[tech] manbo, ldap, stuff

James Andrewartha trs80 at ucc.gu.uwa.edu.au
Tue Feb 20 16:28:51 WST 2007


On Tue, 20 Feb 2007, Matt Johnston wrote:

> On Tue, Feb 20, 2007 at 03:50:20PM +0900, James Andrewartha wrote:
>> Alternatively, we could put dropbear on a different port and people who
>> wanted public-key authentication could use that, or Matt could add LDAP
>> auth directly to dropbear and we could turn off Sun's sshd ;-) See
>> http://opensolaris.org/jive/thread.jspa?threadID=614&tstart=0 for details
>> on the SSH problem.
>
> I assume we'd need to use PAM? PAM is awful for network apps that use a 
> single event loop, since the conversation function is expected to be a 
> callback that can write questions directly to the user (or similar). 
> Nothing implements the proposed asynch conversation function extension. 
> I'm not touching that.

No, the Solaris pam_ldap is the problem here - I'm talking about linking
directly against libldap and binding yourself. It wouldn't be much code,
just calling ldap_open(3) then checking the result of ldap_bind_s(3).

>> Ultimately it depends on what the goals for LDAP are - one password to
>> rule them all, or just conversion to a more modern and secure
>> authentication scheme. If it's the latter and people are ok with having
>> the Windows/Unix password split, then none of the above hackery is
>> necessary. Please respond with your thoughts on the matter.
>
> No one ever changes their passwords at UCC afaik, except when
> they're forgotten or wheel people run John and lock
> accounts for shoddy passwords. Maybe just a secure.ucc webpage
> for changing passwords would be simplest?

Sure, if someone else wants to write it. At least with LDAP it will be 
easy for wheel members to set passwords instead of editing 
/var/yp/src/passwd and so on.

> Maybe we should try to integrate pw checking into the account creation 
> script too.

cpu-ldap (which is what the user creation script uses) is linked with
cracklib on Debian and will check the strength of the password, although I 
haven't actually tested it.

> Personally I think pubkey auth is more useful than easily changed 
> passwords from everywhere.

Yeah, that's why I haven't just gone with OpenLDAP. But if we can do both ...

-- 
# TRS-80              trs80(a)ucc.gu.uwa.edu.au #/ "Otherwise Bub here will do \
# UCC Wheel Member     http://trs80.ucc.asn.au/ #|  what squirrels do best     |
[ "There's nobody getting rich writing          ]|  -- Collect and hide your   |
[  software that I know of" -- Bill Gates, 1980 ]\  nuts." -- Acid Reflux #231 /
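Added example (not code from the thread or from dropbear): the "link against libldap and bind as the user" check James describes above, with the one guard a practitioner would want around it. An LDAP simple bind with an empty password is an unauthenticated (anonymous) bind that servers commonly answer with LDAP_SUCCESS (RFC 4513 section 5.1.2), so a plain "did ldap_bind_s succeed" test accepts a blank password for any user. The bind call is a parameter so the real client call (libldap's ldap_bind_s, or ldap_sasl_bind_s in current OpenLDAP) can be supplied; the FakeDirectory class, the base DN and the account data are constructed stand-ins so the file runs offline.

```python
"""Password check by LDAP simple bind, with the empty-password guard.

Added example, not from the original message. FakeDirectory, BASE_DN and the
account below are constructed test data; `bind` is whatever client call you
actually use (the thread mentions libldap's ldap_bind_s).
"""
from __future__ import annotations
from typing import Callable, Dict

# resultCode values from RFC 4511
LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49

# bind(dn, password) -> LDAP resultCode
BindFn = Callable[[str, str], int]

# RFC 4514 section 2.4: characters that need a backslash inside a DN value
_DN_SPECIAL = {'\\', ',', '+', '"', '<', '>', ';', '='}


def escape_dn_value(value: str) -> str:
    """Escape a string for use as an attribute value in a DN (RFC 4514 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == '\x00':
            out.append('\\00')
        elif ch in _DN_SPECIAL:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:
            out.append('\\#')
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')
        else:
            out.append(ch)
    return ''.join(out)


class FakeDirectory:
    """Constructed stand-in for an LDAP server.

    Models the RFC 4513 rule that matters here: a bind with an empty password
    is an unauthenticated bind and returns success rather than invalidCredentials.
    """

    def __init__(self, passwords: Dict[str, str]):
        self._passwords = passwords  # DN -> password (constructed test data)

    def bind(self, dn: str, password: str) -> int:
        if password == "":
            return LDAP_SUCCESS  # anonymous bind: not an authentication
        if self._passwords.get(dn) == password:
            return LDAP_SUCCESS
        return LDAP_INVALID_CREDENTIALS


def naive_check(bind: BindFn, base_dn: str, username: str, password: str) -> bool:
    """Just 'check the result of ldap_bind_s': accepts a blank password."""
    dn = f"uid={username},{base_dn}"
    return bind(dn, password) == LDAP_SUCCESS


def check_password(bind: BindFn, base_dn: str, username: str, password: str) -> bool:
    """Hardened form of the same check."""
    # 1. Never send an empty password: the server would treat the bind as anonymous.
    if not password:
        return False
    # 2. Refuse control characters in the username and escape it before building the DN,
    #    so a crafted login name cannot change which entry we bind as.
    if not username or any(ord(c) < 0x20 for c in username):
        return False
    dn = f"uid={escape_dn_value(username)},{base_dn}"
    # 3. Only LDAP_SUCCESS on a non-empty password counts as authenticated.
    return bind(dn, password) == LDAP_SUCCESS


# Constructed sample directory (hypothetical base DN and account)
BASE_DN = "ou=People,dc=example,dc=org"
DIRECTORY = FakeDirectory({f"uid=trs80,{BASE_DN}": "correct horse"})


def demo() -> Dict[str, bool]:
    """Compare both checks against the sample directory."""
    b = DIRECTORY.bind
    return {
        "naive_blank_password": naive_check(b, BASE_DN, "trs80", ""),       # True: bypass
        "hardened_blank_password": check_password(b, BASE_DN, "trs80", ""),  # False
        "hardened_right_password": check_password(b, BASE_DN, "trs80", "correct horse"),
        "hardened_wrong_password": check_password(b, BASE_DN, "trs80", "wrong"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

With a real client, keep the same shape: reject the empty password before the bind, build the DN from an escaped username (or look the DN up with a service account first), and unbind the connection afterwards so the authenticated session is not reused for other work.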
