What I am wondering about is:
a) Does anyone maintain SSL versions of nss-ldap, pam-ldap and openldap 2.0.1x?
Hello,

Over the last two days I just completed converting my development environment to a fully LDAP NSS/PAM environment in preparation for converting the entire data center.
I used the slapd, libpam-ldap, and libnss-ldap (plus dependencies) packages 
from Woody to do so. I also used the PADL migration tools (maybe someone 
should package these and put them as recommended for the two libXXX-ldap 
packages).
None of this supports SSL. However, you can get around this in two ways, 
neither of which I have yet done:
1) Get the source packages and recompile all of them with SSL support enabled
2) Use stunnel (or SSH or whatever) to set up SSL tunneling

I don't intend to do either for now. If you find an easier way (a prepackaged .deb way, preferably) please let me know. I did investigate doing #1, but the sheer number of options to openldap, combined with my minimal knowledge of changing Debian package configuration prior to the simple build, stopped me until I had more time on my hands.
On the other hand, I would be very interested to know if you or anyone has 
a PAM/NSS/LDAP installation on Debian using slave LDAP servers as hot 
backups. I haven't seen any documented way of doing this anywhere, such as 
providing a list of servers which can be attempted.
For PAM, however, I suppose it's relatively simple to do something like:

auth    sufficient  pam_ldap.so
auth    sufficient  pam_ldap.so config=/etc/pam_ldap-slave.conf try_first_pass
auth    required    pam_unix.so nullok try_first_pass

(Although I haven't tried it yet)

On the other hand, I do not yet see a way to do this with NSS. I would welcome pointers.
I would like to advise you to ensure at least a+r permissions on 
/etc/nsswitch.conf. If you do not, then simple things like getent networks 
will not work for non-root users. The installation recommends mode 0600 
which I found does NOT work because non-root users running programs using 
the glibc nss will not be able to get the answers from the now-depopulated 
/etc files.
Cheers,

Doug

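As an added example that is not part of Doug's post (and not Debian's or PADL's code): a small Python model of how Linux-PAM evaluates an auth stack of "sufficient" and "required" entries, run over the three pam_ldap/pam_unix lines proposed above. It does not call libpam; the two LDAP servers and /etc/shadow are stand-ins holding constructed users with plaintext passwords, and PasswordSource, Entry, run_auth_stack and build_post_stack are names invented for the model. It shows the failover the post hopes for (primary unreachable, the slave line answers, pam_unix is never consulted) and two consequences of that stack worth checking after a migration: a stale password left in /etc/shadow still authenticates through the final pam_unix line, and nullok admits an empty local password for an account the directory does not know.

```python
"""Model of how Linux-PAM evaluates an 'auth' stack of 'sufficient' and
'required' entries, applied to the primary/slave pam_ldap stack proposed in
the post above. Added example: not code from the post, Debian or PADL, and it
does not call libpam. The LDAP servers and /etc/shadow are stand-ins fed with
constructed data."""

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Return codes named after pam_constants.h; the model only needs these four.
PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"                  # user known, credentials rejected
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"          # no such account in this source
PAM_AUTHINFO_UNAVAIL = "PAM_AUTHINFO_UNAVAIL"  # source could not be consulted


@dataclass
class PasswordSource:
    """Stand-in for what one pam_ldap.so or pam_unix.so line consults (constructed).
    Plaintext passwords are used only because this models control flow."""
    name: str
    passwords: Dict[str, str] = field(default_factory=dict)
    reachable: bool = True   # False models an LDAP server that is down
    nullok: bool = False     # pam_unix 'nullok': accept an empty stored password

    def authenticate(self, user: str, password: str) -> str:
        if not self.reachable:
            return PAM_AUTHINFO_UNAVAIL
        if user not in self.passwords:
            return PAM_USER_UNKNOWN
        stored = self.passwords[user]
        if stored == "":
            return PAM_SUCCESS if self.nullok and password == "" else PAM_AUTH_ERR
        return PAM_SUCCESS if stored == password else PAM_AUTH_ERR


@dataclass
class Entry:
    control: str                      # "sufficient", "required" or "requisite"
    module: str                       # label only, mirrors the pam.d line
    check: Callable[[str, str], str]  # (user, password) -> PAM return code


def run_auth_stack(stack: List[Entry], user: str, password: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Linux-PAM control-flag rules: a 'sufficient' success with no earlier
    'required' failure ends the stack with success; a 'sufficient' failure is
    ignored; a 'required' failure is remembered but later modules still run;
    a 'requisite' failure ends the stack at once. Assumes the stack ends with
    a 'required' entry, as the post's does. Returns (final code, trace)."""
    trace: List[Tuple[str, str]] = []
    first_required_failure: Optional[str] = None
    for entry in stack:
        code = entry.check(user, password)
        trace.append((entry.module, code))
        if entry.control == "sufficient":
            if code == PAM_SUCCESS and first_required_failure is None:
                return PAM_SUCCESS, trace
        elif entry.control == "required":
            if code != PAM_SUCCESS and first_required_failure is None:
                first_required_failure = code
        elif entry.control == "requisite":
            if code != PAM_SUCCESS:
                return code, trace
        else:
            raise ValueError(f"unsupported control flag: {entry.control!r}")
    return (first_required_failure or PAM_SUCCESS), trace


def build_post_stack(primary: PasswordSource, slave: PasswordSource, shadow: PasswordSource) -> List[Entry]:
    """The three 'auth' lines from the post, in order."""
    return [
        Entry("sufficient", "pam_ldap.so", primary.authenticate),
        Entry("sufficient", "pam_ldap.so config=/etc/pam_ldap-slave.conf try_first_pass", slave.authenticate),
        Entry("required", "pam_unix.so nullok try_first_pass", shadow.authenticate),
    ]


def demo() -> Dict[str, str]:
    """Scenarios to check before relying on the stack; returns {name: final code}."""
    directory = {"alice": "ldap-secret", "bob": "new-ldap-pw"}
    ldap1_up = PasswordSource("ldap1", dict(directory))
    ldap1_down = PasswordSource("ldap1", dict(directory), reachable=False)
    ldap2 = PasswordSource("ldap2", dict(directory))
    # bob's stale /etc/shadow entry survived the migration; svc has an empty password
    shadow = PasswordSource("shadow", {"bob": "old-local-pw", "svc": ""}, nullok=True)
    normal = build_post_stack(ldap1_up, ldap2, shadow)
    degraded = build_post_stack(ldap1_down, ldap2, shadow)
    return {
        # primary down: the slave line answers and pam_unix is never consulted
        "failover_to_slave": run_auth_stack(degraded, "alice", "ldap-secret")[0],
        # wrong password everywhere: the 'required' pam_unix result decides
        "wrong_password": run_auth_stack(normal, "alice", "guess")[0],
        # caveat: a stale local password still logs bob in via pam_unix
        "stale_local_password": run_auth_stack(normal, "bob", "old-local-pw")[0],
        # caveat: nullok admits an empty local password for an account LDAP does not know
        "nullok_empty_password": run_auth_stack(normal, "svc", "")[0],
    }
```

Calling demo() returns PAM_SUCCESS for the failover case and for both caveat cases, and PAM_USER_UNKNOWN for the wrong-password case (the code of the final required module). The second element of run_auth_stack's result records which modules were actually called, which is the quickest way to see that the slave line short-circuits the stack when the primary is unreachable.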