18 messages in net.sourceforge.lists.courier-users, thread "Re: [courier-users] Best unix distributed authentication method?"

From               Sent on
Les Stott          Mar 6, 2001 7:04 pm
Sam Varshavchik    Mar 6, 2001 7:48 pm
Patrick Price      Mar 7, 2001 12:01 pm
Leonid Andreev     Mar 7, 2001 12:28 pm
Leonid Andreev     Mar 7, 2001 12:38 pm
Brad Dameron       Mar 7, 2001 1:01 pm
Brad Dameron       Mar 7, 2001 1:20 pm
Leonid Andreev     Mar 7, 2001 1:49 pm
Nerijus Baliunas   Mar 7, 2001 3:02 pm
Ben Beuchler       Mar 7, 2001 3:25 pm
Sam Varshavchik    Mar 7, 2001 3:40 pm
Nerijus Baliunas   Mar 7, 2001 4:37 pm
Nerijus Baliunas   Mar 7, 2001 4:43 pm
Sam Varshavchik    Mar 7, 2001 5:12 pm
Patrick Price      Mar 7, 2001 6:02 pm
Patrick Price      Mar 7, 2001 6:04 pm
Clint Bullock      Mar 12, 2001 8:23 am
Georg Lutz         Mar 12, 2001 3:29 pm
Subject: Re: [courier-users] Best unix distributed authentication method?
From: Leonid Andreev (leo@latte.harvard.edu)
Date: Mar 7, 2001 12:28:53 pm
List: net.sourceforge.lists.courier-users

Hi,

my, maybe somewhat biased, opinion is NSS/PAM_LDAP *RULES*, definitely go for it. It probably took me a few days to figure out how to set things up efficiently/securely, etc., but I'm really happy with this setup now.

The latest distributions of nss_ldap and pam_ldap are from padl.com, and openldap2 from www.openldap.org; or, you can get the RPMs for both ldap and nss/pam_ldap at open-it.org (check out http://www.open-it.org/ldap-nis.html). The nss/pam_ldap RPMs there are a couple of minor version numbers behind the latest releases.

RedHat Linux 6.2/7 comes with (nss|pam)_ldap preinstalled, but their RPMs are way behind the latest versions, so you'll want to compile your own. You'll need OpenSSL (comes with RedHat 7, available as an RPM for RH 6.2, compilable for most other Unixes).

If you go with openldap, you definitely want to use openldap2. You really need SSL support (PAM needs to send passwords to the server in the clear) and openldap1 doesn't really support SSL, there are workarounds/hacks but they are messy.

But openldap2 works like a charm, at least for me. A few words of caution: I only did this on Linux and I understand that it's somewhat more difficult to make it all work under Solaris or other Unixes (Unices? :) . I've never tried this with other LDAPs, although it's reported to work just fine with Netscape LDAP. And, once again, it actually did take me a FEW DAYS to figure everything out; so this would be a real project.

And, of course, I'm also using OpenLDAP with courier, for both accounts and aliases, and quite happy with this setup too.

best,

-L.

P.S. Speaking of PAM, it's a very good idea to have all your services that authenticate users do it through PAM, regardless of whether you store the accounts in NIS, LDAP, /etc/files or a combination of the above. RedHat Linux comes configured this way (so if you add pam_ldap support you only need to add a few lines to the existing PAM config files).

On Wed, 7 Mar 2001, Patrick Price wrote:

> This is a little off topic of Courier per se ....
>
> If someone can point me in the right direction for FAQs or HOWTOs ...
>
> Presently I use NIS for unix username/password distribution, Radius using MySQL, and some authuserdb stuff for Courier.
>
> What I need to know is, what good is LDAP? PAM? And which combination of these is best for a fault-tolerant, distributed password system which would support unix logins, ftp, radius, Courier, etc?
>
> Key words being fault tolerant, distributed, and one administrative interface? Am I asking the impossible?
>
> Here's what I have to deal with now:
>
> 1: /etc/passwd for unix logins, ftp
> 2: MySql for radius
> 3: authuserdb for virtual users for Courier
> 4: Rely on NIS to share /etc/passwd for multiple unix boxes
>
> The administration of these is driving me crazy, and if NIS goes down I'm screwed.
>
> Thanks for any input!
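As an added illustration of the setup Leonid describes (the "few lines" of PAM config plus TLS so the password never crosses the wire in the clear), here is the minimal nss_ldap/pam_ldap configuration for a RedHat-style box. This is editor-supplied example configuration, not from the original post or from the padl.com/OpenLDAP projects; the hostname ldap.example.com, the base DN dc=example,dc=com, the CA file path and the user name alice are assumptions, and the bracketed account line uses Linux-PAM 0.74+ control syntax.

```text
# /etc/ldap.conf  (read by both nss_ldap and pam_ldap; host, base and CA path are assumed)
host ldap.example.com
base dc=example,dc=com
ldap_version 3

# pam_ldap does a simple bind with the user's cleartext password, so require
# STARTTLS and verify the server certificate; without this the password is
# readable on the wire, which is the reason the post insists on openldap2 + SSL.
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacert.pem

# Password changes use the LDAP password-modify extended operation so the
# server, not the client, chooses the hash.
pam_password exop

# Where NSS looks up accounts (one level below the containers).
nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_shadow ou=People,dc=example,dc=com?one
nss_base_group  ou=Group,dc=example,dc=com?one

# /etc/nsswitch.conf  (local files first so root still works if the directory is down)
passwd:   files ldap
shadow:   files ldap
group:    files ldap

# /etc/pam.d/login  (same pattern is added to sshd, ftp, etc.; courier can use
# its own pam service file pointing at the same stack)
auth       required     pam_securetty.so
auth       required     pam_nologin.so
auth       sufficient   pam_unix.so likeauth nullok
auth       sufficient   pam_ldap.so use_first_pass
auth       required     pam_deny.so
account    required     pam_unix.so
account    [default=bad success=ok user_unknown=ignore] pam_ldap.so
password   required     pam_cracklib.so retry=3
password   sufficient   pam_unix.so nullok use_authtok md5 shadow
password   sufficient   pam_ldap.so use_authtok
password   required     pam_deny.so
session    required     pam_unix.so
session    optional     pam_ldap.so

# Checks before trusting it:
#   ldapsearch -x -ZZ -h ldap.example.com -b dc=example,dc=com '(uid=alice)'
#     -ZZ fails hard if STARTTLS cannot be negotiated, which is what you want.
#   getent passwd alice
#     confirms NSS resolves the directory user without any PAM involvement.
```

The ordering matters: pam_unix runs first with `sufficient` so a local account (root in particular) authenticates without touching the network, and pam_ldap gets the already-prompted password via `use_first_pass` so the user is only asked once. The `account` line for pam_ldap ignores users the directory does not know about instead of failing them, so local-only accounts keep working when only /etc/passwd has them.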