
Re: LDAP, part 2
Jeff Licquia wrote:
> 
> On Mon, May 29, 2000 at 12:02:47PM -0500, John Corey wrote:
> 
> > After someone mentioned LDAP a couple weeks ago, I finally decided to
> > also look at it.  Now, I've migrated the passwd file into my ldap server
> > and modified a couple /etc/pam.d/ files to use it on login (from the
> > example ones pam_ldap came with).  I then set it up with some differing
> > parameters between /etc/passwd and my user record in the ldap server.
> >
> > It does verify my password on login just fine, so I had my hopes up.
> > But once I log in, I am using my shell from /etc/passwd instead of
> > ldap's loginshell attribute.
> 
> First off, remember that you have to configure glibc's nsswitch
> stuff.  Install the libnss-ldap module, and configure
> /etc/nsswitch.conf to use it.  (On Debian: "apt-get install
> libnss-ldap", then edit /etc/nsswitch.conf and /etc/libnss-ldap.conf
> to taste.)

Yup, I've got that.  It was the last piece I needed to get the password
authentication working.

> > Also, there was talk about the passwd command.  As I understand it, when
> > properly set up, the pam module does the work of changing passwords.  So
> > when you tell /etc/pam.d/passwd to use the pam_ldap (or other) module,
> > that should change the password on the right service.  So one passwd
> > command can handle any number of authentication schemes.  Of course,
> > actually doing it isn't so simple.  :)  The ldappasswd command will
> > change it on the server, but not sync it with /etc/passwd.
> 
> The one thing you want to make sure of is that you're getting the
> hashing algorithm you want.  If you're not careful, you could end up
> with old-style crypt or (horrors!) plaintext passwords in LDAP.  You
> probably would rather have (s)md5 or (s)sha hashing systems.  (The "s"
> signifies "salted"; i.e. a salt value is mixed in with the password,
> just like crypt does.)
> 

With this the passwords are working A-OK.  They're using the md5 style
crypt, and I can log on fine with the password on my ldap server.  The
trouble I've run into is the peripheral settings, home dir, shell, etc.
seem to be ignored from the ldap server and pulled from the
old-fashioned /etc/passwd.  You'd think if it got the password from
there, it'd come up with the other things. :)
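As an added example (not code from the thread), a small Python check for the two points raised above: which NSS source answers a passwd lookup for a given user under the order in /etc/nsswitch.conf, and which hashing scheme each LDAP userPassword value carries. The nsswitch fragment, the local passwd line, the LDAP records and the password values are constructed samples, and the scheme labels follow the usual {SSHA}/{SMD5}/{CRYPT}/{MD5}/{SHA} prefixes.

```python
"""Checks for the pam_ldap + libnss-ldap setup discussed in the thread
(example code, not from the thread)."""
import re

# Constructed samples; user names, shells and password values are invented.
NSSWITCH = """\
passwd:         files ldap
group:          files ldap
shadow:         files ldap
hosts:          files dns
"""
LOCAL_PASSWD = "jcorey:x:1000:1000:John:/home/jcorey:/bin/bash\n"
LDAP_USERS = {"jcorey": {"loginShell": "/bin/zsh", "homeDirectory": "/home/jcorey"}}
USER_PASSWORDS = {
    "alice": "{SSHA}c2FsdGVkaGFzaHZhbHVl",   # salted SHA
    "bob": "{CRYPT}ab12cd34ef56gh78",        # old-style crypt
    "carol": "secret",                       # no scheme prefix: plaintext
}

def parse_nsswitch(text):
    """Map each database to its ordered source list, dropping [action] clauses."""
    order = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, sources = line.split(":", 1)
        order[db.strip()] = [s for s in sources.split() if not s.startswith("[")]
    return order

def passwd_source(user, order, local_passwd, ldap_users):
    """Return the first source in nsswitch order that knows the user, or None.
    glibc stops at the first source returning an entry, so with 'files ldap'
    a local /etc/passwd line shadows the LDAP record (shell, home dir, ...)
    even though PAM verified the password against LDAP."""
    local = {l.split(":")[0] for l in local_passwd.splitlines() if l}
    for src in order.get("passwd", ["files"]):
        if src == "files" and user in local:
            return "files"
        if src == "ldap" and user in ldap_users:
            return "ldap"
    return None

def hash_scheme(value):
    """Classify a userPassword value: plaintext, crypt, salted, unsalted or unknown."""
    m = re.match(r"\{([A-Za-z0-9]+)\}", value)
    if not m:
        return "plaintext"
    scheme = m.group(1).upper()
    if scheme == "CRYPT":
        return "crypt"
    return {"SSHA": "salted", "SMD5": "salted",
            "SHA": "unsalted", "MD5": "unsalted"}.get(scheme, "unknown")
```

Running `passwd_source` for a user that exists both locally and in LDAP shows which entry a login will actually pick up, and `hash_scheme` over an LDIF export flags entries stored without a salt or without any hashing at all.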

--
To unsubscribe, send email to majordomo@luci.org with
"unsubscribe luci-discuss" in the body.