Militantly FREE software support.
Militantly FREE software support.
NavigationUser loginSpam?See spam posts on this site? If so, please don't reply to the spam! Instead, just report the URL to the webmaster. |
ldap + pam howto?Hi, Thanks a lot! -- Bookmark/Search this post with: 
|
• Debian Weekly News - Essential reading for any Debian fan. • Documentation - Debian's own authoritative documentation, including installation docs. • FAQ - Got questions about Debian GNU/Linux? • From Windows to Debian - Tips for converting from Windows to Debian GNU/Linux • Package of the Day. • Security - Security information and alerts! • Bug System - Bug tracking and instructions on reporting bugs. • CD Images - Where/how to get Debian GNU/Linux CD images. • Mailing List Subscription - Dozens of Debian-specific support mailing lists! • Mailing List Archives - Searchable archives of Debian's mailing lists. • Free Software Guidelines - Learn Debian's idea of what "free" software really is. • Package Listings - A very valuable tool: searchable, integrated with bug reports. • Apt-Get Sources - Sources for *.debs which are not official Debian packages. • Backports - Unofficial new software packages that have been "back-ported" to work with the Debian stable/official release. • Developer's Corner - Info about the people behind Debian, policies, and how to package *.deb files.
ldap + pam howto?
On Tue, Jan 30, 2007 at 05:04:48PM +0000, Rakotomandimby Mihamina wrote:
> Hi,
> I am using Testing, and I want to setup the debian way an LDAP + pam
> authentication system for system users.
> Would you know a recent howto talking about that?
> I dont need generic howto, I am interested in the debian specific way.
>
Do you need to configure just the client, just the server, or both?
Regards,
-Roberto
--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
ldap + pam howto?
Roberto C. Sanchez wrote:
> On Tue, Jan 30, 2007 at 05:04:48PM +0000, Rakotomandimby Mihamina wrote:
>> Hi,
>> I am using Testing, and I want to setup the debian way an LDAP + pam
>> authentication system for system users.
>> Would you know a recent howto talking about that?
>> I dont need generic howto, I am interested in the debian specific way.
>>
>
> Do you need to configure just the client, just the server, or both?
>
> Regards,
>
> -Roberto
>
Hmmm.... maybe if I reply with something helpful I can also
piggy-back a question of my own? }:)
I was messing around with exactly the same thing a while ago,
and this was the best How-To I found. It is for Sarge, but that
didn't seem to matter. As much as I sing the praises of this
one, it wasn't perfect. I seem to recall using several How-To's
because none of them seemed to have all the answers.
http://www.moduli.net/pages/sarge-ldap-auth-howto
Now here's my question:
I never could figure out the #### SASL stuff. I didn't even get
the concept. I thought I did several times, then I'd read
something else and it wouldn't make sense again. So let's try
this slowly.... =)
The LDAP client usually just sends all data (passwords
included!) in the clear to the LDAP server. This is bad. SASL
encrypts all the communication between the client and server.
Okay, now if I've at least got that much right....
1) How do I make the client and server use SASL? I was forever
at a loss on this. Never could find a How-To for it or
anything. (Every How-To I found on LDAP started off with
something to the effect of "SASL is beyond the scope of this
document" =P )
2) Once I've enabled SASL (enabled? Is that even the right
term?) how can I see if it's working?
Thanks, and I hope I'm not developing an irritating habit of
thread hi-jacking, =)
- GM
--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.5.432 / Virus Database: 268.17.28/672 - Release Date: 2/6/2007 10:22 AM
--
ldap + pam howto?
On Tue, Feb 06, 2007 at 09:22:40AM -0500, Grok Mogger wrote:
>
> The LDAP client usually just sends all data (passwords
> included!) in the clear to the LDAP server. This is bad. SASL
> encrypts all the communication between the client and server.
>
Right, but your passwords should be hashed anyways.
> Okay, now if I've at least got that much right....
>
> 1) How do I make the client and server use SASL? I was forever
> at a loss on this. Never could find a How-To for it or
> anything. (Every How-To I found on LDAP started off with
> something to the effect of "SASL is beyond the scope of this
> document" =P )
>
Because even though SASL is the "simple" authentication and security
layer, it is far from simple.
> 2) Once I've enabled SASL (enabled? Is that even the right
> term?) how can I see if it's working?
>
Personally, I just force everything (client and server) into using SSL.
Then, when I want to do stuff like use the LDAP backend to also do
authentication for parts of my website (that way users can use the same
password to login and to access the site), I know that no matter what,
everything is ecrypted. Also, IIRC, SASL can only encrypt the
authentication part. So everything after that, including queries, are
in the clear.
Regards,
-Roberto
--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
ldap + pam howto?
Roberto C. Sanchez wrote:
> On Tue, Feb 06, 2007 at 09:22:40AM -0500, Grok Mogger wrote:
>> The LDAP client usually just sends all data (passwords
>> included!) in the clear to the LDAP server. This is bad. SASL
>> encrypts all the communication between the client and server.
>>
> Right, but your passwords should be hashed anyways.
>
>> Okay, now if I've at least got that much right....
>>
>> 1) How do I make the client and server use SASL? I was forever
>> at a loss on this. Never could find a How-To for it or
>> anything. (Every How-To I found on LDAP started off with
>> something to the effect of "SASL is beyond the scope of this
>> document" =P )
>>
> Because even though SASL is the "simple" authentication and security
> layer, it is far from simple.
>
>> 2) Once I've enabled SASL (enabled? Is that even the right
>> term?) how can I see if it's working?
>>
> Personally, I just force everything (client and server) into using SSL.
> Then, when I want to do stuff like use the LDAP backend to also do
> authentication for parts of my website (that way users can use the same
> password to login and to access the site), I know that no matter what,
> everything is ecrypted. Also, IIRC, SASL can only encrypt the
> authentication part. So everything after that, including queries, are
> in the clear.
>
> Regards,
>
> -Roberto
>
So forget SASL and just send everything through an SSL tunnel?
So you'd do something like this on the client... "ssh -L
7777:LDAPServer:$LDAPServerPORT -N user@LDAPServer", and then
setup the LDAP client to send everything to the client's own
7777 port? And do something similar on the server. Is that right?
The thought had occurred to me, but SASL sounded like it was
what I was *supposed* to do. If someone experienced out there
is doing this though, then I'm fine with that. Sounds like it
might be a better solution anyway.
Thanks for helping me out,
- GM
--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.5.432 / Virus Database: 268.17.28/672 - Release Date: 2/6/2007 10:22 AM
--
ldap + pam howto?
On Tue, Feb 06, 2007 at 10:56:11AM -0500, Grok Mogger wrote:
>
> So forget SASL and just send everything through an SSL tunnel?
> So you'd do something like this on the client... "ssh -L
> 7777:LDAPServer:$LDAPServerPORT -N user@LDAPServer", and then
> setup the LDAP client to send everything to the client's own
> 7777 port? And do something similar on the server. Is that right?
>
Nope, edit /etc/defaults/slapd and tell it to bind to
"ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
That tells it, clear text only on the loopback, SSL everywhere and also
the Unix domain socket (only accessible on the local filesystem if you
have the right permissions).
Of course, you will need to setup certificates. You can read the LDAP
admin guide and the SSL docs for that.
Regards,
-Roberto
--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
ldap + pam howto?
Roberto C. Sanchez wrote:
> On Tue, Feb 06, 2007 at 10:56:11AM -0500, Grok Mogger wrote:
>> So forget SASL and just send everything through an SSL tunnel?
>> So you'd do something like this on the client... "ssh -L
>> 7777:LDAPServer:$LDAPServerPORT -N user@LDAPServer", and then
>> setup the LDAP client to send everything to the client's own
>> 7777 port? And do something similar on the server. Is that right?
>>
> Nope, edit /etc/defaults/slapd and tell it to bind to
> "ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
>
> That tells it, clear text only on the loopback, SSL everywhere and also
> the Unix domain socket (only accessible on the local filesystem if you
> have the right permissions).
>
> Of course, you will need to setup certificates. You can read the LDAP
> admin guide and the SSL docs for that.
>
> Regards,
>
> -Roberto
>
Hm, doesn't sound too bad. Cool, thanks!
- GM
--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.5.432 / Virus Database: 268.17.28/672 - Release Date: 2/6/2007 10:22 AM
--
ldap + pam howto?
On Tue, Feb 06, 2007 at 09:22:40AM -0500, Grok Mogger wrote:
> Now here's my question:
> I never could figure out the #### SASL stuff. I didn't even get
> the concept. I thought I did several times, then I'd read
> something else and it wouldn't make sense again. So let's try
> this slowly.... =)
>
> The LDAP client usually just sends all data (passwords
> included!) in the clear to the LDAP server. This is bad. SASL
> encrypts all the communication between the client and server.
>
> Okay, now if I've at least got that much right....
>
> 1) How do I make the client and server use SASL? I was forever
> at a loss on this. Never could find a How-To for it or
> anything. (Every How-To I found on LDAP started off with
> something to the effect of "SASL is beyond the scope of this
> document" =P )
Does this help:
http://people.debian.org/~torsten/ldapnss.html
--
Chris.
======
Don't forget to check that your /etc/apt/sources.lst entries point to
etch and not testing, otherwise you may end up with a broken system once
etch goes stable.
--