On Jan 14, 2006, at 4:41 PM, Allan Spagnol Comar wrote:

> Thank you all. Now I really understand what PAM and LDAP are about.

The upshot of all this is..... if you have more than 5 computers that you want to all have the same usernames and passwords, ldap and nis, etc. might be more than you need. rsyncing /etc/passwd and /etc/shadow is probably going to be sufficient for a very small network. Beyond 5 or so computers, the other methods start to earn their way. No matter what, though, pam stays in the solution stack.

> On 1/13/06, John Jolet <[EMAIL PROTECTED]> wrote:
> > On Jan 13, 2006, at 2:37 PM, Jose Gonzalez Gomez wrote:
> > > 2006/1/13, John Jolet <[EMAIL PROTECTED]>:
> > > > On Jan 13, 2006, at 11:45 AM, Allan Spagnol Comar wrote:
> > > > > Thanks. I believe I am starting to understand this.
> > > > > I was seeing that ldap can authenticate in a lot of types, like databases, files, and PAM does some things like that too.... or am I wrong?
> > > >
> > > > As far as I know you are wrong. ldap is an authentication mechanism. It stores usernames, passwords, and much more.
> > >
> > > LDAP is *not* an authentication mechanism. LDAP stands for Lightweight Directory Access Protocol, so LDAP is a protocol you use to access data stored in a structured way, called a directory. An LDAP directory is a directory that may be accessed using LDAP. An LDAP server is a server that serves its data using LDAP. LDAP servers are used for a lot of things, and two of them may be single sign on or centralized authentication (they are different although related things).
> >
> > You are correct... I was attempting to highlight the distinction between a security storage mechanism (which is what I should have said) and a mechanism that does the actual authentication.
> >
> > > To access data in a directory you may have to authenticate to access the data. This authentication can be done in several ways, and one of them is called simple bind: in this case you provide a path to locate an object in the directory and a password, and the server "compares" the password provided with the password stored in the specified object. IIRC the PAM-LDAP module uses simple bind to authenticate a user trying to gain access to the system. That is, the PAM module takes the provided user and password and tries to authenticate itself against the LDAP server using the simple bind mechanism, translating the user into a path to locate the object representing that user in the directory.
> > >
> > > BIG WARNING: Don't do this unless you're using simple bind over SSL protected connections, unless you want your passwords to travel (almost?) as clear text through the network.
> >
> > This MIGHT also not be a security risk if the ldap server and the service attempting to authenticate are on the same server. I usually did simple bind on the ldap server itself, and tls/ssl from all the other servers.
> >
> > > HTH
> > > Jose
> > >
> > > --
> > > An application asked:
> > > "Requires Windows 9x, NT4 or better",
> > > so I've installed Linux
>
> --
> gentoo-user@gentoo.org mailing list
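As an added example (not code from anyone in this thread), here is the simple bind Jose describes, encoded the way pam_ldap's client would put it on the wire (RFC 4511 BindRequest in BER), together with a small classifier a defender could run over one LDAP message captured on a non-TLS port to flag simple binds whose password crossed the network readable. The `uid=` DN layout, the base DN and the credentials are constructed sample values.

```python
def _ber_len(n):
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, value):
    return bytes([tag]) + _ber_len(len(value)) + value

def _int(tag, v):
    """Two's-complement INTEGER body; (bit_length + 8) // 8 keeps a sign byte when needed."""
    return _tlv(tag, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def user_dn(user, base="ou=people,dc=example,dc=com"):
    """What pam_ldap does with the login name: map it to a DN before binding (assumed uid= layout)."""
    return "uid=%s,%s" % (user, base)

def simple_bind_request(message_id, bind_dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] OCTET STRING } }."""
    bind = _int(0x02, 3) + _tlv(0x04, bind_dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _int(0x02, message_id) + _tlv(0x60, bind))

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def classify_bind(pdu):
    """For a BindRequest PDU return messageID, version, DN and auth choice; None otherwise."""
    tag, msg, _ = _read_tlv(pdu, 0)
    if tag != 0x30:
        return None
    tag, mid, pos = _read_tlv(msg, 0)
    op_tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x02 or op_tag != 0x60:
        return None                      # not a BindRequest (e.g. a SearchRequest)
    _, ver, pos = _read_tlv(op, 0)
    _, dn, pos = _read_tlv(op, pos)
    auth_tag, _, _ = _read_tlv(op, pos)  # [0] simple carries the password as plain octets
    return {"message_id": int.from_bytes(mid, "big", signed=True), "version": ver[0],
            "dn": dn.decode(), "auth": "simple" if auth_tag == 0x80 else "sasl"}

if __name__ == "__main__":
    pdu = simple_bind_request(1, user_dn("alice"), "s3cret")   # constructed credentials
    print(classify_bind(pdu), "password readable in PDU:", b"s3cret" in pdu)
```

A "simple" result for traffic seen on port 389 without a preceding StartTLS is exactly the case the BIG WARNING above is about; over TLS the same bytes are not visible to the classifier at all.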