On Wednesday 20 July 2005 02:41 pm, Nils Erik Svangård wrote:
> I can't! I don't have the authority to do that.
> I have set up NIS which authenticates via the Kerberos server. I guess
> it would be easiest to just add a group in NIS but LDAP is the future
> and there are such nice GUIs.
> Where do I do prelogin scripting?
> Let's say a user enters a username and a password: First it checks via
> yp if the user is in passwd and then tries to authenticate via the
> kerberos server (via pam_krb5).
> What I want is a
> if(in_ldap(username))
> {
>   if(check_with_yp(username))
>   {
>     if(krb5_authenticate(username,password))
>     {
>       login()
>     }
>   }
> }
> Where do I do this kind of magic? Somewhere with Pam?
>
> /nisse
>
> On 7/20/05, Carlos Rodrigues <[EMAIL PROTECTED]> wrote:
> > Nils Erik Svangård wrote:
> > > Hello!
> > > snip < < <
That is possibly the most absolutely horrifying setup I've ever heard of, and you have my deepest, most sincere sympathies at having to deal with not only LDAP/Kerberos but also NIS. It's also worth noting that using NIS is probably ruining any security you're getting from LDAP/SSL or Kerberos... but with that out of the way, I think I can help. I'm not hugely familiar with NIS, so don't assume anything here is true.

Before you start, get a root terminal on your machine and leave it open. If you make a mistake or my instructions are wrong, you can lose login access to the system... (don't ever forget this when working on headless remote systems... bad experiences)

Okay, first you need to make the LDAP information available to the Name Service Switch (NSS) part of your system, which will let you check the group information and such without any particular black magic -- it'll be the same as if it was in /etc/groups. For this, you want to install and configure libnss-ldap (left to the reader), then modify your /etc/nsswitch.conf file so that the 'group:' line looks like this:

group: files ldap

If you haven't already configured the NSS for NIS, do that too. Your nsswitch.conf file should probably look something like this now:

passwd: files nis
group: files ldap
shadow: files nis
... (rest of the file unchanged)

That will get shell/home information from NIS, group info from LDAP, and shadow (passwords) from NIS, which you say authenticates via Kerberos (are you sure there aren't any passwords getting tossed around in plain text?). Make sure this is all working perfectly -- you should be able to 'getent passwd <username>' for a user in the NIS system and have it return his data, and you should also be able to retrieve group info from LDAP with ldapsearch. You shouldn't need any PAM magic if you're using NIS and it's configured properly.
Then, to restrict login to a certain group, you need some lines in /etc/login.access looking something like:

-:ALL:ALL
+:groupallowedtologin:ALL

... but I'm not hugely familiar with that file, man login.access for more on that.

I've never done anything quite like this (strictly LDAPS/Kerberos here) but I think that information should at least get you going in the right direction. I'll say again, however, that the setup you're working with is basically a trainwreck and is probably leaking passwords and information all over the place unless it's very carefully designed. Complain to someone with authority and try to get the NIS information moved into LDAP -- it's generally much nicer to administrate.

Whew! HTH.

-- 
Ryan Schultz
-> floating point exception: divide by cucumber
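An added example, written for this page and not taken from the thread above, showing how login.access(5) entries are evaluated: the file is scanned top to bottom and the first entry that matches wins, so entry order decides who gets in. The script below models only the users field of "permission:users:origins" entries (origins are ignored; every constructed entry uses ALL) and runs the same user against three rule sets: the two entries in the order posted, the same two with the allow entry first, and a single entry using the EXCEPT keyword. The rule sets, the group name groupallowedtologin, and the users alice and bob are constructed for the demo. This is exactly the kind of check to run before editing the real file with the root shell the reply tells you to keep open.

```shell
#!/bin/sh
# Added example, not from the thread: a tiny evaluator for the users field of
# login.access(5)-style entries ("permission:users:origins"), applying the
# first-match rule the real file uses. Origins are ignored here (every
# constructed entry below uses ALL). Rule sets, users and groups are made up.

# The two entries in the order posted in the reply.
RULES_AS_POSTED='-:ALL:ALL
+:groupallowedtologin:ALL'

# Same entries with the allow first, so the group matches before the catch-all.
RULES_ALLOW_FIRST='+:groupallowedtologin:ALL
-:ALL:ALL'

# One entry using the EXCEPT keyword that login.access(5) supports.
RULES_EXCEPT='-:ALL EXCEPT groupallowedtologin:ALL'

# in_list USER GROUPS NAMES: succeeds if NAMES (space separated) contains ALL,
# USER, or one of the GROUPS.
in_list() {
    for item in $3; do
        [ "$item" = ALL ] && return 0
        [ "$item" = "$1" ] && return 0
        for g in $2; do
            [ "$item" = "$g" ] && return 0
        done
    done
    return 1
}

# user_matches USER GROUPS FIELD: succeeds if the users field of an entry
# applies to USER, handling the "A EXCEPT B" form.
user_matches() {
    case "$3" in
        *" EXCEPT "*)
            if in_list "$1" "$2" "${3%% EXCEPT *}" &&
               ! in_list "$1" "$2" "${3#* EXCEPT }"; then
                return 0
            fi
            return 1 ;;
    esac
    in_list "$1" "$2" "$3"
}

# access_decision USER GROUPS RULES: prints allow or deny according to the
# first matching entry; when no entry matches, login.access grants access.
access_decision() {
    while IFS=: read -r perm users _origins; do
        case "$perm" in ''|'#'*) continue ;; esac   # blank or comment line
        if user_matches "$1" "$2" "$users"; then
            if [ "$perm" = '+' ]; then echo allow; else echo deny; fi
            return 0
        fi
    done <<EOF
$3
EOF
    echo allow
}

# Demo: alice is in the allowed group, bob is not.
printf 'as posted:   alice=%s bob=%s\n' \
    "$(access_decision alice 'users groupallowedtologin' "$RULES_AS_POSTED")" \
    "$(access_decision bob 'users' "$RULES_AS_POSTED")"
printf 'allow first: alice=%s bob=%s\n' \
    "$(access_decision alice 'users groupallowedtologin' "$RULES_ALLOW_FIRST")" \
    "$(access_decision bob 'users' "$RULES_ALLOW_FIRST")"
printf 'EXCEPT:      alice=%s bob=%s\n' \
    "$(access_decision alice 'users groupallowedtologin' "$RULES_EXCEPT")" \
    "$(access_decision bob 'users' "$RULES_EXCEPT")"
```

With the entries in the posted order, "-:ALL:ALL" matches every user before the group entry is ever reached, so alice is denied along with bob; putting the group entry first, or using "ALL EXCEPT groupallowedtologin", gives the intended result. The real file is also matched on the origins field (tty or host) and is consulted by login and pam_access, so treat this script as a check of entry order, not a replacement for reading login.access(5).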