Hi, thanks for the replies.

I apologize beforehand -- the threading on this topic will be messed up
because I'm composing a new message, since I'm only subscribed to the
digest version of the list.

On Thu, 2005-07-21, Benjamin Smee wrote:

> On Wed, 2005-07-20 at 00:31 -0700, Bill Johnstone wrote:

> Well by putting your accounts into LDAP you really should be using
> LDAP management tools to manage it. 

Well, LDAP-aware ones, anyway.  An LDAP-aware adduser type program for
example, which would prompt for the password associated with whatever
dn the admin was trying to connect with.

However, users should be able to do things like chsh and passwd without
any knowledge of LDAP.  And in fact, with pam_ldap, they can at least
change their own passwords using plain ol' "passwd" from the shadow
suite.

>> I've noticed that typical programs such as chsh or chfn have PAM
>> config files -- can PAM tricks be used to make them work with the
>> fields accessible via nss_ldap?

> They can be but personally I would recommend against it. The reason
> for this is that in order to do so you have to setup a user that can
> write to any of your users attributes (ie in effect a root style user)
> and store that password in a file on the system. The security
> implications of that bother me so personally I don't empower the old
> style unix command line tools to do things like write back to the DIT
> in that fashion.

I don't see why this needs to be the case.  Sure, you need a rootdn to
initially populate the directory, but after that, it's easy to use ACLs
to give each user write capability to his own user attributes, such as
"loginShell".  Moreover, it is possible to add a specific user to the
directory who has write access to the subtree under the ou (via
ACLs again), and have that password stored within the directory db,
just like all the other users have their passwords stored.  This
eliminates the need to have a "rootpw" stored within the slapd.conf,
and due to the ACLs, makes it easier to restrict the ability of the
administrative user and keep him from damaging the whole directory.

>> Also, there do seem to be packages listed in the database, such as
>> "cpu" and "diradm" that augment or replace the standard shadow suite
>> to deal with the data via LDAP.  However, none of these are marked as
>> available on amd64.  Why is that, and is there any way I can request
>> or help with the packages being made available and tested on amd64?

> They are all LDAP management tools NOT replacements for unix commands.

They are LDAP-aware replacements for the unix commands from the shadow
suite, or can be treated as such.  pwdutils is another such LDAP-aware
shadow suite replacement, which actually replaces commands such as
"passwd" and "chsh", though its documentation leaves something to be
desired.  There is no ebuild at all for pwdutils, though.

> As to why they are not available on amd64 can't help there sorry.

Is there an individual or dev group within gentoo that I should try to
contact?  robbat2 <at> gentoo . org seems to be involved with both the
openldap ebuild, as well as diradm ...

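A slapd.conf access-control fragment implementing the delegation scheme described in the message above (per-user write to his own loginShell and password, one delegated admin entry whose password lives in the DIT, no rootpw line). This is an added example, not configuration from the thread; the suffix dc=example,dc=com, the ou=People container and the cn=ldapadmin entry are assumed names.

```conf
# Added example, not from the thread.  Assumed layout:
#   suffix       dc=example,dc=com
#   user entries ou=People,dc=example,dc=com
#   admin entry  cn=ldapadmin,ou=People,dc=example,dc=com  (an ordinary
#                entry whose userPassword is stored in the DIT, so no
#                "rootpw" directive is needed in slapd.conf)
#
# slapd evaluates "access to" clauses in order and stops at the first
# whose target matches; within a clause the first matching "by" wins.

# Passwords: the owner and the delegated admin may set one; everyone
# else may only bind against it (needed for pam_ldap authentication).
access to dn.subtree="ou=People,dc=example,dc=com" attrs=userPassword
        by dn.exact="cn=ldapadmin,ou=People,dc=example,dc=com" write
        by self write
        by anonymous auth
        by * none

# Self-service chsh/chfn: the owner may write his own loginShell and
# gecos; the admin may as well; everyone else gets read so nss_ldap
# can still resolve accounts.
access to dn.subtree="ou=People,dc=example,dc=com" attrs=loginShell,gecos
        by dn.exact="cn=ldapadmin,ou=People,dc=example,dc=com" write
        by self write
        by * read

# Everything else under ou=People (uidNumber, homeDirectory, adding or
# deleting entries): only the delegated admin writes.  "self" is
# deliberately absent here, so a user cannot change his own uidNumber.
access to dn.subtree="ou=People,dc=example,dc=com"
        by dn.exact="cn=ldapadmin,ou=People,dc=example,dc=com" write
        by * read

# The rest of the tree is outside the admin's reach: ldapadmin can
# damage ou=People, but nothing above or beside it.
access to *
        by * read
```

The ordering matters: if the last clause came first, it would match every entry and the attribute-specific rules below it would never be consulted.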