OpenBSD Journal

login_ldap - Ready for primetime?

Contributed by jose on from the ldap-authentication dept.

Bards writes:
"Given that LDAP is becoming the 'de facto' standard for many things, including authentication, does anyone know if there are any plans for the inclusion of login_ldap (or equivalent) in a future release of our favourite OS?"
Actually, as of two weeks ago there is a port of login_ldap which works with the BSD auth system. While not quite ready for "prime time" in the base system, it's easy to incorporate it now with a port. Any initial reports of how well this works?



Comments
  1. By Anonymous Coward () on

    it requires openldap.

    Comments
    1. By Anonymous Coward () on

      http://fefe.de/tinyldap/ would be nice. Help finish it, so we can stop using BloatLDAP.

      Comments
      1. By Anonymous Coward () on

        It only works on Linux, and the author is not thinking of supporting it on OpenBSD. He doesn't like OpenBSD. So you're on your own...

        Comments
        1. By Anonymous Coward () on

          FUD. It's developed on Linux. It will work everywhere.

          Comments
          1. By Anonymous Coward () on

            nope

      2. By Brad () brad@comstyle.com on mailto:brad@comstyle.com

        This is useless, we need a client library implementation NOT a server implementation.

        Comments
        1. By Anonymous Coward () on

          FUD. TinyLDAP is both.

  2. By Dave Terrell () dbt@meat.net on mailto:dbt@meat.net

    ... without extensions to getpw* to return user and group ids out of ldap (nsswitch.conf style).

    Comments
      1. By Anonymous Coward () on

        NSS WOULD SUCK. It's a Nightmare no better than PAM.

        A sound alternative to NSS would be nice though.

        Comments
        1. By Jedi/Sector One () j@pureftpd.org on http://www.pureftpd.org/

          In 2 minutes with NSS, I can have *all* my existing applications use any user database, including a Windows PDC, an LDAP directory, an SQL database or even a custom backend.

          No need to recompile/reinstall/reconfigure anything.

          How is it a nightmare?

          PAM is a nightmare (because it only authenticates, it doesn't fetch users/groups/hosts).
          But NSS is definitely something great.
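The split this post and Dave Terrell's earlier one are arguing about (NSS answers "who is this user and what uid/gid does he have", authentication only answers "is this password right") is easier to see in code. The following is an added example written for this page, not code from login_ldap, nss_ldap, or any libc: a toy nsswitch.conf-style resolver that dispatches getpwnam() across an ordered list of sources, with a "files" backend that parses /etc/passwd-format lines and an "ldap" backend stubbed by a constructed in-memory dictionary of posixAccount-like attributes. The credential store, the salt, and every user and uid in it are constructed sample data.

```python
"""Added example (not part of the original thread): a toy nsswitch-style
getpwnam() dispatcher beside a separate authenticator, to show why an
authentication-only hook (PAM-style, or a bare login_ldap) still needs a
lookup path that returns uid/gid before a user can actually log in."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


# Constructed sample /etc/passwd-format lines standing in for the "files" source.
SAMPLE_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/ksh
alice:*:1000:1000:Alice Example:/home/alice:/bin/ksh
"""

# Constructed sample directory, modelled on posixAccount attribute names.
SAMPLE_DIRECTORY = {
    "bob": {"uidNumber": 2001, "gidNumber": 2001, "cn": "Bob Example",
            "homeDirectory": "/home/bob", "loginShell": "/bin/sh"},
}

# Constructed nsswitch.conf fragment: consult local files first, then the directory.
SAMPLE_NSSWITCH = "passwd: files ldap   # lookup order\ngroup: files ldap\n"


def files_getpwnam(name: str) -> Optional[PasswdEntry]:
    """Parse passwd(5)-style lines; skip comments and malformed records."""
    for line in SAMPLE_PASSWD.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7:
            continue
        if f[0] == name:
            return PasswdEntry(f[0], int(f[2]), int(f[3]), f[4], f[5], f[6])
    return None


def ldap_getpwnam(name: str) -> Optional[PasswdEntry]:
    """Stub for a directory lookup: map posixAccount attributes to a passwd entry."""
    e = SAMPLE_DIRECTORY.get(name)
    if e is None:
        return None
    return PasswdEntry(name, e["uidNumber"], e["gidNumber"], e["cn"],
                       e["homeDirectory"], e["loginShell"])


BACKENDS: Dict[str, Callable[[str], Optional[PasswdEntry]]] = {
    "files": files_getpwnam,
    "ldap": ldap_getpwnam,
}


def parse_nsswitch(text: str) -> Dict[str, List[str]]:
    """Return {database: [source, ...]} from nsswitch.conf-style text."""
    db: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, sources = line.partition(":")
        db[key.strip()] = sources.split()
    return db


def getpwnam(name: str, nsswitch: str = SAMPLE_NSSWITCH) -> Optional[PasswdEntry]:
    """Try each configured passwd source in order; first hit wins."""
    for source in parse_nsswitch(nsswitch).get("passwd", ["files"]):
        backend = BACKENDS.get(source)
        if backend is None:
            continue  # unknown source: skipped, like a missing NSS module
        entry = backend(name)
        if entry is not None:
            return entry
    return None


# Authentication lives elsewhere: constructed salted PBKDF2 hashes, one per user.
SAMPLE_SALT = b"constructed-salt"


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


SAMPLE_CREDENTIALS = {
    "bob": _hash("correct horse", SAMPLE_SALT),
    "carol": _hash("letmein", SAMPLE_SALT),  # has a password but no passwd entry anywhere
}


def authenticate(name: str, password: str) -> bool:
    """Password check only; knows nothing about uids, homes or shells."""
    stored = SAMPLE_CREDENTIALS.get(name)
    if stored is None:
        return False
    return hmac.compare_digest(stored, _hash(password, SAMPLE_SALT))


def login(name: str, password: str) -> Optional[PasswdEntry]:
    """A login needs both: a correct password AND an entry giving uid/gid."""
    if not authenticate(name, password):
        return None
    return getpwnam(name)
```

Running login("carol", "letmein") returns None even though authenticate() succeeds, which is exactly the situation an authentication-only LDAP hook leaves you in: the password is right, but nothing can say which uid the session should run as. Dropping "ldap" from the passwd line makes getpwnam("bob") return None, showing that the directory is consulted only through the lookup order.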

          Comments
          1. By Anonymous Coward () on

            The problem I see with NSS is it's a very big commitment for an OS to make, and it's not clear that it's the 'best' solution.

            What would be good is some way to use the existing YP stuff to provide generic name-based resolutions as an extension/brother of BSD auth. I had a brief look the other day at this, but I don't think it's possible without turning into some ungodly hack.

            Comments
            1. By Peter Werner () on

              Oh, and just 'cause it may be of interest: the company I was working for when I wrote login_ldap basically wanted all its Unix machines to be able to auth off an LDAP server, which meant OpenBSD wasn't an option. It was mainly written so an organisation that uses LDAP everywhere else for authentication can still use OpenBSD on firewalls/whatever and the admins can still log in.

              After looking at it, I'm lukewarm at best towards NSS; I just think LDAP is pretty neat.

            2. By DeadManMoving () sequel@neofreak.org on www.neofreak.org

              Have a look at this:
              http://www.radux.com/ypAnything/

          2. By Anonymous Coward () on

            Because it's not much less complex and ugly than PAM.

        2. By ikbenjarig () on

          Your arguments for your statements suck. You merely make statements, but don't even take the time to 'prove' or 'support' them. I'd say: post arguments and contribute to the subject or just read and stfu.

    2. By gk () on

      http://www.padl.com/OSS/nss_ldap.html

      Supposed to have been working on fbsd.

      Comments
      1. By Anonymous Coward () on

        FreeBSD uses PAM, not BSD_auth.

        Comments
        1. By Jedi/Sector One () j@pureftpd.org on http://www.pureftpd.org/

          NSS is not PAM, don't mess everything.

          But yes, padl.org has both a PAM-LDAP handler and an NSS-LDAP handler.

      2. By Anonymous Coward () on

        You still need the OS to support NSS (i.e. in the libraries).

    3. By CPU () anon@none.com on http://cpu.sf.net

      There is an application called CPU that I use for dealing with users and groups on an ldap backend. It runs on OpenBSD, and allows you to display users and groups in an /etc/group|/etc/passwd style format. Wouldn't it be easy enough to use a named pipe? This isn't exactly rocket science.

  3. By robert lessard () on

    LDAP would provide a means of authentication. I'm not sure it would be any better than Heimdal when it gets working better.

    On the other hand, and please help me out if I am wrong, but authorizations are no different. So, with that said, it seems to me that local file security issues are still there and replication of password files is still required for resource access.

    LDAP makes replication easier with its master/slave and logging capabilities, but it seems that our scalability is limited in a heterogeneous environment by ACL support.

    Comments
    1. By Anonymous Coward () on

      Is it not possible for LDAP to maintain user/group data with Kerberos as authentication/encryption support? Why would this not scale?

      Comments
      1. By robert lessard () on

        Read my post again: I am talking about authorization, not authentication. Whether you use Kerberos, LDAP, or whatever you want, ACLs cannot be put in place that authorize access to files across a heterogeneous (including SMB shares) network without a local account and password file. Otherwise, OBSD would have no Samba PAM/NSS issues to worry about.

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]