On Wednesday 28 March 2007 11:45, Mike Erdely wrote:
> Joachim Schipper wrote:
> > On Tue, Mar 27, 2007 at 04:49:05PM -0400, Mike Erdely wrote:
> >> I'm trying to get login_ldap to work with cvs pserver (run out of
> >> inetd).
> >
> > I think you are misunderstanding some things, or doing something
> > that doesn't work; however, since I've never tried to set up a
> > pserver, you'd best check what I'm going to say next.
>
> I tried to give as much info as I could...
>
> > First, read login.conf(5), and note that just adding the above
> > isn't going to help any. You must define a new login class, at
> > least, and change master.passwd(5) to make sure the appropriate
> > user has your newly defined login class (the value of 'appropriate'
> > depends on whether or not the stuff below is correct...).
>
> I did read login.conf(5) and I must have missed something. But, I
> think you're not understanding how this stuff works:
> 1. I installed the login_ldap package.
> 2. I added a ldap section to login.conf
> 3. I configured my users to be part of the ldap class (using vipw).
>    Users have no local password set.
> 4. I tested using CVS over SSH and it works as expected.
> 5. I tried using pserver and cannot authenticate.
> 6. I set a local password that is different from my ldap password
>    (ssh still uses ldap. sudo still uses ldap).
> 7. I tried pserver and was able to authenticate with the local
>    password but not ldap's password.

I use login_ldap but don't have any experience with cvs pserver. Just
in case it has any relevance or triggers some other solution . . .

1) Are you using LDAPv2 or LDAPv3? If you are using v3, you may want
   to try v2.
2) What does /var/log/ldap.log say about authentication attempts?

Vijay

>
> I had previously had a similar problem with ftp until I made this
> change to login.conf:
> - auth-ftp-defaults:auth-ftp=password:
>
> + auth-ftp-defaults:auth-ftp=-ldap:
> > Then, you should have whatever daemon your users use to connect
> > with the usual BSD login mechanism (which might be called bsdauth,
> > or whatever). I don't believe GNU CVS does that, and OpenCVS
> > doesn't do authentication at all. Your best bet is probably setting
> > up ssh; sshd uses the BSD authentication routines by default.
>
> You would think that the daemon would use "the usual BSD login
> mechanism" but ftpd doesn't. And pserver running out of inetd
> doesn't either. I don't know if the fact that I'm using inetd for
> pserver has any bearing on this issue, but I thought giving all
> information would be helpful.
>
> I know my "best bet" is using ssh. I'd much rather use ssh. But you
> can't always do what you want. Some of my 50 developers are using
> COTS development tools that ONLY know pserver. They don't like it
> either, but it's required for the project they're working on. So,
> while pserver sucks, it's necessary in this case.
>
> > However, unless I am sorely mistaken, by this point, there's no
> > need to set up inetd and what you have is a CVS repository, but
> > *not* a pserver.
>
> What I've decided to do since I can't make this work ('cause I'm an
> idiot) and pserver is insecure and sucks, I'm going to set local
> passwords for users that require pserver that are different from
> their LDAP password. That way, their LDAP password won't go in the
> clear.
>
> Thanks for your input.
> -ME

--
Vijay Sankar
ForeTell Technologies Limited
59 Flamingo Avenue, Winnipeg, MB, Canada R3J 0X6
Phone: +1 (204) 885-9535, E-Mail: [EMAIL PROTECTED]