On Wednesday 28 March 2007 11:45, Mike Erdely wrote:
> Joachim Schipper wrote:
> > On Tue, Mar 27, 2007 at 04:49:05PM -0400, Mike Erdely wrote:
> >> I'm trying to get login_ldap to work with cvs pserver (run out of
> >> inetd).
> >
> > I think you are misunderstanding some things, or doing something
> > that doesn't work; however, since I've never tried to set up a
> > pserver, you'd best check what I'm going to say next.
>
> I tried to give as much info as I could...
>
> > First, read login.conf(5), and note that just adding the above
> > isn't going to help any. You must define a new login class, at
> > least, and change master.passwd(5) to make sure the appropriate
> > user has your newly defined login class (the value of 'appropriate'
> > depends on whether or not the stuff below is correct...).
>
> I did read login.conf(5) and I must have missed something.  But, I
> think you're not understanding how this stuff works:
> 1. I installed the login_ldap package.
> 2. I added a ldap section to login.conf
> 3. I configured my users to be part of the ldap class (using vipw).
> Users have no local password set.
> 4. I tested using CVS over SSH and it works as expected.
> 5. I tried using pserver and cannot authenticate.
> 6. I set a local password that is different from my ldap password
> (ssh still uses ldap.  sudo still uses ldap).
> 7. I tried pserver and was able to authenticate with the local
> password but not ldap's password.

I use login_ldap but don't have any experience with cvs pserver. Just in 
case it has any relevance or triggers some other solution . . .

1) Are you using LDAPv2 or LDAPv3? If you are using v3, you may want to 
try v2.

2) What does /var/log/ldap.log say about authentication attempts?

Vijay

>
> I had previously had a similar problem with ftp until I made this
> change to login.conf:
> - auth-ftp-defaults:auth-ftp=password:
>
> + auth-ftp-defaults:auth-ftp=-ldap:
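
Review bot: the `+` line replaces the style list on the shared auth-ftp-defaults entry rather than on the ldap class alone, so every class that pulls in that entry loses password authentication for ftp, and accounts that exist only locally can no longer log in over ftp. Consider setting auth-ftp=-ldap inside the ldap class only, or listing both styles (auth-ftp=-ldap,password) if local accounts still need ftp. Note also that ftp carries the LDAP password in the clear, the same exposure the message goes on to avoid for pserver.
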
> > Then, you should have whatever daemon your users use to connect
> > with the usual BSD login mechanism (which might be called bsdauth,
> > or whatever). I don't believe GNU CVS does that, and OpenCVS
> > doesn't do authentication at all. Your best bet is probably setting
> > up ssh; sshd uses the BSD authentication routines by default.
>
> You would think that the daemon would use "the usual BSD login
> mechanism" but ftpd doesn't.  And pserver running out of inetd
> doesn't either.  I don't know if the fact that I'm using inetd for
> pserver has any bearing on this issue, but I thought giving all
> information would be helpful.
>
> I know my "best bet" is using ssh.  I'd much rather use ssh.  But you
> can't always do what you want.  Some of my 50 developers are using
> COTS development tools that ONLY know pserver.  They don't like it
> either, but it's required for the project they're working on.  So,
> while pserver sucks, it's necessary in this case.
>
> > However, unless I am sorely mistaken, by this point, there's no
> > need to set up inetd and what you have is a CVS repository, but
> > *not* a pserver.
>
> What I've decided to do since I can't make this work ('cause I'm an
> idiot) and pserver is insecure and sucks, I'm going to set local
> passwords for users that require pserver that are different from
> their LDAP password.  That way, their LDAP password won't go in the
> clear.
>
> Thanks for your input.
> -ME

-- 
Vijay Sankar
ForeTell Technologies Limited
59 Flamingo Avenue, Winnipeg, MB, Canada R3J 0X6
Phone: +1 (204) 885-9535, E-Mail: [EMAIL PROTECTED]