
Ray 08-16-2012 04:33 PM

Do I need separate directory instances for Linux authentication and (for example) IMAP authentication?
 
Hi,

I posted this before without getting a response. I think the question
is super simple to answer for LDAP experts. I'll try to rephrase the
question (in case it was unclear before…)


I've been googling quite a while on this topic trying all sorts of
keyword combinations and found exactly nothing.


LDAP appears to be commonplace, almost every server software I can
think of comes with an LDAP authentication module. The services that use
the directory may need to have different user bases (i.e. not every Linux
user needs to be an IMAP user also, and not every IMAP user should
automatically be able to SSH into servers).


What is the right way to achieve the above?

1) Have separate LDAP instances running, one for IMAP, the other one
for Linux authentication. As there are some users that need both IMAP
and Linux access, some users would need to be set up twice.


2) Have all users in one LDAP instance, and have different sets of
attributes for IMAP and Linux authentication. Those users with IMAP
access have their IMAP attributes filled in and those with Linux logins
have their posix account settings filled with values. Some would have
both. I do not see how to assign different passwords for the two
services for this option. Is there a way?


Are there any other options?


Cheers,
Ray


--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Stephen Ingram 08-16-2012 05:03 PM

Do I need separate directory instances for Linux authentication and (for example) IMAP authentication?
 
On Thu, Aug 16, 2012 at 9:33 AM, Ray <ray@renegade.zapto.org> wrote:
> Hi,
>
> I posted this before without getting a response. I think the question is
> super simple to answer for LDAP experts. I'll try to rephrase the question
> (in case it was unclear before…)
>
> I've been googling quite a while on this topic trying all sorts of keyword
> combinations and found exactly nothing.
>
> LDAP appears to be commonplace, almost every server software I can think of
> comes with an LDAP authentication module. The services that use the
> directory may need to have different user bases (i.e. not every Linux user
> needs to be an IMAP user also, and not every IMAP user should automatically
> be able to SSH into servers).
>
> What is the right way to achieve the above?
>
> 1) Have separate LDAP instances running, one for IMAP, the other one for
> Linux authentication. As there are some users that need both IMAP and Linux
> access, some users would need to be set up twice.
>
> 2) Have all users in one LDAP instance, and have different sets of
> attributes for IMAP and Linux authentication. Those users with IMAP access
> have their IMAP attributes filled in and those with Linux logins have their
> posix account settings filled with values. Some would have both. I do not
> see how to assign different passwords for the two services for this option.
> Is there a way?
>
> Are there any other options?

Generally the whole purpose of using a directory server (LDAP) is to
benefit from centralized and consistent configuration and
authentication. As such, most setups use the same user base for
everything (in your case IMAP access and shell logins). You just need
to point each service (login and IMAP) to your directory and filter
based on the existence of certain attributes. For example, only users
with the objectclass=mailRecipient would be allowed to log in to your
IMAP mail store. This can easily be accomplished through the
authentication system of your IMAP software (one that supports LDAP
authentication).

Steve
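Steve's suggestion is that one directory serves every service and each service applies its own search filter, for example `(&(uid=%u)(objectClass=mailRecipient))` on the IMAP side (saslauthd's `ldap_filter` setting) and `(&(uid=%u)(objectClass=posixAccount))` on the login side (sssd's `ldap_access_filter`). The following is an added example, not code from this thread or from 389 Directory Server: a minimal evaluator for RFC 4515 search filters run against three constructed entries, so you can see which account each filter admits. The entries, the function names and the `%u` substitution convention are assumptions for the example; the login name is escaped before substitution, which is the step a hand-written filter most often forgets.

```python
"""Per-service authorization against a single LDAP user base (added example)."""
import re

# Constructed sample entries. Attribute names compare case-insensitively,
# as LDAP attribute types do.
ENTRIES = [
    {"uid": ["alice"], "objectClass": ["top", "person", "posixAccount", "mailRecipient"],
     "mail": ["alice@example.org"], "uidNumber": ["1001"]},
    {"uid": ["bob"], "objectClass": ["top", "person", "posixAccount"],
     "uidNumber": ["1002"]},                        # shell account, no mailbox
    {"uid": ["carol"], "objectClass": ["top", "person", "mailRecipient"],
     "mail": ["carol@example.org"]},                # mailbox only, no POSIX account
]

# Filters as each service would carry them in its configuration (%u = login name).
IMAP_FILTER = "(&(uid=%u)(objectClass=mailRecipient))"
SSH_FILTER = "(&(uid=%u)(objectClass=posixAccount))"


def escape_filter_value(value):
    """RFC 4515 escaping so a login name cannot change the filter structure."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def _unescape(value):
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text):
    """Parse an RFC 4515 filter (and, or, not, equality, presence) into a tree."""
    tree, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def _parse(text, i):
    if i >= len(text) or text[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    op = text[i]
    if op in "&|!":
        i += 1
        kids = []
        while i < len(text) and text[i] == "(":
            kid, i = _parse(text, i)
            kids.append(kid)
        if op == "!" and len(kids) != 1:
            raise ValueError("'!' takes exactly one operand")
        if i >= len(text) or text[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return (op, kids), i + 1
    end = text.find(")", i)
    if end < 0:
        raise ValueError("unterminated simple filter")
    attr, sep, value = text[i:end].partition("=")
    if not sep or not attr:
        raise ValueError("bad simple filter %r" % text[i:end])
    return ("=", attr, value), end + 1


def matches(tree, entry):
    """Evaluate a parsed filter against one entry (caseIgnore equality only)."""
    op = tree[0]
    if op == "&":
        return all(matches(k, entry) for k in tree[1])
    if op == "|":
        return any(matches(k, entry) for k in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    if value == "*":                      # presence filter, e.g. (mail=*)
        return bool(values)
    wanted = _unescape(value).lower()
    return any(v.lower() == wanted for v in values)


def authorize(service_filter, login, entries=ENTRIES):
    """Return the single entry the service's filter selects for login, else None."""
    tree = parse_filter(service_filter.replace("%u", escape_filter_value(login)))
    hits = [e for e in entries if matches(tree, e)]
    return hits[0] if len(hits) == 1 else None   # an auth lookup needs exactly one hit


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, "imap:", authorize(IMAP_FILTER, user) is not None,
              "ssh:", authorize(SSH_FILTER, user) is not None)
```

A real directory server applies each attribute's own matching rule rather than the blanket case-insensitive comparison used here, but the shape is the same: one user base, and the objectclass (or any other attribute) that the filter requires decides which service an entry may use.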

Ray 08-16-2012 05:27 PM

Do I need separate directory instances for Linux authentication and (for example) IMAP authentication?
 
On 16.08.2012 19:03, Stephen Ingram wrote:

> On Thu, Aug 16, 2012 at 9:33 AM, Ray <ray@renegade.zapto.org> wrote:
>
>> Hi,
>>
>> I posted this before without getting a response. I think the question is
>> super simple to answer for LDAP experts. I'll try to rephrase the question
>> (in case it was unclear before…)
>>
>> I've been googling quite a while on this topic trying all sorts of keyword
>> combinations and found exactly nothing.
>>
>> LDAP appears to be commonplace, almost every server software I can think of
>> comes with an LDAP authentication module. The services that use the
>> directory may need to have different user bases (i.e. not every Linux user
>> needs to be an IMAP user also, and not every IMAP user should automatically
>> be able to SSH into servers).
>>
>> What is the right way to achieve the above?
>>
>> 1) Have separate LDAP instances running, one for IMAP, the other one for
>> Linux authentication. As there are some users that need both IMAP and Linux
>> access, some users would need to be set up twice.
>>
>> 2) Have all users in one LDAP instance, and have different sets of
>> attributes for IMAP and Linux authentication. Those users with IMAP access
>> have their IMAP attributes filled in and those with Linux logins have their
>> posix account settings filled with values. Some would have both. I do not
>> see how to assign different passwords for the two services for this option.
>> Is there a way?
>>
>> Are there any other options?
>
> Generally the whole purpose of using a directory server (LDAP) is to
> benefit from centralized and consistent configuration and
> authentication. As such, most setups use the same user base for
> everything (in your case IMAP access and shell logins). You just need
> to point each service (login and IMAP) to your directory and filter
> based on the existence of certain attributes. For example, only users
> with the objectclass=mailRecipient would be allowed to log in to your
> IMAP mail store. This can easily be accomplished through the
> authentication system of your IMAP software (one that supports LDAP
> authentication).
>
> Steve


Many thanks for these insights, Steve!

There are two more questions I have:

* Is mailRecipient defined somewhere (schema?) or are these
objectClasses free for me to choose?


* Is there a way to have separate passwords for IMAP? Specifically I
would like to run Cyrus-imap.


Cheers,
Ray


Stephen Ingram 08-16-2012 06:16 PM

Do I need separate directory instances for Linux authentication and (for example) IMAP authentication?
 
On Thu, Aug 16, 2012 at 10:27 AM, Ray <ray@renegade.zapto.org> wrote:
> On 16.08.2012 19:03, Stephen Ingram wrote:
>
>> On Thu, Aug 16, 2012 at 9:33 AM, Ray <ray@renegade.zapto.org> wrote:
>>>
>>> Hi,
>>>
>>> I posted this before without getting a response. I think the question is
>>> super simple to answer for LDAP experts. I'll try to rephrase the question
>>> (in case it was unclear before…)
>>>
>>> I've been googling quite a while on this topic trying all sorts of keyword
>>> combinations and found exactly nothing.
>>>
>>> LDAP appears to be commonplace, almost every server software I can think of
>>> comes with an LDAP authentication module. The services that use the
>>> directory may need to have different user bases (i.e. not every Linux user
>>> needs to be an IMAP user also, and not every IMAP user should automatically
>>> be able to SSH into servers).
>>>
>>> What is the right way to achieve the above?
>>>
>>> 1) Have separate LDAP instances running, one for IMAP, the other one for
>>> Linux authentication. As there are some users that need both IMAP and Linux
>>> access, some users would need to be set up twice.
>>>
>>> 2) Have all users in one LDAP instance, and have different sets of
>>> attributes for IMAP and Linux authentication. Those users with IMAP access
>>> have their IMAP attributes filled in and those with Linux logins have their
>>> posix account settings filled with values. Some would have both. I do not
>>> see how to assign different passwords for the two services for this option.
>>> Is there a way?
>>>
>>> Are there any other options?
>>
>> Generally the whole purpose of using a directory server (LDAP) is to
>> benefit from centralized and consistent configuration and
>> authentication. As such, most setups use the same user base for
>> everything (in your case IMAP access and shell logins). You just need
>> to point each service (login and IMAP) to your directory and filter
>> based on the existence of certain attributes. For example, only users
>> with the objectclass=mailRecipient would be allowed to log in to your
>> IMAP mail store. This can easily be accomplished through the
>> authentication system of your IMAP software (one that supports LDAP
>> authentication).
>>
>> Steve
>
> Many thanks for these insights, Steve!
>
> There are two more questions I have:
>
> * Is mailRecipient defined somewhere (schema?) or are these objectClasses
> free for me to choose?

mailRecipient is already defined as part of the old Netscape mail
server schemas. I'm not sure if it's included in the default 389ds or
not. Ultimately, you can roll your own schemas; however, it is not always
an easy task, and thus it is many times easier to use an already available
schema.

> * Is there a way to have separate passwords for IMAP? Specifically I would
> like to run Cyrus-imap.

No, there can only be one userpassword attribute. Out of curiosity,
why would you want your users to have to use different passwords for
each service? That sort of disposes of the whole idea of using LDAP
auth to begin with. And, yes, Cyrus-IMAP works perfectly with LDAP
authentication.

Steve

Rich Megginson 08-16-2012 07:09 PM

Do I need separate directory instances for Linux authentication and (for example) IMAP authentication?
 
On 08/16/2012 10:33 AM, Ray wrote:

> Hi,
>
> I posted this before without getting a response. I think the question
> is super simple to answer for LDAP experts. I'll try to rephrase the
> question (in case it was unclear before…)
>
> I've been googling quite a while on this topic trying all sorts of
> keyword combinations and found exactly nothing.
>
> LDAP appears to be commonplace, almost every server software I can
> think of comes with an LDAP authentication module. The services that
> use the directory may need to have different user bases (i.e. not every
> Linux user needs to be an IMAP user also, and not every IMAP user
> should automatically be able to SSH into servers).
>
> What is the right way to achieve the above?
>
> 1) Have separate LDAP instances running, one for IMAP, the other one
> for Linux authentication. As there are some users that need both IMAP
> and Linux access, some users would need to be set up twice.
>
> 2) Have all users in one LDAP instance, and have different sets of
> attributes for IMAP and Linux authentication. Those users with IMAP
> access have their IMAP attributes filled in and those with Linux
> logins have their posix account settings filled with values. Some
> would have both.

This is the usual way to handle this.

> I do not see how to assign different passwords for the two services
> for this option.


Why do you need different passwords?


> Is there a way?
>
> Are there any other options?
>
> Cheers,
> Ray

Ray 08-17-2012 06:27 AM

Do I need separate directory instances for Linux authentication and (for example) IMAP authentication?
 
On 16.08.2012 20:16, Stephen Ingram wrote:

> On Thu, Aug 16, 2012 at 10:27 AM, Ray <ray@renegade.zapto.org> wrote:
>
>> On 16.08.2012 19:03, Stephen Ingram wrote:
>>
>>> On Thu, Aug 16, 2012 at 9:33 AM, Ray <ray@renegade.zapto.org> wrote:
>>>
>>>> Hi,
>>>>
>>>> I posted this before without getting a response. I think the question is
>>>> super simple to answer for LDAP experts. I'll try to rephrase the question
>>>> (in case it was unclear before…)
>>>>
>>>> I've been googling quite a while on this topic trying all sorts of keyword
>>>> combinations and found exactly nothing.
>>>>
>>>> LDAP appears to be commonplace, almost every server software I can think of
>>>> comes with an LDAP authentication module. The services that use the
>>>> directory may need to have different user bases (i.e. not every Linux user
>>>> needs to be an IMAP user also, and not every IMAP user should automatically
>>>> be able to SSH into servers).
>>>>
>>>> What is the right way to achieve the above?
>>>>
>>>> 1) Have separate LDAP instances running, one for IMAP, the other one for
>>>> Linux authentication. As there are some users that need both IMAP and Linux
>>>> access, some users would need to be set up twice.
>>>>
>>>> 2) Have all users in one LDAP instance, and have different sets of
>>>> attributes for IMAP and Linux authentication. Those users with IMAP access
>>>> have their IMAP attributes filled in and those with Linux logins have their
>>>> posix account settings filled with values. Some would have both. I do not
>>>> see how to assign different passwords for the two services for this option.
>>>> Is there a way?
>>>>
>>>> Are there any other options?
>>>
>>> Generally the whole purpose of using a directory server (LDAP) is to
>>> benefit from centralized and consistent configuration and
>>> authentication. As such, most setups use the same user base for
>>> everything (in your case IMAP access and shell logins). You just need
>>> to point each service (login and IMAP) to your directory and filter
>>> based on the existence of certain attributes. For example, only users
>>> with the objectclass=mailRecipient would be allowed to log in to your
>>> IMAP mail store. This can easily be accomplished through the
>>> authentication system of your IMAP software (one that supports LDAP
>>> authentication).
>>>
>>> Steve
>>
>> Many thanks for these insights, Steve!
>>
>> There are two more questions I have:
>>
>> * Is mailRecipient defined somewhere (schema?) or are these objectClasses
>> free for me to choose?
>
> mailRecipient is already defined as part of the old Netscape mail
> server schemas. I'm not sure if it's included in the default 389ds or
> not. Ultimately, you can roll your own schemas; however, it is not always
> an easy task, and thus it is many times easier to use an already available
> schema.


Ok, I see. Rich: also thanks for your reply on this.

>> * Is there a way to have separate passwords for IMAP? Specifically I would
>> like to run Cyrus-imap.
>
> No, there can only be one userpassword attribute. Out of curiosity,
> why would you want your users to have to use different passwords for
> each service? That sort of disposes of the whole idea of using LDAP
> auth to begin with. And, yes, Cyrus-IMAP works perfectly with LDAP
> authentication.


Steve & Rich:

I prefer different passwords because of security concerns: If a user
(with both IMAP and SSH access) hacks his/her mail password into a
compromised box (keylogger, for instance, internet café…), then the
expected damage would be limited to the mail account only. If the same
password works for SSH also, then it's possible to screw up all files of
that user; worse even, if there is some rights-elevation bug around at
the time - then the entire box might be at risk.


Getting a second set of userpassword attributes then either would
require me to run a second instance, or I would have to resort to the
likes of sasldb for the mail side of things…


Would there be a way to patch some schema file with an extra password
attribute ("mailuserpassword")? I have absolutely no clue about schema
writing though… is there something you can recommend me to read (book,
website, …) on this topic?


Cheers,
Ray

Grzegorz Dwornicki 08-17-2012 06:59 AM

Do I need separate directory instances for Linux authentication and (for example) IMAP authentication?
 
Look in the Red Hat docs. There you can find a lot of advice on schema writing. But writing a schema is one thing; getting an app to use it is another issue.


Greg.


Sent from HTC Desire Z

On 17-08-2012 08:27, "Ray" <ray@renegade.zapto.org> wrote:

> Would there be a way to patch some schema file with an extra password
> attribute ("mailuserpassword")? I have absolutely no clue about schema
> writing though… is there something you can recommend me to read (book,
> website, …) on this topic?

Josh Ellsworth 08-17-2012 02:12 PM

Do I need separate directory instances for Linux authentication and (for example) IMAP authentication?
 
Are you intending to somehow prevent these passwords from being identical? I'm sure that your users believe they have more important things to do other than tracking that many unique passwords.

It's not going to improve security if they keep their passwords on a sticky note on their laptop.

Josh

--
Joshua Ellsworth
Senior Systems Administrator, Primatics Financial
Phone: 571.765.7528
jellsworth@primaticsfinancial.com




> Steve & Rich:
>
> I prefer different passwords because of security concerns: If a user (with both IMAP and SSH access) hacks his/her mail password into a compromised box (keylogger, for instance, internet café…), then the expected damage would be limited to the mail account only. If the same password works for SSH also, then it's possible to screw up all files of that user; worse even, if there is some rights-elevation bug around at the time - then the entire box might be at risk.
>
> Getting a second set of userpassword attributes then either would require me to run a second instance, or I would have to resort to the likes of sasldb for the mail side of things…
>
> Would there be a way to patch some schema file with an extra password attribute ("mailuserpassword")? I have absolutely no clue about schema writing though… is there something you can recommend me to read (book, website, …) on this topic?

Rich Megginson 08-17-2012 02:40 PM

Do I need separate directory instances for Linux authentication and (for example) IMAP authentication?
 
On 08/17/2012 12:27 AM, Ray wrote:

> Steve & Rich:
>
> I prefer different passwords because of security concerns: If a user
> (with both IMAP and SSH access) hacks his/her mail password into a
> compromised box (keylogger, for instance, internet café…), then the
> expected damage would be limited to the mail account only. If the same
> password works for SSH also, then it's possible to screw up all files
> of that user; worse even, if there is some rights-elevation bug around
> at the time - then the entire box might be at risk.
>
> Getting a second set of userpassword attributes then either would
> require me to run a second instance, or I would have to resort to the
> likes of sasldb for the mail side of things…
>
> Would there be a way to patch some schema file with an extra password
> attribute ("mailuserpassword")? I have absolutely no clue about schema
> writing though… is there something you can recommend me to read (book,
> website, …) on this topic?

You could use your own attribute. But how will the application know how
to use it? You cannot use it with an LDAP BIND request since that only
knows about the userPassword attribute. So your application would have
to deal with hashing, comparison, etc. in a secure way. If you really
want to go this route, take a look at the schema file 05rfc4524.ldif -
the simpleSecurityObject objectclass. You would do something similar
e.g. create your custom password attribute (by copying/altering the
definition of the userPassword attribute), then create your custom
SecurityObject objectclass based on copying/altering
simpleSecurityObject. Then you would use ldapmodify to add your custom
objectclass to every entry that needs it.




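Rich's answer has two parts: the schema mechanics (copy the `userPassword` attribute and the `simpleSecurityObject` objectclass from 05rfc4524.ldif, then `ldapmodify` the new objectclass onto each entry) and the warning that BIND will never look at the new attribute, so the application itself must hash and compare. The block below is an added example, not code from the thread or from 389 Directory Server, showing both halves: the LDIF a schema extension of that shape would take, and the hash/verify pair an IMAP-side application would need if it went this route. The attribute name `mailUserPassword`, the objectclass `mailSecurityObject`, the OID arc `1.3.6.1.4.1.99999` and the choice of PBKDF2-SHA256 are all placeholders and assumptions of this example; the `userPassword` and `simpleSecurityObject` definitions it mirrors are the RFC 4519 and RFC 4524 ones.

```python
"""Application-managed password attribute outside the LDAP BIND path (added example)."""
import base64
import hashlib
import hmac
import os

# PLACEHOLDER private enterprise arc; a real deployment uses its own registered OID.
OID_ARC = "1.3.6.1.4.1.99999"

# Schema extension as an ldapmodify operation against cn=schema. The attribute
# copies userPassword (RFC 4519, OID 2.5.4.35: octetString syntax, octetStringMatch);
# the objectclass copies simpleSecurityObject (RFC 4524: AUXILIARY, MUST userPassword).
SCHEMA_LDIF = f"""dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( {OID_ARC}.1.1 NAME 'mailUserPassword' DESC 'mail-only password, verified by the application' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'user defined' )
-
add: objectClasses
objectClasses: ( {OID_ARC}.1.2 NAME 'mailSecurityObject' DESC 'entry carrying a mail-only password' SUP top AUXILIARY MUST mailUserPassword X-ORIGIN 'user defined' )
"""

SCHEME = "{PBKDF2-SHA256}"   # tag so a reader (and a migration) can tell the format
ITERATIONS = 600_000


def hash_password(password, iterations=ITERATIONS):
    """Value to store in mailUserPassword: scheme tag, iterations, base64 salt, base64 digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "%s%d$%s$%s" % (SCHEME, iterations,
                           base64.b64encode(salt).decode("ascii"),
                           base64.b64encode(digest).decode("ascii"))


def verify_password(stored, password):
    """Constant-time check of a candidate against a stored value.

    Anything not in the expected format (another scheme, clear text, truncated
    value) is rejected rather than compared as clear text."""
    if not stored.startswith(SCHEME):
        return False
    try:
        iterations, salt_b64, digest_b64 = stored[len(SCHEME):].split("$")
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False
    if iterations < 1 or not salt or not expected:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def entry_modify_ldif(dn, hashed):
    """ldapmodify LDIF adding the auxiliary objectclass and the hashed value to one entry."""
    return ("dn: %s\nchangetype: modify\n"
            "add: objectClass\nobjectClass: mailSecurityObject\n-\n"
            "add: mailUserPassword\nmailUserPassword: %s\n" % (dn, hashed))


def check_mail_login(entry, password):
    """What the IMAP-side application does instead of a BIND: require the
    auxiliary objectclass, then verify against the custom attribute only.
    userPassword is deliberately never consulted as a fallback."""
    classes = [c.lower() for c in entry.get("objectClass", [])]
    if "mailsecurityobject" not in classes:
        return False
    values = entry.get("mailUserPassword", [])
    return len(values) == 1 and verify_password(values[0], password)


if __name__ == "__main__":
    # Constructed entry, as the application would read it back from the directory.
    stored = hash_password("correct horse battery staple")
    alice = {"uid": ["alice"],
             "objectClass": ["top", "person", "posixAccount", "mailSecurityObject"],
             "userPassword": ["{SSHA}not-used-by-this-code"],
             "mailUserPassword": [stored]}
    print(entry_modify_ldif("uid=alice,ou=People,dc=example,dc=org", stored))
    print("mail login ok:", check_mail_login(alice, "correct horse battery staple"))
```

What this makes visible is the cost Rich is pointing at: every consumer of the mail password now has to carry this verification code and keep the stored format, iteration count and comparison correct, where a BIND against `userPassword` would have had the directory do all of it.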

"Morris, Patrick" 08-17-2012 08:39 PM

Do I need separate directory instances for Linux authentication and (for example) IMAP authentication?
 
> On 08/17/2012 12:27 AM, Ray wrote:
> > Steve & Rich:
> >
> > I prefer different passwords because of security concerns: If a user
> > (with both IMAP and SSH access) hacks his/her mail password into a
> > compromised box (keylogger, for instance, internet café…), then the
> > expected damage would be limited to the mail account only. If the same
> > password works for SSH also, then it's possible to screw up all files
> > of that user; worse even, if there is some rights-elevation bug around
> > at the time - then the entire box might be at risk.
> >
> > Getting a second set of userpassword attributes then either would
> > require me to run a second instance, or I would have to resort to the
> > likes of sasldb for the mail side of things…
> >
> > Would there be a way to patch some schema file with an extra password
> > attribute ("mailuserpassword")? I have absolutely no clue about schema
> > writing though… is there something you can recommend me to read (book,
> > website, …) on this topic?
>
> You could use your own attribute. But how will the application know
> how to use it? You cannot use it with an LDAP BIND request since that
> only knows about the userPassword attribute. So your application would
> have to deal with hashing, comparison, etc. in a secure way. If you
> really want to go this route, take a look at the schema file
> 05rfc4524.ldif - the simpleSecurityObject objectclass. You would do
> something similar e.g. create your custom password attribute (by
> copying/altering the definition of the userPassword attribute), then
> create your custom SecurityObject objectclass based on copying/altering
> simpleSecurityObject. Then you would use ldapmodify to add your custom
> objectclass to every entry that needs it.


Another simple solution here, if you're concerned enough about security to consider setting up something this convoluted, would be to stop accepting passphrases as valid authentication for SSH sessions.
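Patrick's alternative addresses Ray's threat (a mail password captured on a compromised machine) without touching the directory: if sshd does not accept passwords at all, a leaked `userPassword` no longer opens a shell. The following is an added example, not from the thread: a small audit of `sshd_config` text that reports whether password or keyboard-interactive logins are still possible. It models two OpenSSH behaviours that make a quick manual check unreliable: sshd keeps the first value it reads for a keyword, so a later `PasswordAuthentication no` does not override an earlier `yes`, and a `Match` block can re-enable passwords for a subset of users or addresses. Both sample configurations are constructed.

```python
"""Audit an sshd_config for remaining password-based login paths (added example)."""
import re

# Keywords that admit a password typed at login time; the second and third are
# the new and old spellings of the same OpenSSH option.
PASSWORD_KEYS = ("passwordauthentication",
                 "kbdinteractiveauthentication",
                 "challengeresponseauthentication")

WEAK_CONFIG = """
# constructed sample: password logins remain possible
PasswordAuthentication yes
PasswordAuthentication no      # ignored: sshd keeps the first value it saw
PubkeyAuthentication yes
Match Group contractors
    PasswordAuthentication yes
"""

HARDENED_CONFIG = """
# constructed sample: keys only
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
Match Address 10.0.0.0/8
    PermitRootLogin no
"""


def parse_sshd_config(text):
    """Return (global_settings, [(match_criteria, settings), ...]).

    Keywords are case-insensitive; within each section the first value seen
    wins, as in sshd. Comments are stripped at the first '#' (sshd does not
    allow '#' inside values either)."""
    global_settings, blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"([^\s=]+)\s*=?\s*(.*)", line)   # "Key value" or "Key=value"
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            current = {}
            blocks.append((value, current))
            continue
        current.setdefault(key, value)          # first occurrence wins
    return global_settings, blocks


def password_auth_findings(text):
    """List every way the configuration still accepts a password at login."""
    findings = []
    g, blocks = parse_sshd_config(text)
    # OpenSSH defaults when a keyword is absent: password and keyboard-interactive
    # authentication are both enabled, public-key authentication is enabled.
    if g.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not 'no' in the global section")
    kbd = g.get("kbdinteractiveauthentication",
                g.get("challengeresponseauthentication", "yes"))
    if kbd.lower() != "no":
        findings.append("KbdInteractiveAuthentication/ChallengeResponseAuthentication "
                        "is not 'no' in the global section")
    if g.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication is disabled; no key-based method remains")
    for criteria, settings in blocks:
        for key in PASSWORD_KEYS:
            if settings.get(key, "").lower() == "yes":
                findings.append("Match %s re-enables %s" % (criteria, key))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name + ":", password_auth_findings(cfg) or ["no password login path found"])
```

Run it against the live file (`/etc/ssh/sshd_config` and, on newer OpenSSH, anything pulled in by `Include`) after the change; the `Match` finding is the one that tends to survive a hardening pass unnoticed.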

