| From | Sent On | Attachments |
|---|---|---|
| Les Stott | Mar 6, 2001 7:04 pm | |
| Sam Varshavchik | Mar 6, 2001 7:48 pm | |
| Patrick Price | Mar 7, 2001 12:01 pm | |
| Leonid Andreev | Mar 7, 2001 12:28 pm | |
| Leonid Andreev | Mar 7, 2001 12:38 pm | |
| Brad Dameron | Mar 7, 2001 1:01 pm | |
| Brad Dameron | Mar 7, 2001 1:20 pm | |
| Leonid Andreev | Mar 7, 2001 1:49 pm | |
| Nerijus Baliunas | Mar 7, 2001 3:02 pm | |
| Ben Beuchler | Mar 7, 2001 3:25 pm | |
| Sam Varshavchik | Mar 7, 2001 3:40 pm | |
| Nerijus Baliunas | Mar 7, 2001 4:37 pm | |
| Nerijus Baliunas | Mar 7, 2001 4:43 pm | |
| Sam Varshavchik | Mar 7, 2001 5:12 pm | |
| Patrick Price | Mar 7, 2001 6:02 pm | |
| Patrick Price | Mar 7, 2001 6:04 pm | |
| Clint Bullock | Mar 12, 2001 8:23 am | |
| Georg Lutz | Mar 12, 2001 3:29 pm | |
| Subject: | RE: [courier-users] Best unix distributed authentication method? | |
|---|---|---|
| From: | Leonid Andreev (leo...@latte.harvard.edu) | |
| Date: | Mar 7, 2001 1:49:18 pm | |
| List: | net.sourceforge.lists.courier-users | |
On Wed, 7 Mar 2001, Brad Dameron wrote:
Whoops. I think I sent a blank reply. Sorry.
But my answer to this is to use MySQL for everything as we do. Courier with MySQL using authvchkpw, which then lets you use vpopmail as your pop3 daemon. There are modules to allow WUFTPD, NCFTPD, and a few others for FTP auth via MySQL. Your radius is already using it. And there are mods for login to allow shell auth via MySQL. Want a finger daemon as well? There is a mod to allow finger info via MySQL.
Hmm. All these modules seem to be application-specific (i.e., you need a MySQL auth module for ftpd, another one for fingerd, yet another one for login...). The nss/pam_ldap solution seems to be more elegant -- it's a single system-wide plugin that you install once, and then *all* your services use it transparently; there are many services that need auth, other than ftp, login and finger (xdm/gdm/kde, passwd, ppp, samba, ssh and even xlock -- to name just a few); if you have to replace all of them with versions that support MySQL explicitly, it does sound like a pain in the butt. And you still need some kind of MySQL-aware NSS too, right? -- *most* unix programs want to map your numeric uid to the username, etc.
Well, I told you I was biased. :)
I guess people are going to start yelling at us for posting off-topic sometime soon :) . There's an ldap-nis mailing list (send a message "subscribe ldap-nis" to majo...@padl.com; the archives are at http://lists.padl.com/archive/ldap-nis), if you are interested.
-L.
Check out:
http://www.idi.ntnu.no/manualer/mySQL/manual_21.html
---
Brad Dameron
bdam...@tscnet.com
Network Account Executive
877-663-4349
TSCNet Online Services
www.tscnet.com

-----Original Message-----
From: cour...@lists.sourceforge.net [mailto:cour...@lists.sourceforge.net] On Behalf Of Leonid Andreev
Sent: Wednesday, March 07, 2001 12:29 PM
To: cour...@lists.sourceforge.net
Subject: Re: [courier-users] Best unix distributed authentication method?
Hi,
my, maybe somewhat biased, opinion is NSS/PAM_LDAP *RULES*, definitely go for it. It probably took me a few days to figure out how to set things up efficiently/securely, etc., but I'm really happy with this setup now.
The latest distributions of nss_ldap and pam_ldap are at padl.com, and openldap2 at www.openldap.org; or, you can get the RPMs for both ldap and nss/pam_ldap at open-it.org (check out http://www.open-it.org/ldap-nis.html). The nss/pam_ldap RPMs there are a couple of minor version numbers behind the latest releases.
RedHat Linux 6.2/7 comes with (nss|pam)_ldap preinstalled, but their RPMs are way behind the latest versions, so you'll want to compile your own. You'll need OpenSSL (comes with RedHat 7, available as an RPM for RH 6.2, compilable for most other Unixes).
If you go with openldap, you definitely want to use openldap2. You really need SSL support (PAM needs to send passwords to the server in the clear), and openldap1 doesn't really support SSL; there are workarounds/hacks, but they are messy.
But openldap2 works like a charm, at least for me. A few words of caution: I only did this on Linux, and I understand that it's somewhat more difficult to make it all work under Solaris or other Unixes (Unices? :). I've never tried this with other LDAPs, although it's reported to work just fine with Netscape LDAP. And, once again, it actually did take me a FEW DAYS to figure everything out; so this would be a real project.
And, of course, I'm also using OpenLDAP with courier, for both accounts and aliases, and quite happy with this setup too.
best,
-L.
P.S. Speaking of PAM, it's a very good idea to have all your services that authenticate users do it through PAM, regardless of whether you store the accounts in NIS, LDAP, /etc/files or a combination of the above. RedHat Linux comes configured this way (so if you add pam_ldap support, you only need to add a few lines to the existing PAM config files).
On Wed, 7 Mar 2001, Patrick Price wrote:
This is a little off topic of Courier per se ....
If someone can point me in the right direction for FAQ's or HOWTO's ...
Presently I use NIS for unix username/password distribution, Radius using MySQL, and some authuserdb stuff for Courier.
What I need to know is, what good is LDAP? PAM? And which combination of these is best for a fault-tolerant, distributed password system which would support unix logins, ftp, radius, Courier, etc?
Key words being fault tolerant, distributed, and one administrative interface? Am I asking the impossible?
Here's what I have to deal with now:
1: /etc/passwd for unix logins, ftp
2: MySQL for radius
3: authuserdb for virtual users for Courier
4: Rely on NIS to share /etc/passwd for multiple unix boxes
The administration of these is driving me crazy, and if NIS goes down I'm screwed.
Thanks for any input!
Patrick Price
_______________________________________________ courier-users mailing list cour...@lists.sourceforge.net http://lists.sourceforge.net/lists/listinfo/courier-users
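As an added example (not from the thread or from any of its authors), here is what the "single system-wide plugin" setup Leonid describes looks like on a Red Hat-style box: NSS and PAM are both pointed at LDAP, and the shared ldap.conf turns on TLS so the password pam_ldap sends to the server no longer crosses the wire in the clear. The hostname, base DN and CA file path are placeholders, not values from the thread.

```conf
# /etc/nsswitch.conf (excerpt). NSS consults local files first, then LDAP,
# so uid <-> username mapping works for every program on the box.
passwd:   files ldap
shadow:   files ldap
group:    files ldap

# /etc/pam.d/system-auth (excerpt of a Red Hat-style stacked config).
# pam_ldap is tried first; local accounts in /etc/shadow still work if
# the LDAP server is unreachable, so you are not locked out.
auth      sufficient  pam_ldap.so
auth      required    pam_unix.so use_first_pass
account   sufficient  pam_ldap.so
account   required    pam_unix.so
password  sufficient  pam_ldap.so
password  required    pam_unix.so use_authtok
session   optional    pam_ldap.so
session   required    pam_unix.so

# /etc/ldap.conf (read by both nss_ldap and pam_ldap).
# Placeholder values: ldap.example.com, dc=example,dc=com, the CA file path.
host ldap.example.com
base dc=example,dc=com

# Weak setting: plain LDAP on port 389. pam_ldap authenticates by binding
# with the user's password, so it would be sent in the clear.
#ssl no

# Corrected: STARTTLS on the same port, and verify the server certificate
# against our own CA so the client cannot be pointed at an impostor server.
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacert.pem

# Hash new passwords on the client side when passwd(1) changes them.
pam_password md5
```

Every PAM-aware service (login, ssh, ftp, xlock, Courier's authpam) picks the LDAP accounts up from these three files without any per-application module.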