Hi Petter,

On Sat, Aug 23, 2003 at 06:14:48PM +0200, Petter Reinholdtsen wrote:
> [Steve Langasek]
> > - At a later date, it will be possible to support tools for
> >   debconf-based management of the authentication subsystem so that
> >   administrators can seamlessly integrate workstations into (e.g.)
> >   Kerberos, LDAP, or Windows NT authentication realms. No work has
> >   been done yet to develop these tools, and they are unlikely to be
> >   ready in time for sarge; but this is a realistic goal for sarge+1,
> >   or for customized installers based on sarge.

> Skolelinux is currently setting up LDAP at install time, and would
> love to have a more standardized way to do it. At the moment, we just
> replace the files in /etc/pam.d/, and edit /etc/nsswitch.conf,
> /etc/pam_ldap.conf and /etc/libnss-ldap.conf.

> Is there anything we can do to assist the progress of the system to
> automatically set up LDAP/NIS/whatever at install time? We would love
> to be able to do this in a policy-compliant way. :)

I'm fairly certain that neither Sam nor I would have the time to work on
this piece ourselves before sarge's release, but if you're able to
prepare a suitable tool for managing authentication choices, it's
possible it could still be considered for inclusion in sarge. Such a
tool would need an interface for new authentication modules to register
themselves; it would need to allow the administrator to opt for at least
minimal module stacking (LDAP w/ fallback to pam_unix, for example); and
it would need to understand how to manage /etc/pam.d/common-auth,
/etc/pam.d/common-account, and /etc/pam.d/other. Technically, to be
policy-compliant, the config-writing portion of this tool must also be
part of the libpam-runtime package. For an added bonus, the tool can be
called by the name 'authconfig', which is the name Red Hat uses for
their system.

I believe Sam has some other goals for this tool, specifically relating
to Kerberos/AFS support; I'll let him speak for himself on those.

If I can provide any input that would help someone work on implementing
this, please let me know.

-- 
Steve Langasek
postmodern programmer
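The requirements listed in the message above (modules registering themselves, LDAP stacked with a pam_unix fallback, output for common-auth and common-account), as an added Python sketch that is not part of the original post or of any Debian tool. The `register`/`render` interface, the priority numbers and the automatic `use_first_pass` are assumptions made for illustration.

```python
# Added illustration: registry-driven rendering of /etc/pam.d/common-<type>.
# register() and render() are hypothetical names, not an existing Debian API.
REGISTRY = {}


def register(name, priority, lines):
    """An authentication package announces its PAM lines.

    lines maps a PAM type ("auth", "account") to "module.so [args]".
    """
    if name in REGISTRY:
        raise ValueError(f"{name} is already registered")
    REGISTRY[name] = {"priority": priority, "lines": lines}


def render(pam_type, selected):
    """Return the file body for the modules the administrator selected.

    Higher-priority modules come first as "sufficient"; the lowest-priority
    one is the "required" fallback, so the stack always ends in a module
    whose failure denies access.
    """
    unknown = [n for n in selected if n not in REGISTRY]
    if unknown:
        raise ValueError(f"unregistered modules: {unknown}")
    profiles = sorted(
        (REGISTRY[n] for n in selected if pam_type in REGISTRY[n]["lines"]),
        key=lambda p: -p["priority"],
    )
    if not profiles:
        raise ValueError(f"refusing to write an empty {pam_type} stack")
    out = []
    for i, prof in enumerate(profiles):
        control = "required" if i == len(profiles) - 1 else "sufficient"
        line = prof["lines"][pam_type]
        # Assumption: fallback auth modules accept use_first_pass (pam_unix
        # does), so the user is not prompted for a second password.
        if pam_type == "auth" and i > 0 and "use_first_pass" not in line.split():
            line += " use_first_pass"
        out.append(f"{pam_type} {control} {line}")
    return "\n".join(out) + "\n"


# Constructed sample registrations.
register("unix", 0, {"auth": "pam_unix.so", "account": "pam_unix.so"})
register("ldap", 100, {"auth": "pam_ldap.so", "account": "pam_ldap.so"})

if __name__ == "__main__":
    for pam_type in ("auth", "account"):
        print(f"# /etc/pam.d/common-{pam_type}")
        print(render(pam_type, ["unix", "ldap"]), end="")
```

With `sufficient` on the account line, a success from pam_ldap ends the stack before pam_unix's account checks run, which is one of the stacking choices such a tool would have to expose to the administrator.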