
RE: Synchronized password management ...

The reason you state for not wanting to use existing centralization schemes
is network dependencies.  While this is certainly a valid concern, most
systems have addressed this by at least providing replication for the
service, so that servers can be placed at strategic points in your network
and provide a robust fallback mechanism.  While I believe NIS does this, I
would recommend using LDAP as both your authentication and information
source (via pam-ldap & pam-nss).  The replication is done very well in
LDAP and the referral system works well for falling back to other servers.

If your WHOLE network goes down or you can't reach ANY of your replicas,
you've got far more serious problems than just being able to log in to your
boxes.  You should always have root and a couple of administrative logins which
ALWAYS reside in /etc/shadow for these situations anyway.

As you said, it is a daunting task, and one which isn't really warranted
given the resources already available.

Blake Barnett
Sr. Unix Administrator

-----Original Message-----
From: Lars Segerlund [mailto:lars.segerlund@comsys.se]
Sent: Tuesday, July 10, 2001 4:10 AM
To: pam-list@redhat.com
Subject: Synchronized password management ...


  I am about to start to hack a PAM module for unified password
management, which will handle users from a central server but update
local passwd and group files. Basically I want to centralize user
management without building network dependency for the system ( like
NIS, if it fails it fails ... ).

  I will also handle password updates on a client ( propagation );
however, before I set out on this daunting task, does anybody know of a
module which will give me this functionality?

  Now I build central user databases, which I upload and then locally
mangle passwd and group! This is done by secure remote login, but I
don't think this system is safe enough.

  Any tips from anyone? Or useful PAM modules to spy on? I have
checked out pam-ldap and pam-pwdfile and some others.

 / best regards, Lars Segerlund.
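
Added example, not part of the original e-mails: a small audit for the fallback the reply describes, checking that the emergency logins have a usable password in the local shadow file and that `files` is looked up before the directory. The account names `admin1`/`admin2`, the sample file contents and the files-first ordering policy are assumptions made for illustration.

```python
import re

# Constructed sample inputs; account names and hashes are placeholders.
NSSWITCH = """passwd: files ldap
shadow: files ldap
group:  ldap [NOTFOUND=return] files
"""
SHADOW = """root:$6$constructedsalt$constructedhash:19000:0:99999:7:::
admin1:$6$constructedsalt$constructedhash:19000:0:99999:7:::
admin2:!:19000:0:99999:7:::
"""

def nss_sources(text):
    """Map each nsswitch.conf database to its ordered list of sources."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if ":" not in line:
            continue
        db, rest = line.split(":", 1)
        rest = re.sub(r"\[[^\]]*\]", " ", rest)  # drop [STATUS=action] items
        out[db.strip()] = rest.split()
    return out

def usable_local_logins(shadow_text):
    """Accounts whose shadow entry holds a hash that is not empty or locked."""
    ok = set()
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] and fields[1][0] not in "!*":
            ok.add(fields[0])
    return ok

def audit(nsswitch_text, shadow_text, required):
    """Return findings that weaken local login during a directory outage."""
    findings = []
    for db, order in nss_sources(nsswitch_text).items():
        if db in ("passwd", "shadow", "group") and order[:1] != ["files"]:
            findings.append(f"{db}: 'files' is not the first source ({' '.join(order)})")
    usable = usable_local_logins(shadow_text)
    for name in required:
        if name not in usable:
            findings.append(f"{name}: no usable local password in shadow")
    return findings

if __name__ == "__main__":
    for finding in audit(NSSWITCH, SHADOW, ["root", "admin1", "admin2"]):
        print(finding)
```

On a real host the two strings would be read from `/etc/nsswitch.conf` and `/etc/shadow` (the latter requires root).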
