On Wed, 21 Feb 2007, L. V. Lammert wrote:

> TTFR, but you missed the point I was making - LDAP is seldom used for
> *machine authentication*, rather it is designed for applications like
> email, file sharing, et al.
>
> Per your comment, it appears that the discontinuity lies with *local
> logins*? Service/daemon usage of LDAP that does not use a local machine
> login, then, would not be affected?
>
> I, for one, would never use LDAP for local logins - local logins are for
> admins, and, as such, are few enough in number that LDAP would be more of a
> pain than problem solver. Using MySQL, LDAP, BDB, et al for services such
> as email, file-print sharing, possibly apache, should be independent of
> local machine [logins], IMHO, reserving local users for admins.
>
> Lee
How about for authpf logins? Since the OpenBSD IPsec implementation does not support authentication via username/password, we cannot use the 2-factor authentication system in place. Instead I can use an ssh login against LDAP for my VPN users, then a dynamic PF rule gets added allowing udp port isakmp and proto esp from the user's src ip. That way if the shared secret falls into the "wrong" hands the loss is mitigated.

diana
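The authpf(8) setup diana describes, as an added example that is not part of the original thread: the gateway blocks IKE and ESP by default and only the anchor that authpf fills after a successful ssh login opens them for that user's source address. The interface name em0 is an assumption; the ssh/LDAP login itself (the user's shell set to /usr/sbin/authpf, and sshd authenticating against LDAP) is configured outside these files.

```pf
# --- /etc/pf.conf on the IPsec gateway (constructed example) ---
ext_if = "em0"      # assumption: external interface name

# Default posture: no IKE (udp/500, "isakmp" in /etc/services) and no ESP
# from anyone. A leaked pre-shared key alone is therefore not enough to
# start a tunnel.
block in on $ext_if proto udp to ($ext_if) port isakmp
block in on $ext_if proto esp

# Allow the ssh login that authpf gates on.
pass in on $ext_if proto tcp to ($ext_if) port ssh

# authpf loads one sub-anchor per authenticated user here and removes it
# again when the user's ssh session ends, so the hole closes with the login.
anchor "authpf/*"

# --- /etc/authpf/authpf.rules (template expanded per login) ---
# authpf replaces $user_ip with the ssh client's source address and
# $user_id with the authenticated UNIX user name before loading the rules.
ext_if = "em0"

pass in quick on $ext_if proto udp from $user_ip to ($ext_if) port isakmp
pass in quick on $ext_if proto esp from $user_ip to ($ext_if)
```

While the session is up, `pfctl -a "authpf/*" -sr` lists the rules currently opened per user, which is also the place to look when auditing who holds a VPN window open.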