 Jul 1999 20:59:55 +1000 (EST)
In-reply-to: <378CB426.75262EB4@aerotek.com>

On Wed, 14 Jul 1999, Jeff Clowser wrote:

> Second is that the side effect of this would be that users could also
> log into the machine, ftp to it, etc - they could use whatever other
> user based services are on that box, which could be bad.

Argh.. hit send too quickly.  You can "play games" to have the users "exist"
(for services like email - Sendmail, etc.) on the Unix machine (ie., they
still must have UIDs and such) without actually letting them login (so
home directories may not exist, or something).

For example - PAM-based systems can selectively use (or not) the remote
directory service (LDAP) on an application-by-application basis;  things like
FTP and TELNET could be told to only use the local /etc/passwd files, whilst
POP daemons would use /etc/passwd files and a remote LDAP service (thus,
LDAP-only users could login to check mail, but couldn't FTP or TELNET into the
machine).

> There are ways to tighten this down, but it starts to get very complicated.

Depends on the solution (of course);  the PAM example above is pretty simple.

Cheers..

dave

Follow-Ups:
- Re: LDAP/mail interaction
  - From: Jeff Clowser <jclowser@aerotek.com>
- Re: LDAP/mail interaction
  - From: Stuart Lynne <sl@fireplug.net>

References:
- Re: LDAP/mail interaction
  - From: Jeff Clowser <jclowser@aerotek.com>

Prev by Date: Re: LDAP/mail interaction
Next by Date: file descriptor setting
Index(es):
- Chronological
- Thread