From: "John Powell" <[EMAIL PROTECTED]>

> There are 2 approaches I can think of:
> 
> - Convert SME to authenticating off of the LDAP.  Lots of hacking
> necessary here, probably a dead-end, especially if Mitel is not on
> board with this as a base function of the product (and I would not
> particularly blame them).

This part might not be as hard as you think since everything based
on RedHat should already be using PAM authentication
(samba might be an exception) so a single change should accomplish
it.   Samba 2.2.2 includes code to use LDAP authentication and a
sample schema but I'm not sure how the samba account is supposed
to relate to the usual LDAP entries when it represents the same user.

> - Having SME remain /etc/passwd based, but duplicating the auth info
> in LDAP.  Much easier to do without major slashing and burning on SME,
> but still no walk in the park.  SME rebuilds the LDAP database on
> many, many events (such as a reboot), and passwords are not kept in
> the accounts db where they are super-simple to get at.  I guess I
> could pull them out of the shadow file.  Obviously keeping this
> super-secure is also a major priority, which is not as big an issue
> with just phone numbers, etc.

The LDAP server already has security concepts, but it would need to
maintain both the unix password and the samba versions.

> This is kind of a low/medium priority for me, more of a science
> experiment.  If anyone else is interested, I would be glad to help out
> with knowledge on how LDAP is currently maintained in SME, testing,
> etc.  Otherwise it is probably not going to be real soon that I will
> get around to it.

I think Ganymede has the right idea in storing a 'master' database unrelated
to any individual machine/OS and using scripts to push out updates to
the real systems, but that is overkill for one or two machines and the
database could be in LDAP instead of the home-grown version used
in Ganymede.  Maybe the scripts used in Ganymede could be adapted
to push changes from one SME server to others.  The LDAP update
claims to be incremental and thus more efficient than a complete rebuild
for each change.

    Les Mikesell
       [EMAIL PROTECTED]
--
Please report bugs to [EMAIL PROTECTED]
Please mail [EMAIL PROTECTED] (only) to discuss security issues
Support for registered customers and partners to [EMAIL PROTECTED]
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Archives by mail and http://www.mail-archive.com/devinfo%40lists.e-smith.org