|Les Stott||Mar 6, 2001 7:04 pm|
|Sam Varshavchik||Mar 6, 2001 7:48 pm|
|Patrick Price||Mar 7, 2001 12:01 pm|
|Leonid Andreev||Mar 7, 2001 12:28 pm|
|Leonid Andreev||Mar 7, 2001 12:38 pm|
|Brad Dameron||Mar 7, 2001 1:01 pm|
|Brad Dameron||Mar 7, 2001 1:20 pm|
|Leonid Andreev||Mar 7, 2001 1:49 pm|
|Nerijus Baliunas||Mar 7, 2001 3:02 pm|
|Ben Beuchler||Mar 7, 2001 3:25 pm|
|Sam Varshavchik||Mar 7, 2001 3:40 pm|
|Nerijus Baliunas||Mar 7, 2001 4:37 pm|
|Nerijus Baliunas||Mar 7, 2001 4:43 pm|
|Sam Varshavchik||Mar 7, 2001 5:12 pm|
|Patrick Price||Mar 7, 2001 6:02 pm|
|Patrick Price||Mar 7, 2001 6:04 pm|
|Clint Bullock||Mar 12, 2001 8:23 am|
|Georg Lutz||Mar 12, 2001 3:29 pm|
|Subject:||Re: [courier-users] Best unix distributed authentication method?|
|From:||Leonid Andreev (leo...@latte.harvard.edu)|
|Date:||Mar 7, 2001 12:28:53 pm|
my, maybe somewhat biased, opinion is NSS/PAM_LDAP *RULES*, definitely go for it. It probably took me a few days to figure out how to set things up efficiently/securely, etc., but I'm really happy with this setup now.
The latest distributions of nss_ldap and pam_ldap from padl.com and openldap2 from www.openldap.org; or, you can get the RPMs for both ldap and nss/pam_ldap at open-it.org (check out http://www.open-it.org/ldap-nis.html). nss/pam_ldap RPMs there are a couple of minor version numbers behind the latest releases.
RedHat Linux 6.2/7 comes with (nss|pam)_ldap preinstalled, but their RPMs are way behind the latest versions, so you'll want to compile your own. You'll need OpenSSL (comes with RedHat 7, available as an RPM for RH 6.2, compilable for most other Unixes).
If you go with openldap, you definitely want to use openldap2. You really need SSL support (PAM needs to send passwords to the server in the clear) and openldap1 doesn't really support SSL, there are workarounds/hacks but they are messy.
But openldap2 works like a charm, at least for me. A few words of caution: I only did this on Linux and I understand that it's somewhat more difficult to make it all work under Solaris or other Unixes (Unices? :) . I've never tried this with other LDAPs, although it's reported to work just fine with Netscape LDAP. And, once again, it actually did take me a FEW DAYS to figure everything out; so this would be a real project.
And, of course, I'm also using OpenLDAP with courier, for both accounts and aliases, and quite happy with this setup too.
P.S. Speaking of PAM, it's a very good idea to have all your services that authenticate users do it through PAM, regardless of whether you store the accounts in NIS, LDAP, /etc/files or a combination of the above. RedHat linux comes configured this way (so if you add pam_ldap support you only need to add a few lines to the existing PAM config files).
On Wed, 7 Mar 2001, Patrick Price wrote:
This is a little off topic of Courier per se ....
If someone can point me in the right direction for FAQ's or HOWTO's ...
Presently I use NIS for unix username/password distribution, Radius using MySQL, and some authuserdb stuff for Courier.
What I need to know is, what good is LDAP? PAM? And which combination of these is best for a fault-tolerant, distributed password system which would support unix logins, ftp, radius, Courier, etc?
Key words being fault tolerant, distributed, and one administrative interface? Am I asking the impossible?
Here's what I have to deal with now:
1: /etc/passwd for unix logins, ftp 2: MySql for radius 3: authuserdb for virtual users for Courier 4: Rely on NIS to share /etc/passwd for multiple unix boxes
The administration of these is driving me crazy, and if NIS goes down I'm screwed.
Thanks for any input!
_______________________________________________ courier-users mailing list cour...@lists.sourceforge.net http://lists.sourceforge.net/lists/listinfo/courier-users