Re: disable multiple login

On 22:42 19 Dec 2003, Jay Daniels <jay@xxxxxxxxxxx> wrote:
| On Sat, Dec 20, 2003 at 12:02:59AM +0100, Clemens von Musil wrote:
| > I set up a server that provides /home for all users (mounted via nfs)
| > and an ldap-server for authentication. 
| 
| The LDAP, Lightweight Directory Access Protocol, is an Internet protocol
| that email programs use to look up contact information from a server,
| such as ClickMail Central Directory.  So, why use LDAP for
| authentication?

Because it's not UNIX specific (i.e. can also be used by other systems,
thus giving a single user table in heterogeneous environments), and can
present a great many user attributes beyond what /etc/password offers.

| I thought the ldapd server served up addresses and names, how or why
| does one authenticate users based on this info?  Isn't this info
| usually public as far as the organization is concerned?

Yep. But nobody sane stores passwords in the clear anyway for
serious purposes. Normally what you store is a hash value based on the
password. When authenticating, you fetch the hash from the auth system
(e.g. via getpwnam() or such), compute the hash from what the user types,
and if the hashes match you decide the user typed the right thing. A
strong hash function does not let you go backwards from a hash to an
acceptable password string.

| I just don't understand why you would use ldap for authentication?
| Doesn't nfs have its own authentication mechanism built in?

Nope. NFS generally uses the server OS's scheme, whatever that is. You
can, via PAM, hook that scheme to an LDAP server or the usual UNIX files
as you see fit. But between hosts the server generally just believes
that the client is telling the truth about who they claim is accessing
the files.

Cheers,
-- 
Cameron Simpson <cs@xxxxxxxxxx> DoD#743
http://www.cskk.ezoshosting.com/cs/

Let the bullet of your thought achieve the true and final path of its
trajectory before it reaches the ear of the listener, lest it plow out the
other side of his head. - Henry David Thoreau


-- 
Shrike-list mailing list
Shrike-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/shrike-list
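
The check described in the message above (fetch the stored hash, hash what the user typed, compare), as an added example that is not part of the original post. It assumes the directory stores the value in the salted `{SSHA}` family of schemes used for LDAP `userPassword` attributes; the function names and the sample entry are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os

# Salted scheme tag -> hashlib algorithm (assumed set; a directory may use others).
SCHEMES = {"{SSHA}": "sha1", "{SSHA256}": "sha256", "{SSHA512}": "sha512"}


def make_hash(password, scheme="{SSHA512}", salt=None):
    """Stored value = scheme tag + base64(digest(password + salt) + salt)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.new(SCHEMES[scheme], password.encode("utf-8") + salt).digest()
    return scheme + base64.b64encode(digest + salt).decode("ascii")


def verify(stored, typed):
    """Recompute the hash from what the user typed and compare it to the stored one."""
    for scheme, algo in SCHEMES.items():
        if stored.upper().startswith(scheme):
            blob = stored[len(scheme):]
            break
    else:
        return False  # unknown or cleartext scheme: refuse rather than guess
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        return False  # not valid base64
    size = hashlib.new(algo).digest_size
    if len(raw) <= size:
        return False  # no salt appended: malformed for a salted scheme
    digest, salt = raw[:size], raw[size:]
    candidate = hashlib.new(algo, typed.encode("utf-8") + salt).digest()
    # Constant-time comparison, so timing does not reveal how many bytes matched.
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed directory entry standing in for what the auth lookup returns.
    entry = {"uid": "clemens", "userPassword": make_hash("correct horse")}
    print(verify(entry["userPassword"], "correct horse"))  # matching password
    print(verify(entry["userPassword"], "wrong guess"))    # non-matching password
```

Plain salted SHA digests are fast to compute, so a deliberately slow scheme is preferable where the directory supports one.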
