Return-Path: Delivered-To: apmail-infrastructure-dev-archive@locus.apache.org Received: (qmail 62731 invoked from network); 10 Jan 2009 12:44:57 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2) by minotaur.apache.org with SMTP; 10 Jan 2009 12:44:57 -0000 Received: (qmail 84964 invoked by uid 500); 10 Jan 2009 12:44:56 -0000 Delivered-To: apmail-infrastructure-dev-archive@apache.org Received: (qmail 84884 invoked by uid 500); 10 Jan 2009 12:44:56 -0000 Mailing-List: contact infrastructure-dev-help@apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: infrastructure-dev@apache.org Delivered-To: mailing list infrastructure-dev@apache.org Received: (qmail 84872 invoked by uid 99); 10 Jan 2009 12:44:56 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 10 Jan 2009 04:44:56 -0800 X-ASF-Spam-Status: No, hits=-0.0 required=10.0 tests=SPF_HELO_PASS,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (nike.apache.org: domain of minfrin@sharp.fm designates 72.32.122.47 as permitted sender) Received: from [72.32.122.47] (HELO chandler.sharp.fm) (72.32.122.47) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 10 Jan 2009 12:44:47 +0000 Received: from chandler.sharp.fm (localhost [127.0.0.1]) by chandler.sharp.fm (Postfix) with ESMTP id 594D61300B3 for ; Sat, 10 Jan 2009 06:44:26 -0600 (CST) Received: from 87-194-125-14.bethere.co.uk (87-194-125-14.bethere.co.uk [87.194.125.14]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) (Authenticated sender: minfrin@sharp.fm) by chandler.sharp.fm (Postfix) with ESMTP id 4A86B130047 for ; Sat, 10 Jan 2009 06:44:25 -0600 (CST) Message-ID: <49689827.5050102@sharp.fm> Date: Sat, 10 Jan 2009 14:44:23 +0200 From: Graham Leggett User-Agent: Thunderbird 2.0.0.19 (Macintosh/20081209) MIME-Version: 1.0 To: infrastructure-dev@apache.org Subject: Re: ASF LDAP Project - Update References: <4967BF4E.6000108@pc-tony.com> <4967CB99.7020706@sharp.fm> <1231587856.6470.4.camel@kurtz> In-Reply-To: <1231587856.6470.4.camel@kurtz> Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms090307020400010901040407" X-Virus-Scanned: ClamAV using ClamSMTP X-Virus-Checked: Checked by ClamAV on apache.org --------------ms090307020400010901040407 Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit Santiago Gala wrote: > I have my login in people.apache.org without a password, using only ssh > keys. There was a time when this was encouraged, and root would kill the > password access on demand. I would greatly prefer public keys to > password as much as I can, and I hope the LDAP change will not affect my > ability to not having a shell password, but only a .ssh/authorized_keys > file. The LDAP support won't affect this directly. With LDAP support, the information that would otherwise appear in /etc/passwd now is stored in LDAP, and that isn't just your password, but your username, the gecos field, your uid and gid, etc. The tricky bit may be the bit that stops password logins being possible, because the simple way of doing it - removing the password - also removes your ability to use the password against other LDAP services, like svn. I would imagine there is a way to configure PAM to say "if user is member of group | not member of group | has this attribute | whatever don't permit a login with a password", but that will have to be experimented with. Regards, Graham -- --------------ms090307020400010901040407 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIJNTCC AvUwggJeoAMCAQICEE48SDZRMuwR+sMj0uPO8bgwDQYJKoZIhvcNAQEFBQAwYjELMAkGA1UE BhMCWkExJTAjBgNVBAoTHFRoYXd0ZSBDb25zdWx0aW5nIChQdHkpIEx0ZC4xLDAqBgNVBAMT I1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBJc3N1aW5nIENBMB4XDTA4MTAxNDEzNDk1N1oX DTA5MTAxNDEzNDk1N1owXTEQMA4GA1UEBBMHTGVnZ2V0dDEPMA0GA1UEKhMGR3JhaGFtMRcw FQYDVQQDEw5HcmFoYW0gTGVnZ2V0dDEfMB0GCSqGSIb3DQEJARYQbWluZnJpbkBzaGFycC5m bTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOHdkReI2hOK03fWwKA9UqHcjwRQ /gdmAIB/96pznww4TROCiCG/ugLzo2/feBQSuY467jFMBNudlzY+65avbP9Utys/0pa9lcK7 7hjXKKhgqL/UBSmSLxHie8pCo+74tqoOBTEkKj/Dc37mugeA0tdG1tOGc3yg8JhxEITl/9Sr Qm5NElCFs3dLksCh+3S0IFANct13lRr7aYezqlsVu7HiQkSc3uWDGtRAIWouimjvpfaPuBl/ hZCzQiWmHoW++C5kO5cxuO9UluW3oxk8+tJmsIA+6pJTfSHH5RbVrEXSlbkscSZ+/TYMw7rr /Mo8iqTANqNpInUfVE5nMmdqN5ECAwEAAaMtMCswGwYDVR0RBBQwEoEQbWluZnJpbkBzaGFy cC5mbTAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBBQUAA4GBADfOsPAXQyOnuF1AM2p/elY6 7QVH1C7xQZTQ809jKVM7/44FaS7u5t3RhH3HpVd/qO0xkYTw9NBbQMFn8XoK2RAHs+phssXh Z9sKfDJYmQN8H2xglQG4oUcdypLiv4l/1FE7OCh8dqQ5aMFrbT+Qq9nr1WGxXCemp8+Y3wgI GFBCMIIC9TCCAl6gAwIBAgIQTjxINlEy7BH6wyPS487xuDANBgkqhkiG9w0BAQUFADBiMQsw CQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoG A1UEAxMjVGhhd3RlIFBlcnNvbmFsIEZyZWVtYWlsIElzc3VpbmcgQ0EwHhcNMDgxMDE0MTM0 OTU3WhcNMDkxMDE0MTM0OTU3WjBdMRAwDgYDVQQEEwdMZWdnZXR0MQ8wDQYDVQQqEwZHcmFo YW0xFzAVBgNVBAMTDkdyYWhhbSBMZWdnZXR0MR8wHQYJKoZIhvcNAQkBFhBtaW5mcmluQHNo YXJwLmZtMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4d2RF4jaE4rTd9bAoD1S odyPBFD+B2YAgH/3qnOfDDhNE4KIIb+6AvOjb994FBK5jjruMUwE252XNj7rlq9s/1S3Kz/S lr2VwrvuGNcoqGCov9QFKZIvEeJ7ykKj7vi2qg4FMSQqP8Nzfua6B4DS10bW04ZzfKDwmHEQ hOX/1KtCbk0SUIWzd0uSwKH7dLQgUA1y3XeVGvtph7OqWxW7seJCRJze5YMa1EAhai6KaO+l 9o+4GX+FkLNCJaYehb74LmQ7lzG471SW5bejGTz60mawgD7qklN9IcflFtWsRdKVuSxxJn79 NgzDuuv8yjyKpMA2o2kidR9UTmcyZ2o3kQIDAQABoy0wKzAbBgNVHREEFDASgRBtaW5mcmlu QHNoYXJwLmZtMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQEFBQADgYEAN86w8BdDI6e4XUAz an96VjrtBUfULvFBlNDzT2MpUzv/jgVpLu7m3dGEfcelV3+o7TGRhPD00FtAwWfxegrZEAez 6mGyxeFn2wp8MliZA3wfbGCVAbihRx3KkuK/iX/UUTs4KHx2pDlowWttP5Cr2evVYbFcJ6an z5jfCAgYUEIwggM/MIICqKADAgECAgENMA0GCSqGSIb3DQEBBQUAMIHRMQswCQYDVQQGEwJa QTEVMBMGA1UECBMMV2VzdGVybiBDYXBlMRIwEAYDVQQHEwlDYXBlIFRvd24xGjAYBgNVBAoT EVRoYXd0ZSBDb25zdWx0aW5nMSgwJgYDVQQLEx9DZXJ0aWZpY2F0aW9uIFNlcnZpY2VzIERp dmlzaW9uMSQwIgYDVQQDExtUaGF3dGUgUGVyc29uYWwgRnJlZW1haWwgQ0ExKzApBgkqhkiG 9w0BCQEWHHBlcnNvbmFsLWZyZWVtYWlsQHRoYXd0ZS5jb20wHhcNMDMwNzE3MDAwMDAwWhcN MTMwNzE2MjM1OTU5WjBiMQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRp bmcgKFB0eSkgTHRkLjEsMCoGA1UEAxMjVGhhd3RlIFBlcnNvbmFsIEZyZWVtYWlsIElzc3Vp bmcgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMSmPFVzVftOucqZWh5owHUEcJ3f 6f+jHuy9zfVb8hp2vX8MOmHyv1HOAdTlUAow1wJjWiyJFXCO3cnwK4Vaqj9xVsuvPAsH5/Ef kTYkKhPPK9Xzgnc9A74r/rsYPge/QIACZNenprufZdHFKlSFD0gEf6e20TxhBEAeZBlyYLf7 AgMBAAGjgZQwgZEwEgYDVR0TAQH/BAgwBgEB/wIBADBDBgNVHR8EPDA6MDigNqA0hjJodHRw Oi8vY3JsLnRoYXd0ZS5jb20vVGhhd3RlUGVyc29uYWxGcmVlbWFpbENBLmNybDALBgNVHQ8E BAMCAQYwKQYDVR0RBCIwIKQeMBwxGjAYBgNVBAMTEVByaXZhdGVMYWJlbDItMTM4MA0GCSqG SIb3DQEBBQUAA4GBAEiM0VCD6gsuzA2jZqxnD3+vrL7CF6FDlpSdf0whuPg2H6otnzYvwPQc UCCTcDz9reFhYsPZOhl+hLGZGwDFGguCdJ4lUJRix9sncVcljd2pnDmOjCBPZV+V2vf3h9bG CE6u9uo05RAaWzVNd+NWIXiC3CEZNd4ksdMdRv9dX2VPMYIDZDCCA2ACAQEwdjBiMQswCQYD VQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoGA1UE AxMjVGhhd3RlIFBlcnNvbmFsIEZyZWVtYWlsIElzc3VpbmcgQ0ECEE48SDZRMuwR+sMj0uPO 8bgwCQYFKw4DAhoFAKCCAcMwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0B CQUxDxcNMDkwMTEwMTI0NDIzWjAjBgkqhkiG9w0BCQQxFgQUoSnMGLiy44vycEm7udvshmKv pBQwUgYJKoZIhvcNAQkPMUUwQzAKBggqhkiG9w0DBzAOBggqhkiG9w0DAgICAIAwDQYIKoZI hvcNAwICAUAwBwYFKw4DAgcwDQYIKoZIhvcNAwICASgwgYUGCSsGAQQBgjcQBDF4MHYwYjEL MAkGA1UEBhMCWkExJTAjBgNVBAoTHFRoYXd0ZSBDb25zdWx0aW5nIChQdHkpIEx0ZC4xLDAq BgNVBAMTI1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBJc3N1aW5nIENBAhBOPEg2UTLsEfrD I9LjzvG4MIGHBgsqhkiG9w0BCRACCzF4oHYwYjELMAkGA1UEBhMCWkExJTAjBgNVBAoTHFRo YXd0ZSBDb25zdWx0aW5nIChQdHkpIEx0ZC4xLDAqBgNVBAMTI1RoYXd0ZSBQZXJzb25hbCBG cmVlbWFpbCBJc3N1aW5nIENBAhBOPEg2UTLsEfrDI9LjzvG4MA0GCSqGSIb3DQEBAQUABIIB ANIFnqlsiqZf8iAaalf1E6rkLv987PpslN3PrJxtyrHhSbfa9v5mLxnslskVE40tCLjedj/1 P1pxeOrObhHIGtgmiHn0gVfII0sEdMATJ5e2+VxNJ1k8PeHBS+Wyb1S+NbdSUwj63+rhCBaF 1HNiE0fN4dl/3BP/H4WerJz7PNp2txbI/48vfPuyGL9oCFH4YSfpElvSBfbSGHx3Bb4ItXy8 Khv+Ks6lqbq40vLIw+yNEDM8OMw/8yQrC8LfudkoG8YqX5jQ1jhfRX6lRQq3lI7SO4536XoR O5VbieAVv34AGPXQKPIcOKr2EZh1jXjpOy97oWElyvZDO97oQC7P4NcAAAAAAAA= --------------ms090307020400010901040407--