April 06, 2003
LDAP and PAM
Tags: R&D

I've done some more testing of OpenLDAP, and have found that FreeBSD's lack of a flexible name-service switch might be a significant limitation in LDAP's usefulness.

FreeBSD 4's limited PAM support presents additional problems. While a pam_ldap module does exist and can be used to authenticate most services, programs such as passwd(1) are not PAM-aware, so they can neither authenticate against an LDAP directory nor change password information stored in one.

FreeBSD 5 has somewhat better support for LDAP. passwd(1) has LDAP support, but there is still no name-service support for LDAP, so UIDs and GIDs cannot be mapped to usernames after authentication. What this means is that while LDAP can be used to log in (authentication), it cannot be used to determine ownership of files (authorization).

These limitations could be worked around by creating a set of scripts to synchronize an NIS map from an LDAP directory, and having the authorization functions (name and UID/GID lookups) go through NIS rather than LDAP. Since passwords are only required during authentication, no password information need be stored in the NIS map, which would significantly improve its security: a client that can dump the map learns names and IDs, but no hashes to attack.
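As an added illustration of that workaround (this is example code written for this post, not the "ldap2nis" script mentioned in the comments or any PADL tool), the following converts posixAccount and posixGroup entries from an LDIF dump into NIS passwd and group map source lines. The LDIF is constructed sample data, the directory layout (ou=People, ou=Group under dc=example,dc=org) is assumed, and the password field is always written as `*` so that no userPassword value ever reaches the map. Values that would break the colon-separated map format are rejected rather than silently emitted.

```python
"""Build NIS passwd/group map sources from an LDAP directory export
without copying password hashes (example for this post; not ldap2nis)."""

import base64

NO_PASSWORD = "*"  # can never match a hash, so NIS is lookup-only

# Constructed sample LDIF; the userPassword value is a placeholder,
# not a real hash, and must not appear in the output.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: alice
uidNumber: 1001
gidNumber: 1001
cn: Alice Example
homeDirectory: /home/alice
loginShell: /bin/sh
userPassword: {SSHA}placeholder-hash-not-a-real-value

dn: uid=bob,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: bob
uidNumber: 1002
gidNumber: 1001
cn:: Qm9iIMOWc3Rlcg==
homeDirectory: /home/bob
loginShell: /bin/csh

dn: cn=staff,ou=Group,dc=example,dc=org
objectClass: posixGroup
cn: staff
gidNumber: 1001
memberUid: alice
memberUid: bob
"""


def parse_ldif(text):
    """Return a list of entries; each entry maps a lower-cased attribute
    name to the list of its values. Handles folded lines and the
    '::' base64 form that LDIF uses for non-ASCII values."""
    entries = []
    for chunk in text.strip().split("\n\n"):
        lines = []
        for line in chunk.splitlines():
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]  # continuation of previous line
            elif line and not line.startswith("#"):
                lines.append(line)
        entry = {}
        for line in lines:
            attr, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries


def _field(entry, attr, numeric=False):
    """Single value of attr, refusing anything that would corrupt the
    map format (a colon or newline could inject a second record)."""
    values = entry.get(attr.lower(), [])
    if len(values) != 1:
        raise ValueError("%s: need exactly one %s" % (entry["dn"][0], attr))
    value = values[0]
    if ":" in value or "\n" in value or (numeric and not value.isdigit()):
        raise ValueError("%s: bad value for %s" % (entry["dn"][0], attr))
    return value


def _has_class(entry, name):
    return name.lower() in [c.lower() for c in entry.get("objectclass", [])]


def passwd_map(entries):
    """passwd.byname lines: name:passwd:uid:gid:gecos:home:shell.
    userPassword is never read; authentication stays with LDAP/PAM."""
    out = []
    for e in entries:
        if not _has_class(e, "posixAccount"):
            continue
        out.append(":".join([
            _field(e, "uid"), NO_PASSWORD,
            _field(e, "uidNumber", numeric=True),
            _field(e, "gidNumber", numeric=True),
            _field(e, "cn"), _field(e, "homeDirectory"),
            _field(e, "loginShell")]))
    return out


def group_map(entries):
    """group.byname lines: name:passwd:gid:member,member,..."""
    out = []
    for e in entries:
        if not _has_class(e, "posixGroup"):
            continue
        out.append(":".join([
            _field(e, "cn"), NO_PASSWORD,
            _field(e, "gidNumber", numeric=True),
            ",".join(e.get("memberuid", []))]))
    return out


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    print("\n".join(passwd_map(parsed)))
    print("\n".join(group_map(parsed)))
```

In practice the LDIF would come from `ldapsearch` (or `slapcat` on the master), and the output would be fed to the NIS Makefile as the passwd and group sources. The point of the `*` field and of never reading userPassword is that a compromised or merely curious NIS client gets the same data `ls -l` needs, and nothing it could run a password cracker against.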

Red Hat Linux has complete support for LDAP. With the nss_ldap package from PADL, ldap can be listed as a source in the nsswitch.conf(5) file, in the same manner as NIS and the other name-lookup facilities are today. Presumably other Linux distributions, System V-based Unixes such as HP-UX, and commercial BSDs such as AIX have similar methods of adding LDAP support.

Posted by at April 06, 2003 03:40 PM, updated 08:31 PM April 06, 2003
Comments

The export-to-NIS from LDAP is, indeed, the plan that we will be going with. We're currently doing something similar using /etc/passwd as the source (exporting a subset of accounts within SHANTI's password file). I have a prototype "ldap2nis" script working.

The one hitch about the password information is that Russell Calendar Manager still requires encrypted passwords in either the NIS map or the local password file -- it's not PAM-enabled. Until we have a new calendaring system for those people that use RCM, we need to keep at least some encrypted passwords in the NIS map.

Posted by: littejo on April 14, 2003 07:09 PM