* [gentoo-server] LDAP authentication in pieces
From: Andrew D. Fant @ 2006-09-05 15:35 UTC
To: gentoo-server
Morning all,
We have an enterprise LDAP directory hosted on SunONE Directory Services. For
various historical reasons, my Gentoo servers are not set up to get user
information from this directory, but the usernames and uids are synchronized
between the two environments (actually, we treat the directory as definitive and
just copy values to the local files when accounts are needed, but that's not
really important right now). I have just been given a mandate that people
should be using the same passwords on these servers as they have in the
enterprise directory. I am not in a position to move the entire environment
completely over to LDAP, as there is no mechanism to limit access to these
servers (these systems are restricted access and not open to the entire
enterprise), and the shell, group, and home directory information is divergent
from the enterprise and cannot be converted on short notice.
I know that there is an NIS emulation mode for ldap, but is there a more elegant
way to have a local password file, where logins are checked first against the
directory, and if there is no ldap entry for the user, falling back to the local
files?
Thanks,
Andy
--
Andrew Fant | The lion and the calf shall lie | Disclaimer:
andrew.fant@tufts.edu | down together, but the calf won't | Do you REALLY
TCCS/USG | get much sleep. | think I can
Tufts University | W. Allen | speak for Tufts?
--
gentoo-server@gentoo.org mailing list
* Re: [gentoo-server] LDAP authentication in pieces
From: Nicolas MASSÉ @ 2006-09-05 15:51 UTC
To: gentoo-server
On Tuesday 05 September 2006 17:35, Andrew D. Fant wrote:
> I know that there is an NIS emulation mode for ldap, but is there a more
> elegant way to have a local password file, where logins are checked first
> against the directory, and if there is no ldap entry for the user, falling
> back to the local files?
In /etc/nsswitch.conf, you can have an entry like this:
passwd: ldap files
shadow: ldap files
group: ldap files
And for the accounts, in the configuration of PAM, you can have:
auth sufficient pam_ldap.so
auth sufficient pam_unix.so likeauth nullok use_first_pass
This should do what you want...
I hope it will help you!
--
Nicolas MASSÉ
To retrieve my GPG key:
gpg --keyserver wwwkeys.eu.pgp.net --recv-keys 0x2A18C433
Key fingerprint: 6621 FC23 5DC7 54BA B952 316A 50B1 BC3F 2A18 C433
* Re: [gentoo-server] LDAP authentication in pieces
From: Andrew D. Fant @ 2006-09-05 16:17 UTC
To: gentoo-server
rdmurray@bitdance.com wrote:
> On Tue, 5 Sep 2006 at 17:51, Nicolas MASSÉ wrote:
>> On Tuesday 05 September 2006 17:35, Andrew D. Fant wrote:
>>> I know that there is an NIS emulation mode for ldap, but is there a more
>>> elegant way to have a local password file, where logins are checked
>>> first
>>> against the directory, and if there is no ldap entry for the user,
>>> falling
>>> back to the local files?
>>
>> In /etc/nsswitch.conf, you can have an entry like this :
>>
>> passwd: ldap files
>> shadow: ldap files
>> group: ldap files
>
> I don't know much about this, but given Andrew's constraints and what
> the nsswitch.conf man page says I'd think he just wants:
>
> shadow: ldap files
>
> without the other two, since he said that he doesn't want everyone
> in the enterprise to have access to the gentoo boxes, and that the
> group structure is different.
>
Thanks to both of you for the quick response, I'll give these a try soon and see
how they go. By the end of the week, I'll try for a follow up to let everyone
know how it went.
Thanks again
--
Andrew Fant | The lion and the calf shall lie | Disclaimer:
andrew.fant@tufts.edu | down together, but the calf won't | Do you REALLY
TCCS/USG | get much sleep. | think I can
Tufts University | W. Allen | speak for Tufts?
* Re: [gentoo-server] LDAP authentication in pieces
From: rdmurray @ 2006-09-05 17:06 UTC
To: gentoo-server
On Tue, 5 Sep 2006 at 17:51, Nicolas MASSÉ wrote:
> On Tuesday 05 September 2006 17:35, Andrew D. Fant wrote:
>> I know that there is an NIS emulation mode for ldap, but is there a more
>> elegant way to have a local password file, where logins are checked first
>> against the directory, and if there is no ldap entry for the user, falling
>> back to the local files?
>
> In /etc/nsswitch.conf, you can have an entry like this :
>
> passwd: ldap files
> shadow: ldap files
> group: ldap files
I don't know much about this, but given Andrew's constraints and what
the nsswitch.conf man page says I'd think he just wants:
shadow: ldap files
without the other two, since he said that he doesn't want everyone
in the enterprise to have access to the gentoo boxes, and that the
group structure is different.
--David
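The two replies above turn on how the nsswitch.conf source order and the PAM `sufficient` stack interact: Nicolas's config resolves accounts from the directory first, while rdmurray's narrowing keeps the passwd database on local files so that directory-only accounts never resolve on the box. The following simulation is an added example and not code from the thread or from any PAM or glibc source; the directory, the local files and every password in it are constructed in-memory stand-ins, and the control-flag semantics are simplified (no `[value=action]` syntax, no NSS `[NOTFOUND=return]` actions).

```python
# Added example (not from the thread): simulate the nsswitch.conf lookup
# order and the 'auth sufficient pam_ldap.so / pam_unix.so' stack to show
# which users can log in under each passwd source order. Everything below
# is a constructed stand-in, not a real LDAP server, /etc/passwd or /etc/shadow.

# Constructed sample data: what the enterprise directory knows, what the
# local files know, and the password each source would accept.
LDAP_PASSWD = {"alice": 1001, "bob": 1002}          # everyone in the enterprise
LDAP_SECRETS = {"alice": "dir-pw", "bob": "dir-pw2"}
LOCAL_PASSWD = {"alice": 1001, "carol": 1003}       # the restricted-access box
LOCAL_SECRETS = {"alice": "stale-local-pw", "carol": "carol-pw"}


def nss_lookup(passwd_order, user):
    """Mimic glibc NSS for the passwd database: consult the sources named in
    nsswitch.conf left to right and return (source, uid) for the first hit,
    or (None, None) if no source knows the user."""
    sources = {"ldap": LDAP_PASSWD, "files": LOCAL_PASSWD}
    for source in passwd_order.split():
        uid = sources[source].get(user)
        if uid is not None:
            return source, uid
    return None, None


def pam_authenticate(stack, user, password):
    """Walk an 'auth' stack of (control, module) pairs with simplified
    pam.conf semantics:
      sufficient - success ends the stack with PAM_SUCCESS unless an earlier
                   'required' module failed; failure is ignored and we go on
      required   - failure is remembered, the stack still runs to the end
      requisite  - failure ends the stack immediately
    Module verdicts are simulated against the constructed secret tables;
    use_first_pass means pam_unix sees the same password pam_ldap saw.
    Returns (ok, deciding_module)."""
    modules = {
        "pam_ldap.so": lambda u, p: LDAP_SECRETS.get(u) == p,
        "pam_unix.so": lambda u, p: LOCAL_SECRETS.get(u) == p,
    }
    required_failed = False
    for control, module in stack:
        ok = modules[module](user, password)
        if control == "sufficient" and ok and not required_failed:
            return True, module
        if control == "requisite" and not ok:
            return False, module
        if control == "required" and not ok:
            required_failed = True
    # No sufficient module succeeded (or a required one failed): deny.
    return False, None


# The stack from Nicolas's reply, written as (control, module) pairs.
AUTH_STACK = [("sufficient", "pam_ldap.so"), ("sufficient", "pam_unix.so")]


def login(passwd_order, user, password):
    """Approximate what login/sshd do: the account must resolve through NSS
    before PAM runs, then the auth stack decides.
    Returns ("ok", module), ("denied", None) or ("unknown", None)."""
    source, _ = nss_lookup(passwd_order, user)
    if source is None:
        return "unknown", None
    ok, module = pam_authenticate(AUTH_STACK, user, password)
    return ("ok", module) if ok else ("denied", None)


if __name__ == "__main__":
    for order in ("ldap files", "files"):
        print(f"passwd: {order}")
        for user, pw in (("bob", "dir-pw2"), ("alice", "dir-pw"),
                         ("alice", "stale-local-pw"), ("carol", "carol-pw")):
            print(f"  {user:6} {pw:15} -> {login(order, user, pw)}")
```

Running it shows the two points the replies make. With `passwd: ldap files`, the directory-only user bob resolves and logs in with his directory password, which is the "everyone in the enterprise" exposure rdmurray describes; with `passwd: files` he is unknown before PAM is ever consulted, while alice (present in both) still authenticates against the directory through pam_ldap. It also surfaces a caveat worth checking on a real box: because pam_unix is a `sufficient` fallback, alice's old local hash remains a valid credential, so a mandate that directory passwords are the only accepted ones also requires locking or expiring the local hashes of directory-backed accounts.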