Authentication of user accounts using LDAP

Contributed by jose on 2002-10-27 from the documentation dept.

Josh Steele writes:

"Good article/how-to for those interested:
http://www.webdaemons.org/~jamesp/openbsd_ldap.shtml "

I'm sure a lot of people with big sites who use LDAP will be happy to see this. A much easier way to coordinate logins.

(Comments are closed)

Comments

By Jeroen () on 2002-10-27 16:21

login_ldap might me interesting: http://www.ifost.org.au/~peterw

You still need entries in /etc/passwd because OpenBSD lacks nsswitch. Means double work, just like in the tutorial above :(
By blackmage () on 2002-10-27 17:41

not a recent article.

see login_ldap if you want do it directly.

or best kerberos for auth and LDAP for the rest.
By Anonymous Coward () on 2002-10-27 18:29

Duh. This is already on deadly.org. See http://www.deadly.org/article.php3?sid=20020421193332
By click46 () click46@operamail.com on 2002-10-27 20:06 www.genmay.net

...but why would one want to use LDAP? I'll admit I know barely anything about LDAP [I keep forgetting what the A stands for...heh] but whenever I come across an article about it, I've never gone "oh snap, now that would be cool". So tell me, why should someone use LDAP?
Comments
1. By Anonymous Coward () on 2002-10-27 20:31
  
  cause that would be cool. ;-)
2. By Anonymous Coward () on 2002-10-27 20:32
  
  cause that would be cool. ;-) Doh, screwed up on the /i
3. By atmos () on 2002-10-27 22:17
  
  http://www.openldap.org might help. It's just the nicities of centralized authentication, easier then maintaining passwd files on multiple boxes. Say you have a box running authpf acting as a wireless gateway. You also have an LDAP server handling your user map for the unix systems on your network. You could use your network wide logins to authenticate on the authpf machine, and it's less of a pain for the administrator and the user. If you were looking to do something like that, you might say "oh snap, now that would be cool."
  Comments
  1. By click46 () click46@operamail.com on 2002-10-28 03:46 mailto:click46@operamail.com
    
    but don't "directory" serivces have a lot more "fat" that just simple user authentication? I mean, technically I can do that with PAM and pgsql ;)
    
    /me reads openldap.org
    
    Comments
    
    By Peter () pboosten@hotmail.com on 2002-10-28 06:24 mailto:pboosten@hotmail.com
    
    That's because one can do much more with LDAP: I use it for authentication of my users for Linux, OpenBSD, FreeBSD, Apache, Squid, Sendmail plus I have a uptodate company phonebook.
    
    All my users are created once (well, actually, their accounts are created once :-D ).
    
    Peter
    
    Comments
    
    By click46 () click46@operamail.com on 2002-10-29 03:33 www.genmay.net
    
    ahh, but thats exactly my point. If I have no need for a company phonebook, then I can use pgsql and PAM to authenticate for Leenux, BSD, apache, squid, sendmail, ad nausem... without the phonebook "fat" :D
    
    Comments
    
    By Strog () on 2002-10-29 14:17
    
    psql isn't any lighter. Sure, you could do it either way. LDAP is a very flexible solution when combined with strong auth solutions. I think it has fairly untapped potential. I think Novell and Microsoft had the right idea with Directory Services. I might not necessarily agree with implementations but they are good. You can do so much more than user info and phone book.
    
    By Anonymous Coward () on 2002-10-29 16:16
    
    In a network under a couple hundred users, yeah LDAP is probably overkill. But in a large heterogenous network, it makes a lot of sense. Having a hierarchical directory to manage authentication, network mounts, printer services, user and machine groups, a contacts directory, etc. etc. all in one place can significantly decrease the costs of administration and support in a large enterprise or academic environment.
    Additionally, in an enterprise environment, commercial support is important. And LDAP is where many of the big vendors are going.
    
    At a lot of places with a strong unix userbase, NIS has been the standard for years for this purpose. In my experience, LDAP is increasingly becoming the solution to which many of these shops migrate.
    
    By atmos () on 2002-10-29 17:09
    
    pgsql suport ssl, that's a feature I'm quite fond of.
    
    Comments
    
    By atmos () on 2002-10-29 17:11
    
    err. I'm retarded, but does pgsql support ssl? that's what i meant to type there, but clicked submit without reading what I had typed. OpenLDAP's TLS/SSL stuff would be a reason I'd take LDAP over a DBMS.
    
    Comments
    
    By click46 () click46@operamail.com on 2002-10-29 18:37 www.genmay.net
    
    yes, it does support TLS/SSL
    
    By Dan () anonymous@coward.com on 2002-10-29 17:41 mailto:anonymous@coward.com
    
    But you cannot buy off-the-shelf products which have support for PGSQL authentication. LDAP is an Internet standard, SQL is not. LDAP schema is an Internet standard, SQL schema is not. Many products support LDAP authentication and management without the need for PAM or other middleware. Furthemore, LDAP is an electronic equivalent of Rolodex, much more suitable for managing people information than a relational database. And did I mention that many applications support it out of the box?
    
    Comments
    
    By Lars Hansson () lars@unet.net.ph on 2002-11-05 03:43 mailto:lars@unet.net.ph
    
    LDAP is a protocol, SQL is a languate.
    You're all comparing apples and oranges.
    It would be perfectly possible to create a LDAP server that uses postgresql, mysql or what-have-you as a backend. OpenLDAP uses berkeleydb as a backend.
    LDAP and SQL (or more correct relational databases) are not mutually exlusive but could, and often is, part of a bigger solution. You could, for example, have an LDAP server with a relational backend coupled with a kerberos server with an LDAP backend.
    
    SQL /is/ a standard btw.
By mra () on 2002-10-29 16:33

I've been interested in deploying an LDAP based auth system but everytime I find documentation on how to go about doing it always seems to say: "Get a RadHat box runnning OpenLDAP and FreeRADIUS."

Maybe it's just me, but I'd like to keep Linux, and RedHat even moreso, far away from my Authentication structure. There is a reason why I run OpenBSD :)

I was looking through the ports tree and saw two different RADIUS servers; lucent and cistron. Is there any reason why one should not be using these servers?
By Dichque () dichque@indiatimes.com on 2002-11-04 13:14 mailto:dichque@indiatimes.com

Am waiting for long time hoping obsd would include some kind of PAM support.

Any idea why the obsd guys decided not to go with PAM ??

Thanks for the link ..

dichque

Latest Articles

Thu, Apr 18
- 05:05 Coming soon to a -current system near you: parallel raw IP input (0)
Wed, Apr 17
- 05:33 In -current, default write format for tar(1) changed to "pax" (10)
Wed, Apr 10
- 18:50 OpenSMTPD 7.5.0p0 Released (2)
Tue, Apr 09
- 04:49 20 years since "and we're just starting": undeadly.org turns 20 (2024-04-09) (13)
Fri, Apr 05
- 06:16 OpenBSD 7.5 released (3)
Thu, Mar 28
- 18:18 LibreSSL 3.8.4 and 3.9.1 released (0)
Tue, Mar 12
- 06:53 OpenSSH 9.7/9.7p1 released! (0)
Mon, Mar 11
- 11:28 Game of Trees 0.97 released (0)
Sun, Mar 10
- 09:06 LibreSSL versions 3.8.3 and 3.9.0 released (0)

Credits

Copyright © 2004-2008 Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to April 2nd 2004 as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]