Post by K Venken
Would nss_ldap be a solution? Otherwise, NIS is still available.
Post by Clark Smith
Isn't that for authorization, rather than authentication? I was
under the impression that the NSS stuff (NIS being one of the backends
that NSS can use) kicks in after a given user has been successfully
Post by Henrik Carlqvist
NIS is able to serve a passwd map to NIS clients which will use that map
to authenticate users at login. Once logged in NIS is also able to serve
a group map to authorize the users to different unix groups.
I haven't used LDAP myself for these purposes but think that you can do
the same with LDAP.
Post by Clark Smith
You can definitely do that with LDAP - I did not know you could
also do it with NIS. Thanks.
I actually worked on a system that did something like this with LDAP.
The user authenticated to the ldap server and got given back a token that
encoded a time-to-live and a bitfield that provided their authorisation
level (users could be 'status', 'user', 'admin', etc). The ldap
server was wrappered by some java technology and the exchange between
the linux system and the ldap server was by xml SOAP documents.
So the user sent a request soap doc with his id and credentials,
and got back a token that encoded the auth rights and a time-to-live;
after the TTL expires he has to renew the token.
However, we wrote a custom system on the linux machine that recognised the
tokens and performed the appropriate checks to facilitate user logins.
So this is certainly not a standard part of linux. But hopefully this gives
some idea of how such a system can work.
It can be a very powerful approach, in that a set of users can be managed
from a central ldap database, and their access to a large number of
machines controlled in this way; it's really what used to be called
"enterprise" level tech.
Gnd -|o----|- Vcc Hey computer, what's the weather in Sydney?
trig -| 555 |- dschrg $> finger o:***@graph.no|tail -1|espeak
o/p -| |- thrsh
rst -|-----|- cntrl Steve555
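
The token scheme described in the post above (a time-to-live plus an authorisation bitfield, checked on the Linux host), as an added example that is not part of the original post or the system it describes. The token layout, the HMAC-SHA256 integrity tag, the role bit values and the function names are all assumptions; the post does not say how its tokens were encoded or protected.

```python
import base64
import hashlib
import hmac
import struct
import time

# Assumed role bits: the post names the levels but not their encoding.
STATUS, USER, ADMIN = 0x1, 0x2, 0x4
_BODY = struct.Struct("!IQI")  # uid, expiry (epoch seconds), role bitfield
_TAG_LEN = hashlib.sha256().digest_size


def issue_token(key: bytes, uid: int, roles: int, ttl: int, now=None) -> str:
    """Auth-server side: call only after the user's credentials were verified."""
    now = int(time.time()) if now is None else now
    body = _BODY.pack(uid, now + ttl, roles)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()


def check_token(key: bytes, token: str, uid: int, need: int, now=None) -> bool:
    """Login-host side: True only for an authentic, unexpired, sufficient token."""
    now = int(time.time()) if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:  # bad padding or non-ASCII input
        return False
    if len(raw) != _BODY.size + _TAG_LEN:
        return False
    body, tag = raw[:_BODY.size], raw[_BODY.size:]
    # Verify the MAC, in constant time, before trusting any field.
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False
    tok_uid, expiry, roles = _BODY.unpack(body)
    if tok_uid != uid or now >= expiry:
        return False  # wrong user, or TTL elapsed and the token must be renewed
    return (roles & need) == need  # every required role bit must be set
```

Without the integrity tag, a user could raise their own authorisation level or extend the TTL by editing the token, so the login host must reject any token whose tag does not verify.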