On Wed, Mar 28, 2007 at 12:45:04PM -0400, Mike Erdely wrote:
> Joachim Schipper wrote:
> >On Tue, Mar 27, 2007 at 04:49:05PM -0400, Mike Erdely wrote:
> >>I'm trying to get login_ldap to work with cvs pserver (run out of inetd).
> >I think you are misunderstanding some things, or doing something that
> >doesn't work; however, since I've never tried to set up a pserver, you'd
> >best check what I'm going to say next.
> 
> I tried to give as much info as I could...
> 
> >First, read login.conf(5), and note that just adding the above isn't
> >going to help any. You must define a new login class, at least, and
> >change master.passwd(5) to make sure the appropriate user has your newly
> >defined login class (the value of 'appropriate' depends on whether or
> >not the stuff below is correct...).
> 
> I did read login.conf(5) and I must have missed something. But, I think
> you're not understanding how this stuff works:
Quite possibly, hence the above caveat.

> 1. I installed the login_ldap package.
> 2. I added an ldap section to login.conf.
> 3. I configured my users to be part of the ldap class (using vipw).
>    Users have no local password set.
> 4. I tested using CVS over SSH and it works as expected.
> 5. I tried using pserver and cannot authenticate.
> 6. I set a local password that is different from my ldap password (ssh
>    still uses ldap. sudo still uses ldap).
> 7. I tried pserver and was able to authenticate with the local password
>    but not ldap's password.
> 
> I had previously had a similar problem with ftp until I made this change
> to login.conf:
> - auth-ftp-defaults:auth-ftp=password:
> + auth-ftp-defaults:auth-ftp=-ldap:
> 
> >Then, you should have whatever daemon your users use to connect with the
> >usual BSD login mechanism (which might be called bsdauth, or whatever).
> >I don't believe GNU CVS does that, and OpenCVS doesn't do authentication
> >at all. Your best bet is probably setting up ssh; sshd uses the BSD
> >authentication routines by default.
> 
> You would think that the daemon would use "the usual BSD login
> mechanism" but ftpd doesn't. And pserver running out of inetd doesn't
> either. I don't know if the fact that I'm using inetd for pserver has
> any bearing on this issue, but I thought giving all information would be
> helpful.

Actually, ftpd does. inetd doesn't do authentication at all, and
pserver... well, see below.

> I know my "best bet" is using ssh. I'd much rather use ssh. But you
> can't always do what you want. Some of my 50 developers are using COTS
> development tools that ONLY know pserver. They don't like it either,
> but it's required for the project they're working on. So, while pserver
> sucks, it's necessary in this case.
> 
> >However, unless I am sorely mistaken, by this point, there's no need to
> >set up inetd and what you have is a CVS repository, but *not* a pserver.
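Review bot: the quoted login.conf change edits the auth-ftp-defaults record rather than the new ldap class, so it only takes effect for a class whose record chains to it through tc= (the stock default class does, via tc=auth-ftp-defaults). If the ldap class was written without a tc=default entry, ftpd users in that class will not pick up auth-ftp=-ldap from this change and the ldap record needs its own :auth-ftp=-ldap: capability.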
> 
> What I've decided to do, since I can't make this work ('cause I'm an
> idiot) and pserver is insecure and sucks, is to set local passwords for
> users that require pserver that are different from their LDAP password.
> That way, their LDAP password won't go in the clear.

That is a good solution.

The problem is, in fact, rather simple: pserver does not, in fact, use
BSD authentication. This is documented in
http://ximbiot.com/cvs/manual/cvs-1.12.13/cvs_2.html#SEC31 and
elsewhere; however, that page also suggests that you could create a
custom password file. Maybe a small script is in order (get 'cvspass'
from LDAP, format text file, mv it over the old one, repeat every x
minutes)?

Anyway, good luck, and let us know if you have any more problems.

		Joachim
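The "small script" Joachim sketches above (pull the pserver hash out of LDAP, format the text file, mv it over the old one, repeat from cron), written out as an added example. This is not code from the thread, from login_ldap or from CVS. It assumes an LDAP attribute named cvspass that holds a crypt(3) hash of the pserver-only password Mike decided to hand out (so the LDAP password itself never reaches CVSROOT/passwd), that the LDAP uid doubles as the CVS user name and the local system user, and the CVSROOT/passwd line format username:hash:system_user documented on the CVS manual page linked above. The example.org names and the sample hashes are constructed placeholders.

```sh
#!/bin/sh
# Added example: sync a CVS pserver password file from LDAP.
# Assumptions (not from the original thread): the LDAP attribute holding
# each user's crypt(3) hash is named "cvspass", and the CVS user name
# equals both the LDAP uid and the local system user.

# Read ldapsearch(1) LDIF on stdin, write CVSROOT/passwd lines on stdout.
# Each output line uses the documented form: username:hash:system_user
ldif_to_cvspasswd() {
    awk '
    function emit() {
        # Only emit complete, well-formed entries.  The file is colon
        # delimited and newline terminated, so a uid or hash carrying ":"
        # or stray characters could inject a bogus account; drop those.
        if (uid ~ /^[A-Za-z0-9._-]+$/ && hash ~ /^[A-Za-z0-9.\/$]+$/)
            printf "%s:%s:%s\n", uid, hash, uid
        uid = ""; hash = ""
    }
    function handle(l) {
        if (l == "") { emit(); return }          # blank line ends an entry
        if (l ~ /^uid: /) uid = substr(l, 6)
        else if (l ~ /^cvspass: /) hash = substr(l, 10)
    }
    {
        # LDIF folds long values: a line starting with a space continues
        # the previous one, so buffer one logical line at a time.
        if (substr($0, 1, 1) == " ") { buf = buf substr($0, 2); next }
        if (started) handle(buf)
        started = 1
        buf = $0
    }
    END { if (started) handle(buf); emit() }
    '
}

# Build the new file next to the old one and rename it into place, so
# pserver never reads a half-written file.  $1 is the target path.
install_cvs_passwd() {
    target=$1
    tmp=$(mktemp "${target}.XXXXXX") || return 1
    if ! ldif_to_cvspasswd > "$tmp" || [ ! -s "$tmp" ]; then
        # LDAP unreachable or nothing matched: keep the previous file
        # rather than install an empty one.
        rm -f "$tmp"
        return 1
    fi
    chmod 0600 "$tmp" && mv -f "$tmp" "$target"
}

# Constructed sample LDIF standing in for ldapsearch output: one folded
# hash, one entry without cvspass, one uid that must be rejected, and the
# usual ldapsearch trailer.  The hashes are made-up strings in DES and
# bcrypt shape, not hashes of any real password.
sample_ldif() {
    cat <<'EOF'
dn: uid=mike,ou=people,dc=example,dc=org
uid: mike
cvspass: abJnggxhB/yWI

dn: uid=jdoe,ou=people,dc=example,dc=org
uid: jdoe
cvspass: $2b$06$Sb4Qk7rpJ3hZ9vfsfqa0xu
 XnD1g0qY5PWcO0Oh2hG6iE5bqxv1Vk.

dn: uid=nocvs,ou=people,dc=example,dc=org
uid: nocvs

dn: uid=evil,ou=people,dc=example,dc=org
uid: evil:x:0
cvspass: abJnggxhB/yWI

search: 2
result: 0 Success
EOF
}

# Intended use from root's crontab every few minutes (assumed host and
# base DN; not run here):
#   ldapsearch -LLL -x -H ldap://ldap.example.org \
#       -b ou=people,dc=example,dc=org '(cvspass=*)' uid cvspass \
#       | install_cvs_passwd /cvs/CVSROOT/passwd
```

Two points a practitioner would want from this: the output is validated before it is written, because LDAP data is a colon-delimited file's untrusted input, and an empty or failed pull leaves the previous CVSROOT/passwd in place instead of locking everyone out. The file is installed mode 0600, since pserver is started by inetd as root and the hashes have no business being world readable.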