[TriLUG] cvs CVSROOT/modules - LDAP

Mike M no-linux-support at earthlink.net
Thu Sep 9 11:06:54 EDT 2004


On Thu, Sep 09, 2004 at 08:52:18AM -0400, Mark Turner wrote:
> Mike M wrote:
> 
> >IANAA (I am not an admin :) but isn't LDAP the tool for centrally
> >managing authorization for many users with many accounts on many machines? 
> >I wasn't aware that LDAP somehow eliminated the need for making
> >many accounts on many machines for many users.
> 
> Using LDAP, you could manage accounts and mounts through the directory, 
> completely eliminating the need to create accounts on several machines.

That disturbs me. Primarily because this concept rattles my world view.
I have a vague understanding of user and permission in the first place.

Let's see if I can noodle what you are telling us.

When you log in, a UID is created and you have permissions.  In
the "box is world" view, the box stores information about valid
users.  LDAP centralizes and globalizes authentication so that a
box can allow an infinite number of users - theoretically speaking.
> 
> AFAIK, pserver is too dumb to use LDAP, so you're still stuck with SSH. 

pserver being too dumb to use LDAP is not surprising.  It seems that
it has been abandoned by serious folk except as an anonymous read-only
server.

ssh is surely LDAP aware.

Maybe the test should be this:

 $ cvs -d :ext:your_ldap_existence@cvs_server:/var/cvs_rep co module

There are setups that underlie the correct operation.  In a Debian
machine the magic is automatic at install time.  On old RH boxes
there are some environment vars that force ssh usage instead of rsh
usage.

> However, using ssh-keyagent can reduce the number of times you must type 
> a password to one.

Keyagents are security compromises to the truly paranoid.  If you
walk away from your machine you've enabled an unauthorized person to
access the secure area using your machine.

-- 
Mike

Moving forward in pushing back the envelope of the corporate paradigm.
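As an added example, not part of Mike's message or the thread: a small POSIX sh setup for the :ext:-over-ssh checkout and the agent point above, written from the defender's side. The user, host and repository path are placeholders, and the 30-minute key lifetime is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread). Names below are hypothetical.

# Older CVS builds reach :ext: servers with rsh unless told otherwise;
# CVS_RSH=ssh is the environment variable that forces ssh.
export CVS_RSH=ssh

# Return 0 when CVS_RSH names ssh (bare name or full path), 1 when an
# :ext: checkout would silently fall back to rsh.
cvs_rsh_is_ssh() {
    case "${CVS_RSH:-rsh}" in
        ssh|*/ssh) return 0 ;;
        *)         return 1 ;;
    esac
}

# Assemble the :ext: CVSROOT for a user, host and repository path.
cvsroot_ext() {
    printf ':ext:%s@%s:%s' "$1" "$2" "$3"
}

# Check out a module over ssh, refusing to run if rsh would be used.
cvs_checkout() {
    user=$1 host=$2 repo=$3 module=$4
    cvs_rsh_is_ssh || {
        echo "CVS_RSH is not ssh; refusing the rsh fallback" >&2
        return 1
    }
    cvs -d "$(cvsroot_ext "$user" "$host" "$repo")" co "$module"
}

# Load a key into ssh-agent with a lifetime in seconds (default 1800, an
# assumption) so an agent left on an unattended machine stops answering
# after the timeout; 'ssh-add -x' locks it immediately when you step away.
load_key_bounded() {
    ssh-add -t "${2:-1800}" "$1"
}
```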
