On Tue, Mar 05, 2002 at 09:50:07AM +0100, Soeren Schroeder wrote:
>
> >Perhaps I am missing something obvious? If someone has done this and can
> >point me in the right direction, it would be much appreciated.
>
> A workaround is installing ypldapd:
> http://www.padl.com/ldap-nis_gateway.html
> A nis server on top of ldap. Works like a charm !
> Then all your deamons works out of the box. We tried PAM LDAP and ditched it.

If you are worried about security, I would not recommend running NIS. The
combination of the FreeBSD integrated NIS client, together with pam_ldap.so
running over LDAP/SSL, may be a more acceptable solution in terms of security.

This way, the function which would normally be served by nss_ldap is served
instead by the FreeBSD ypbind and ypldapd. pam.conf and the LDAP backend ACLs
can be tightened so as to ensure password authentication only ever happens
over an SSL session. Client side certificates can be used if one wishes to
verify the identity of machines binding to a DN with privileges to do password
authentication, or SASL can be used with users binding to their own DN in
order to authenticate to each system.

BMS

To Unsubscribe: send mail to majordomoFreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]