Hi!
In the release notes it is said RHDS will replace OpenLDAP. However, I can only find OpenLDAP in CentOS5. I tried to google the web but it returned nothing useful. Does anyone know about this? Thanks.
Regards, Wei Yu
On Mon, May 28, 2007 at 05:04:32PM +0800, Wei Yu wrote:
Hi!
In the release notes it is said RHDS will replace OpenLDAP.
It says OpenLDAP will be deprecated in the next release *after* RHEL 5.
However, I can only find OpenLDAP in CentOS5.
I also can only find OpenLDAP in RHEL5.
I tried to google the web but it returned nothing useful. Does anyone know about this? Thanks.
AFAIK, RedHat Directory Server is sold, and may have some parts that haven't been open sourced yet.
But there's Fedora Directory Server, that I've been using: http://directory.fedoraproject.org/wiki/Download
There's also a new package being developed in extras. You'll require:
- fedora-ds-base
- icu
- svrcore
- mozldap
- perl-Mozilla-LDAP
- nspr
- nss
The installer in that package is ds_newinst.pl, and requires a file argument with something like:
[General]
FullMachineName=`hostname`
SuiteSpotUserID=nobody
ServerRoot=/usr/lib/fedora-ds
[slapd]
ServerPort=389
ServerIdentifier=`hostname -s`
Suffix=dc=example,dc=com
RootDN=cn=Directory Manager
RootDNPwd=clear_text_password
Luciano Rocha wrote:
AFAIK, RedHat Directory Server is sold, and may have some parts that haven't been open sourced yet.
But there's Fedora Directory Server, that I've been using: http://directory.fedoraproject.org/wiki/Download
There's also a new package being developed in extras. You'll require:
- fedora-ds-base
- icu
- svrcore
- mozldap
- perl-Mozilla-LDAP
- nspr
- nss
The installer in that package is ds_newinst.pl, and requires a file argument with something like:
[General]
FullMachineName=`hostname`
SuiteSpotUserID=nobody
ServerRoot=/usr/lib/fedora-ds
[slapd]
ServerPort=389
ServerIdentifier=`hostname -s`
Suffix=dc=example,dc=com
RootDN=cn=Directory Manager
RootDNPwd=clear_text_password
I was looking at openldap to change my old lan that is working with NIS and NFS to have an LDAP with some secure authentication system. All this on CentOS.
Should I look at Directory server?
I see it has a graphical interface to configure, which is pretty good (haven't seen anything like that in LDAP).
On Mon, May 28, 2007 at 08:38:02AM -0300, Martin Marques wrote:
I was looking at openldap to change my old lan that is working with NIS and NFS to have an LDAP with some secure authentication system. All this on CentOS.
Should I look at Directory server?
Directory Server has a very powerful access control mechanism[1], and supports multi-master replication.
However, openldap has a more intelligent schema parser. Directory Server's schemas are strict ldif, and you'll need to convert most schemas to its format (samba's, bind's, etc.). It's not hard, and there are some scripts that help with that[2].
I see it has a graphical interface to configure, which is pretty good (haven't seen anything like that in LDAP).
Fedora Directory Server 1.0.x includes the graphical admin console; the new 1.1.x, following FHS and using the system's packages (like dbx, nss, nspr), didn't last time I checked. But it's a work in progress, so that might have changed in the meantime.
But I haven't used the graphical console, so I can't comment about that.
I'm using FDS for replicated dns, users and dhcp servers, and also for an internal Xen control script that uses ldap.
If you want to store only user information, without replication, then openldap is good enough.
[1] Here are ACIs that I'm using, that allow a specific user to change all users' passwords (including for samba), and another specific user to read them:
# Users
dn: ou=Users, dc=dc, dc=aeiou, dc=pt
ou: Users
objectClass: top
objectClass: organizationalUnit
aci: (target="ldap:///uid=*,ou=Users,dc=sample,dc=com")(targetattr=*) (version 3.0;acl "user manager"; allow (read,write,add,delete,search,compare) userdn="ldap:///uid=uman,ou=Users,dc=sample,dc=com";)
aci: (targetattr="sambaLMPassword || sambaNTPassword")(version 3.0;acl "vpn info access"; allow (read,search,compare) userdn="ldap:///uid=radius, ou=Users,dc=sample,dc=com"; deny (read,search,compare) (userdn!="ldap:///uid=radius,ou=Users,dc=sample,dc=com" and userdn!="ldap:///uid=uman,ou=Users,dc=sample,dc=com");)
[2] http://directory.fedoraproject.org/download/ol-schema-migrate.pl
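As an added example (not from Luciano's post and not part of the Directory Server project), here is a small Python audit script for ACIs of the kind shown in [1]. It reads the LDIF entry above, breaks each aci value into its targetattr clause, its allow/deny rules and the userdn bind rules, and then reports every grant that lets a bind identity read, search or compare a password attribute. The embedded LDIF is the posted entry plus one constructed, deliberately over-broad ACI (acl "constructed bad example") so the report has something to flag; the list of sensitive attributes and the two "broad" bind rules are assumptions you would adapt to your own schema.

```python
import re
from collections import defaultdict

# Attributes treated as secrets (assumption: adjust to the site's schema).
SENSITIVE_ATTRS = {"userpassword", "sambalmpassword", "sambantpassword"}
# Bind rules that match every client, bound or anonymous.
BROAD_BINDS = {"ldap:///anyone", "ldap:///all"}

# The ou=Users entry posted above, plus one constructed, deliberately over-broad
# ACI (acl "constructed bad example") so the audit has something to flag.
SAMPLE_LDIF = """\
# Users
dn: ou=Users, dc=dc, dc=aeiou, dc=pt
ou: Users
objectClass: top
objectClass: organizationalUnit
aci: (target="ldap:///uid=*,ou=Users,dc=sample,dc=com")(targetattr=*) (version 3.0;acl "user manager"; allow (read,write,add,delete,search,compare) userdn="ldap:///uid=uman,ou=Users,dc=sample,dc=com";)
aci: (targetattr="sambaLMPassword || sambaNTPassword")(version 3.0;acl "vpn info access"; allow (read,search,compare) userdn="ldap:///uid=radius, ou=Users,dc=sample,dc=com"; deny (read,search,compare) (userdn!="ldap:///uid=radius,ou=Users,dc=sample,dc=com" and userdn!="ldap:///uid=uman,ou=Users,dc=sample,dc=com");)
aci: (targetattr="userPassword")(version 3.0;acl "constructed bad example"; allow (read,search) userdn="ldap:///anyone";)
"""

TARGETATTR_RE = re.compile(r'\(\s*targetattr\s*(!?=)\s*"?([^")]+?)"?\s*\)', re.I)
ACL_NAME_RE = re.compile(r'acl\s+"([^"]*)"', re.I)
VERSION_RE = re.compile(r"version\s+3\.0\s*;", re.I)
RULE_RE = re.compile(r"^(allow|deny)\s*\(([^)]*)\)\s*(.*)$", re.I | re.S)
USERDN_RE = re.compile(r'userdn\s*(!?=)\s*"([^"]*)"', re.I)


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines (leading space), skips '#'
    comments and returns one {attr_lowercase: [values]} dict per entry."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:                 # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current is not None:
                entries.append(current)
            current = None
            continue
        attr, _, value = line.partition(":")
        current = current if current is not None else defaultdict(list)
        current[attr.strip().lower()].append(value.strip())
    return entries


def parse_aci(value):
    """Split one aci value into (acl name, targeted attrs, rules) where each rule is
    (effect, rights, [(op, userdn)]) and op is '=' or '!=' from the bind rule."""
    m = TARGETATTR_RE.search(value)
    if m is None or m.group(1) == "!=":      # absent or negated targetattr: treat as all
        attrs = {"*"}
    else:
        attrs = {a.strip().lower() for a in m.group(2).split("||")}
    name_m = ACL_NAME_RE.search(value)
    name = name_m.group(1) if name_m else "<unnamed>"
    parts = VERSION_RE.split(value, maxsplit=1)
    rules = []
    for stmt in (parts[1] if len(parts) > 1 else "").split(";"):
        r = RULE_RE.match(stmt.strip())
        if not r:                              # the acl "name" clause or the closing ')'
            continue
        rights = {x.strip().lower() for x in r.group(2).split(",")}
        # normalise DNs: lower-case, drop optional whitespace after RDN separators
        binds = [(op, re.sub(r",\s+", ",", dn.strip().lower()))
                 for op, dn in USERDN_RE.findall(r.group(3))]
        rules.append((r.group(1).lower(), rights, binds))
    return name, attrs, rules


def audit_password_acis(ldif_text, sensitive=SENSITIVE_ATTRS):
    """One finding per allow rule that lets a bind identity read, search or compare a
    sensitive attribute; 'broad' marks grants to ldap:///anyone or ldap:///all."""
    findings = []
    for entry in parse_ldif(ldif_text):
        for raw in entry.get("aci", []):
            name, attrs, rules = parse_aci(raw)
            exposed = set(sensitive) if "*" in attrs else attrs & set(sensitive)
            if not exposed:
                continue
            for effect, rights, binds in rules:
                if effect != "allow" or not rights & {"read", "search", "compare", "all"}:
                    continue
                granted = [dn for op, dn in binds if op == "="]
                findings.append({"entry": entry["dn"][0], "acl": name,
                                 "attrs": sorted(exposed), "rights": sorted(rights),
                                 "granted_to": granted, "wildcard_attrs": "*" in attrs,
                                 "broad": any(dn in BROAD_BINDS for dn in granted)})
    return findings


if __name__ == "__main__":
    for f in audit_password_acis(SAMPLE_LDIF):
        print(("BROAD " if f["broad"] else "") + f'{f["acl"]!r}: '
              f'{",".join(f["rights"])} on {",".join(f["attrs"])} -> '
              + (", ".join(f["granted_to"]) or "(no userdn clause)"))
```

Run against the posted entry, the report shows that "user manager" reaches the password attributes only because its targetattr is the wildcard (which is what the post intends for uid=uman), that "vpn info access" hands the samba hashes to uid=radius alone, and that the constructed third ACI is flagged BROAD. A deny rule is deliberately not treated as cancelling an allow: in this ACI model the deny wins at evaluation time, but the audit is meant to list every allow so that each one can be justified on its own.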
Will RHDS be better in integrating with other programs? For example the MTA, apache, etc. Does it have a built-in configuration tool for these tasks? I am using OpenLDAP and I found it is really a boring task to enable LDAP support for those programs one by one.
On 5/28/07, Luciano Rocha strange@nsk.no-ip.org wrote:
On Mon, May 28, 2007 at 08:38:02AM -0300, Martin Marques wrote:
I was looking at openldap to change my old lan that is working with NIS and NFS to have an LDAP with some secure authentication system. All this on CentOS.
Should I look at Directory server?
Directory Server has a very powerful access control mechanism[1], and supports multi-master replication.
However, openldap has a more intelligent schema parser. Directory Server's schemas are strict ldif, and you'll need to convert most schemas to its format (samba's, bind's, etc.). It's not hard, and there are some scripts that help with that[2].
I see it has a graphical interface to configure, which is pretty good (haven't seen anything like that in LDAP).
Fedora Directory Server 1.0.x includes the graphical admin console; the new 1.1.x, following FHS and using the system's packages (like dbx, nss, nspr), didn't last time I checked. But it's a work in progress, so that might have changed in the meantime.
But I haven't used the graphical console, so I can't comment about that.
I'm using FDS for replicated dns, users and dhcp servers, and also for an internal Xen control script that uses ldap.
If you want to store only user information, without replication, then openldap is good enough.
[1] Here are ACIs that I'm using, that allow a specific user to change all users' passwords (including for samba), and another specific user to read them:
# Users
dn: ou=Users, dc=dc, dc=aeiou, dc=pt
ou: Users
objectClass: top
objectClass: organizationalUnit
aci: (target="ldap:///uid=*,ou=Users,dc=sample,dc=com")(targetattr=*) (version 3.0;acl "user manager"; allow (read,write,add,delete,search,compare) userdn="ldap:///uid=uman,ou=Users,dc=sample,dc=com";)
aci: (targetattr="sambaLMPassword || sambaNTPassword")(version 3.0;acl "vpn info access"; allow (read,search,compare) userdn="ldap:///uid=radius, ou=Users,dc=sample,dc=com"; deny (read,search,compare) (userdn!="ldap:///uid=radius,ou=Users,dc=sample,dc=com" and userdn!="ldap:///uid=uman,ou=Users,dc=sample,dc=com");)
[2] http://directory.fedoraproject.org/download/ol-schema-migrate.pl
-- lfr 0/0
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On Mon, May 28, 2007 at 10:48:48PM +0800, Wei Yu wrote:
Will RHDS be better in integrating with other programs? For example the MTA, apache, etc. Does it have a built-in configuration tool for these tasks?
No, not that I'm aware of.
I am using OpenLDAP and I found it is really a boring task to enable LDAP support for those programs one by one.
If there are any utilities for Directory Server, then they should work also for OpenLDAP. Only schema and very low-level functions like replication configuration would be dependent on the server.
Wei Yu wrote:
Will RHDS be better in integrating with other programs? For example the MTA, apache, etc. Does it have a built-in configuration tool for these tasks?
Speaking of apache, is there some reason mod_auth_pam or some variation isn't standard in distributions where pam is the system authentication method? Shouldn't you configure PAM instead of every individual program?
I typically like having my website auth separate from my system auth -- more often than not, the web users have nothing to do with the people that administer the machine.
On 5/28/07, Les Mikesell lesmikesell@gmail.com wrote:
Wei Yu wrote:
Will RHDS be better in integrating with other programs? For example the MTA, apache, etc. Does it have a built-in configuration tool for these tasks?
Speaking of apache, is there some reason mod_auth_pam or some variation isn't standard in distributions where pam is the system authentication method? Shouldn't you configure PAM instead of every individual program?
-- Les Mikesell lesmikesell@gmail.com
Gary Richardson wrote:
Will RHDS be better in integrating with other programs? For example the MTA, apache, etc. Does it have a built-in configuration tool for these tasks?
Speaking of apache, is there some reason mod_auth_pam or some variation isn't standard in distributions where pam is the system authentication method? Shouldn't you configure PAM instead of every individual program?
I typically like having my website auth separate from my system auth - more often than not, the web users have nothing to do with the people that administer the machine.
PAM provides different authentication and account schemes, so you can easily check passwords for things like web services without providing login accounts. Or, if it is an intranet providing many services for the same set of users you can combine them if you want. The point is that it gives you a common way to configure authentication/authorization and to combine multiple methods, like using local accounts in addition to one or more network schemes.
Could you give more details? I am not familiar with PAM. I know it can use some "plugged" auth methods to do some job, but I do not know which plug is suitable. What I want is just like Richardson's remarks. I want to use two auth methods for web users and users who can have a shell, where the former will care less about the security of the password, e.g. two different passwords for them. I do want to know if there are better solutions.
Regards, Wei Yu
On 5/29/07, Les Mikesell lesmikesell@gmail.com wrote:
Gary Richardson wrote:
Will RHDS be better in integrating with other programs? For example the MTA, apache, etc. Does it have a built-in configuration tool for these tasks?
Speaking of apache, is there some reason mod_auth_pam or some variation isn't standard in distributions where pam is the system authentication method? Shouldn't you configure PAM instead of every individual program?
I typically like having my website auth separate from my system auth - more often than not, the web users have nothing to do with the people that administer the machine.
PAM provides different authentication and account schemes, so you can easily check passwords for things like web services without providing login accounts. Or, if it is an intranet providing many services for the same set of users you can combine them if you want. The point is that it gives you a common way to configure authentication/authorization and to combine multiple methods, like using local accounts in addition to one or more network schemes.
-- Les Mikesell lesmikesell@gmail.com
Wei Yu wrote:
Could you give more details? I am not familiar with PAM. I know it can use some "plugged" auth methods to do some job, but I do not know which plug is suitable.
If you are running Centos, all of your system authentication is probably being done by PAM for all programs that take a login and password except for apache. If you run 'authconfig' you can set one or more methods that are then used by everything. However, each service may still be configured separately. If you look in the /etc/pam.d directory you will see a file for each service that contains the steps to follow. The references to system-auth include the list built by authconfig - but you can change it per file if you want.
What I want is just like Richardson's remarks. I want to use two auth methods for web users and users who can have a shell, where the former will care less about the security of the password, e.g. two different passwords for them. I do want to know if there are better solutions.
If you really want your web access to be separate, PAM may not be the way to go. Apache has a large number of internal authentication and authorization modules that can be used instead. However, if you want to combine them, you can install the mod_auth_pam apache module and use a /etc/pam.d/httpd file like:
#%PAM-1.0
auth       required     pam_stack.so service=system-auth
account    required     pam_permit.so
This uses the set of steps configured by authconfig to check a login/password pair but does not require any account info. In my case I have smb authentication against a windows domain plus local linux accounts configured for the system. (The local account access requires making the /etc/shadow file readable by apache which is a downside). This lets anyone in the windows domain log in for web services but services like ssh or other login facilities will require account entries that won't exist unless I add users to the system. In the latter case, either the domain or local passwords will work.
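To see what a per-service file like the /etc/pam.d/httpd above actually does once pam_stack.so service=system-auth is expanded, here is an added Python example (not from Les's post, and not a tool shipped by any distribution). It resolves pam_stack.so and include references against an in-memory, constructed stand-in for /etc/pam.d, returns the effective stack for each management group, and reports the two points made above: an account stack consisting only of pam_permit.so applies no account restrictions, and pam_unix.so in the auth stack means the calling service needs to read /etc/shadow. As an extra check not discussed on the page, it also flags pam_unix.so nullok. The system-auth and sshd files, and the pam_smb_auth.so line standing in for the Windows-domain step, are constructed sample content.

```python
import re

GROUPS = ("auth", "account", "password", "session")

# One PAM line: type, control (a word or a [bracketed] list), module, optional args.
LINE_RE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

# Constructed stand-in for /etc/pam.d.  "httpd" is the file posted above; "system-auth"
# resembles an authconfig-built stack with local accounts plus SMB domain auth.
PAMD = {
    "system-auth": """\
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_smb_auth.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
password    requisite     pam_cracklib.so retry=3
password    sufficient    pam_unix.so md5 shadow nullok
password    required      pam_deny.so
session     required      pam_limits.so
session     required      pam_unix.so
""",
    "httpd": """\
#%PAM-1.0
auth       required     pam_stack.so service=system-auth
account    required     pam_permit.so
""",
    "sshd": """\
#%PAM-1.0
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
session    required     pam_loginuid.so
session    include      system-auth
""",
}


def effective_stack(pamd, service, _seen=frozenset()):
    """Flatten one service's configuration.  Both the `include`/`substack` controls
    and the older pam_stack.so service=NAME module pull in the same-type lines of the
    named file.  Returns {group: [(control, module, args)]}."""
    if service in _seen:
        raise ValueError(f"include loop via {service!r}")
    if service not in pamd:
        raise KeyError(f"no PAM service file for {service!r}")
    seen = _seen | {service}
    stack = {g: [] for g in GROUPS}
    for raw in pamd[service].splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"{service}: cannot parse {line!r}")
        group, control, module, args = m.groups()
        group = group.lstrip("-").lower()            # leading '-': ignore if module missing
        if group not in stack:
            raise ValueError(f"{service}: unknown management group {group!r}")
        if control in ("include", "substack"):
            stack[group].extend(effective_stack(pamd, module, seen)[group])
        elif module == "pam_stack.so":
            opts = dict(a.split("=", 1) for a in args.split() if "=" in a)
            stack[group].extend(effective_stack(pamd, opts["service"], seen)[group])
        else:
            stack[group].append((control, module, args.strip()))
    return stack


def lint(pamd, service):
    """Return human-readable findings about the effective stack of `service`."""
    stack = effective_stack(pamd, service)
    findings = []
    account = stack["account"]
    if account and all(mod == "pam_permit.so" for _, mod, _ in account):
        findings.append("account: only pam_permit.so, so expiry, nologin and other "
                        "account restrictions are never checked (password-only service)")
    for _, mod, args in stack["auth"]:
        if mod == "pam_unix.so":
            findings.append("auth: pam_unix.so checks /etc/shadow; a non-root service "
                            "verifying other users' passwords needs read access to it")
            if "nullok" in args.split():
                findings.append("auth: pam_unix.so nullok accepts accounts whose "
                                "password field is empty")
    return findings


if __name__ == "__main__":
    for svc in ("httpd", "sshd"):
        print(f"== {svc} ==")
        for group, lines in effective_stack(PAMD, svc).items():
            for control, mod, args in lines:
                print(f"  {group:9} {control:10} {mod} {args}".rstrip())
        for finding in lint(PAMD, svc):
            print("  !", finding)
```

For the httpd file the expanded auth group is the four system-auth lines and the account group is the single pam_permit.so, which is exactly the "check a login/password pair but do not require any account info" behaviour described above; sshd, by contrast, keeps pam_nologin.so and the system-auth account checks, so the permit-only finding does not fire for it.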
I see. In summary, PAM is still difficult for using two passwords for two different ways, right? I will try to read more about PAM to see if so. Thanks.
On 5/30/07, Les Mikesell lesmikesell@gmail.com wrote:
Wei Yu wrote:
Could you give more details? I am not familiar with PAM. I know it can use some "plugged" auth methods to do some job, but I do not know which plug is suitable.
If you are running Centos, all of your system authentication is probably being done by PAM for all programs that take a login and password except for apache. If you run 'authconfig' you can set one or more methods that are then used by everything. However, each service may still be configured separately. If you look in the /etc/pam.d directory you will see a file for each service that contains the steps to follow. The references to system-auth include the list built by authconfig - but you can change it per file if you want.
What I want is just like Richardson's remarks. I want to use two auth methods for web users and users who can have a shell, where the former will care less about the security of the password, e.g. two different passwords for them. I do want to know if there are better solutions.
If you really want your web access to be separate, PAM may not be the way to go. Apache has a large number of internal authentication and authorization modules that can be used instead. However, if you want to combine them, you can install the mod_auth_pam apache module and use a /etc/pam.d/httpd file like:
#%PAM-1.0
auth       required     pam_stack.so service=system-auth
account    required     pam_permit.so
This uses the set of steps configured by authconfig to check a login/password pair but does not require any account info. In my case I have smb authentication against a windows domain plus local linux accounts configured for the system. (The local account access requires making the /etc/shadow file readable by apache which is a downside). This lets anyone in the windows domain log in for web services but services like ssh or other login facilities will require account entries that won't exist unless I add users to the system. In the latter case, either the domain or local passwords will work.
-- Les Mikesell lesmikesell@gmail.com
Wei Yu wrote:
I see. In summary, PAM is still difficult for using two passwords for two different ways, right? I will try to read more about PAM to see if so. Thanks.
It isn't that you can't use it that way but there isn't much point. The idea is for PAM to provide a common way to configure multiple services to use the same method(s). If you configure one service to use one different method that the service can do directly, PAM is just an unnecessary layer.
Yes, that is what I want to do. But a little difference is that I want two different auth layers (one less frequently used than the other), not one. Only one layer is not enough, but one for each application is too many. I want a trade-off between security and convenience, for some of the users always like to store their commonly used password carelessly. However, I do not know if I am going on the right way.
Regards, Wei Yu
On 5/30/07, Les Mikesell lesmikesell@gmail.com wrote:
Wei Yu wrote:
I see. In summary, PAM is still difficult for using two passwords for two different ways, right? I will try to read more about PAM to see if so. Thanks.
It isn't that you can't use it that way but there isn't much point. The idea is for PAM to provide a common way to configure multiple services to use the same method(s). If you configure one service to use one different method that the service can do directly, PAM is just an unnecessary layer.
-- Les Mikesell lesmikesell@gmail.com
Wei Yu wrote:
Yes, that is what I want to do. But a little difference is that I want two different auth layers (one less frequently used than the other), not one. Only one layer is not enough, but one for each application is too many. I want a trade-off between security and convenience, for some of the users always like to store their commonly used password carelessly. However, I do not know if I am going on the right way.
For apache only, look through the mod_auth_* modules documented here: http://httpd.apache.org/docs/2.0/mod/. (or 2.2 if you are running Centos5). mod_auth_dbm is fast for a single machine - if you have a network farm you'd probably want LDAP. There are also other 3rd party modules. Here's a discussion of mod_auth_pam that I found with google: http://rc.vintela.com/topics/apache/mod_pam/
Luciano Rocha wrote:
There's also a new package being developed in extras. You'll require:
- fedora-ds-base
- icu
- svrcore
- mozldap
- perl-Mozilla-LDAP
- nspr
- nss
The installer in that package is ds_newinst.pl, and requires a file argument with something like:
[General]
FullMachineName=`hostname`
SuiteSpotUserID=nobody
ServerRoot=/usr/lib/fedora-ds
[slapd]
ServerPort=389
ServerIdentifier=`hostname -s`
Suffix=dc=example,dc=com
RootDN=cn=Directory Manager
RootDNPwd=clear_text_password
Is it possible to make this synchronize accounts with an active directory server and maintain the same password in both the samba and posix accounts for the same user?
On Mon, May 28, 2007 at 11:51:43AM -0500, Les Mikesell wrote:
Is it possible to make this synchronize accounts with an active directory server and maintain the same password in both the samba and posix accounts for the same user?
There's documentation about that, but I haven't tried it: http://directory.fedoraproject.org/wiki/Howto:WindowsSync
Luciano Rocha wrote:
On Mon, May 28, 2007 at 11:51:43AM -0500, Les Mikesell wrote:
Is it possible to make this synchronize accounts with an active directory server and maintain the same password in both the samba and posix accounts for the same user?
There's documentation about that, but I haven't tried it: http://directory.fedoraproject.org/wiki/Howto:WindowsSync
I thought that the last time I looked at this it didn't sync the posix account schema.