www-infrastructure-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Graham Leggett <minf...@sharp.fm>
Subject Re: ASF LDAP Project - Update
Date Sat, 10 Jan 2009 12:44:23 GMT
Santiago Gala wrote:

> I have my login in people.apache.org without a password, using only ssh
> keys. There was a time when this was encouraged, and root would kill the
> password access on demand. I would greatly prefer public keys to
> password as much as I can, and I hope the LDAP change will not affect my
> ability to not having a shell password, but only a .ssh/authorized_keys
> file.

The LDAP support won't affect this directly.

With LDAP support, the information that would otherwise appear in 
/etc/passwd now is stored in LDAP, and that isn't just your password, 
but your username, the gecos field, your uid and gid, etc.

The tricky bit may be the bit that stops password logins being possible, 
because the simple way of doing it - removing the password - also 
removes your ability to use the password against other LDAP services, 
like svn.

I would imagine there is a way to configure PAM to say "if user is 
member of group | not member of group | has this attribute | whatever 
don't permit a login with a password", but that will have to be 
experimented with.

Regards,
Graham

--

Mime
View raw message