Linux Administration - Users in (any) database howto/why...

kitepilot at kitepilot.com
Thu Jan 1 09:24:25 MST 2009


I think that LDAP is overkill for my application.
My users will authenticate only in/for one server, and probably to either 
update a WEB site or drop/retrieve e-mail. 

Some users may have WEB sites, some users may have e-mail, some users may be 
signed up in the wireless network, and some users may have any combination 
of those services, but those details can be easily stored at the database 
level.
Even if I split some functionality among various servers.
I hope...   :)
Thanks!
Enrique 

PS: LDAP stuff:
http://www.ucalgary.ca/it/directories/identity/ldap-pam

Joe writes: 

> That is a great question. First, let me say I don't have an answer. The 
> reason I'm responding is that Postgres scares me. The reason it scares 
> me is that I have had a number of times when upgrading postgres, the DB 
> files were not compatible with the older version and it wasn't till 
> after the upgrade that I found out. Make sure that if you do use 
> postgres, that you plan to export the DB's to load files so that if you 
> do hit the upgrade issue you have a way to reload the DB. 
> 
> I have tried using ldap a number of times for what you are asking and 
> have not been successful. I tried Fedora Directory Server and it still 
> is a complex setup. I still think ldap would be the way to go, but the 
> management tools for ldap leave a bit to be desired. Also the initial 
> setup has a steep learning curve. 
> 
> My other issue with a central auth mechanism is that I want the user 
> id's and passwords to be secure going to the backend. I didn't want 
> wireshark to be able to pick up the credentials. Also, what happens when 
> the DB goes down? No one will be able to auth. 
> 
> Another problem I ran up against was having the DB admin ID/password 
> located on each client. At least the shadow file protected the passwords 
> from normal user access. I do think ldap solves this issue, but 
> configuring the ACL's is not a trivial task. 
> 
> Again, a great question and I look forward to hearing what others have done. 
> 
> kitepilot at kitepilot.com wrote:
>> OK, I've reached that (long postponed) point of my life where I *HAVE* to 
>> ditch /etc/passwd and /etc/group in favor of storing my users in a database.
>> Any database...  
>>
>> Unless there is a *COMPELLING* reason not to, I will store my users in 
>> Postgres, but I don't see why generic concepts should not be applied to 
>> *ANY* database.  
>>
>> All I find in the howto's is how to install (laundry list here), but what I 
>> need is a fairly general cookbook about how-to-configure-what to allow my 
>> machine to validate users contained in my database.
>> Most of these howto's are useless to me because I run LFS and it right there 
>> voids any reference to apt-get/yum/rpm/etc.  
>>
>> Furthermore, I want to log in with my trusted /etc/passwd - /etc/group 
>> combination when I SSH into (or console into) my machine and I want the 
>> "other" users (people hosting WEB sites and/or receiving e-mail) to be 
>> authenticated against the Postgres table.  
>>
>> So the final question is:
>> What do I need?
>> specifically, do I need PAM?  (Probably...)
>> What do I configure?  
>>
>> I don't need too many details, I just need something along the lines of:
>> You need this list of packages and you need to edit these configuration files 
>> to accomplish (fill in the blanks)
>> Lisa?   :)
>> HAPPY NEW YEAR!!!
>> Enrique
>> ---------------------------------------------------
>> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>>   