Joachim Schipper wrote:
> On Tue, Mar 27, 2007 at 04:49:05PM -0400, Mike Erdely wrote:
> > I'm trying to get login_ldap to work with cvs pserver (run out of inetd).
> I think you are misunderstanding some things, or doing something that
> doesn't work; however, since I've never tried to set up a pserver, you'd
> best check what I'm going to say next.
I tried to give as much info as I could...
> First, read login.conf(5), and note that just adding the above isn't
> going to help any. You must define a new login class, at least, and
> change master.passwd(5) to make sure the appropriate user has your newly
> defined login class (the value of 'appropriate' depends on whether or
> not the stuff below is correct...).
I did read login.conf(5) and I must have missed something. But, I think
you're not understanding how this stuff works:
1. I installed the login_ldap package.
2. I added a ldap section to login.conf
3. I configured my users to be part of the ldap class (using vipw).
Users have no local password set.
4. I tested using CVS over SSH and it works as expected.
5. I tried using pserver and cannot authenticate.
6. I set a local password that is different from my ldap password (ssh
still uses ldap. sudo still uses ldap).
7. I tried pserver and was able to authenticate with the local password
but not ldap's password.
I had previously had a similar problem with ftp until I made this change
to login.conf:
- auth-ftp-defaults:auth-ftp=password:
+ auth-ftp-defaults:auth-ftp=-ldap:
> Then, you should have whatever daemon your users use to connect with the
> usual BSD login mechanism (which might be called bsdauth, or whatever).
> I don't believe GNU CVS does that, and OpenCVS doesn't do authentication
> at all. Your best bet is probably setting up ssh; sshd uses the BSD
> authentication routines by default.
You would think that the daemon would use "the usual BSD login
mechanism" but ftpd doesn't. And pserver running out of inetd doesn't
either. I don't know if the fact that I'm using inetd for pserver has
any bearing on this issue, but I thought giving all information would be
helpful.
I know my "best bet" is using ssh. I'd much rather use ssh. But you
can't always do what you want. Some of my 50 developers are using COTS
development tools that ONLY know pserver. They don't like it either,
but it's required for the project they're working on. So, while pserver
sucks, it's necessary in this case.
> However, unless I am sorely mistaken, by this point, there's no need to
> set up inetd and what you have is a CVS repository, but *not* a pserver.
What I've decided to do, since I can't make this work ('cause I'm an
idiot) and pserver is insecure and sucks, is to set local passwords for
users that require pserver that are different from their LDAP password.
That way, their LDAP password won't go in the clear.
Thanks for your input.
-ME
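As an added illustration, not something posted in the thread: the login.conf(5) fragment that steps 2 and 3 and the auth-ftp change above amount to, with the ldap class's auth style overridden for ftp as well. The server name, base DN, filter and user line are placeholders, and the x-ldap-* capability names follow login_ldap's own documentation (check the README shipped with your version); the fragment only affects services that call the BSD auth routines, so it changes nothing for a pserver started from inetd.

```conf
# Added example login.conf(5) fragment (not from the thread).
# Site-specific values below are placeholders.

# ldap class: members authenticate through login_ldap(8) instead of
# the local master.passwd hash.  'auth=-ldap' is the style selection
# login_ldap documents; 'auth-ftp=-ldap' overrides the ftp-specific
# style for this class only, where the thread's -/+ change edited the
# global auth-ftp-defaults entry instead.
ldap:\
	:auth=-ldap:\
	:auth-ftp=-ldap:\
	:x-ldap-server=ldap.example.com:\
	:x-ldap-basedn=ou=People,dc=example,dc=com:\
	:x-ldap-filter=(&(objectclass=posixAccount)(uid=%u)):\
	:tc=default:

# Matching master.passwd(5) entry (set with vipw): the class field is
# the fifth field and the password field holds '*', i.e. no local hash,
# so ssh, sudo and ftpd all end up in login_ldap.  Constructed example.
#   mike:*:1001:1001:ldap:0:0:Mike Example:/home/mike:/bin/ksh
#
# For a user who must also use pserver, the thread's workaround is to
# put a *different* local hash in that second field: pserver checks the
# local hash, so the LDAP password never crosses the wire in the clear.
```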