Re: An LDAP authentication howto for Debian?
<quote who="Sami Haahtinen">

> the biggest case imho is understanding LDAP, LDIF and the permissions in the database.. then it's just a matter of adding the correct objectclass and filling in the blanks..

Indeed - best place to learn about this is in the book, Understanding and Deploying LDAP Directory Services by Howes, Smith and Good. Not only does it give a thorough theoretical overview, there are a number of case studies at the back. Good stuff. :)

- Jeff

-- ASCII stupid question, get a stupid ANSI.

-- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
RE: Apache and multiple virtual domains
Hi!

> However, PHP is still run under the webserver's UID, correct? The only workaround is to run PHP in the CGI version...?

Yes. You need the CGI version, I think, because you need to use the suEXEC wrapper, which has the SUID bit, to execute programs under other UIDs (not nobody or httpd).

hope it helps.

cheers
marcelo gulin

> Jason

----- Original Message -----
From: Marcelo Gulin [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Saturday, April 28, 2001 6:13 PM
Subject: RE: Apache and multiple virtual domains

Hi! You can use the suEXEC mechanism to do that job. The suEXEC wrapper allows running CGI and SSI under different UIDs.

cheers
marcelo gulin

----- Original Message -----
From: Marcel Hicking [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, April 27, 2001 3:44 AM
Subject: Re: Apache and multiple virtual domains

> What I want to do is have multiple virtual hosts with each virtual host having a different UID for running CGI-BIN scripts.

http://cgiwrap.unixtools.org/

CGIWrap is a gateway program that allows general users to use CGI scripts and HTML forms without compromising the security of the http server. Scripts are run with the permissions of the user who owns the script. In addition, several security checks are performed on the script, which will not be executed if any checks fail.

Since scripts uploaded via FTP will be owned by your customer's UID, they should then run under his UID. I am not sure, however, if you could get the whole apache subprocess to be run under a different UID this way, but then I am not sure if this would give additional security or other advantages.

BTW. I've seen some descriptions on how to set up CGIwrap transparently so your customers wouldn't even notice CGIwrap is running. Something with setting up a handler for file extensions. Maybe check the tips and tricks page http://cgiwrap.unixtools.org/tricks.html on this as well as for some nice mod_rewrite rules ;-)

Cheers,
Marcel

http://www.zentek-international.com
http://hk.zentek-international.com
http://us.zentek-international.com
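The replies above rely on suEXEC and CGIWrap refusing to run a script that fails their security checks. The following is an added example (not code from this thread, from Apache or from CGIWrap) that applies a subset of the checks listed in Apache's suEXEC documentation to a script's stat data, so a hosting admin can audit customer uploads before enabling the wrapper; `MIN_UID`, the uid/gid 1001 and the file names are constructed assumptions.

```python
import os
import stat
from types import SimpleNamespace

MIN_UID = 100  # assumed site policy; suEXEC's own minimum is set at build time


def evaluate(script, parent, target_uid, target_gid, min_uid=MIN_UID):
    """Return the list of reasons to refuse execution (empty means accept).

    `script` and `parent` are os.stat_result-like objects (st_mode, st_uid,
    st_gid) for the CGI file and for the directory that contains it.
    """
    reasons = []
    if target_uid == 0:
        reasons.append("target user is root")
    elif target_uid < min_uid:
        reasons.append("target uid below site minimum")
    if not stat.S_ISREG(script.st_mode):
        reasons.append("script is not a regular file")
    if script.st_mode & (stat.S_ISUID | stat.S_ISGID):
        reasons.append("script is setuid/setgid")
    if script.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append("script writable by group/other")
    if parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append("directory writable by group/other")
    if (script.st_uid, script.st_gid) != (target_uid, target_gid):
        reasons.append("script owner differs from vhost user/group")
    return reasons


def audit_cgi(path, target_uid, target_gid, min_uid=MIN_UID):
    """Stat a real script (without following symlinks) and evaluate it."""
    script = os.lstat(path)
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    return evaluate(script, parent, target_uid, target_gid, min_uid)


def fake(mode, uid, gid):
    """Constructed stat record used by the demo below."""
    return SimpleNamespace(st_mode=mode, st_uid=uid, st_gid=gid)


if __name__ == "__main__":
    docroot = fake(stat.S_IFDIR | 0o755, 1001, 1001)
    samples = {  # constructed examples; the customer's uid/gid is 1001
        "clean.cgi": fake(stat.S_IFREG | 0o755, 1001, 1001),
        "ftp-777.cgi": fake(stat.S_IFREG | 0o777, 1001, 1001),
        "suid.cgi": fake(stat.S_IFREG | 0o4755, 1001, 1001),
        "other-owner.cgi": fake(stat.S_IFREG | 0o755, 1002, 1002),
    }
    for name, st in samples.items():
        print(name, evaluate(st, docroot, 1001, 1001) or "ok")
```

A script uploaded over FTP with mode 777 is the common failure: the wrapper declines it even though the owner matches.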
Re: An LDAP authentication howto for Debian?
I wrote a howto about 6 months back. It was tricky setting up but I think I cover most of the potential disaster areas in my howto.

http://www.imaginator.com/~simon/ldap/

S.

Jeremy L. Gaddis wrote:

> Out of curiosity, has anyone come across a sort of LDAP authentication howto for Debian? I've been pondering the idea of using a central LDAP database for authentication for awhile now, but I'm sort of lost after installing the necessary PAM stuff. Thanks.
>
> -jg
>
> -- Jeremy L. Gaddis [EMAIL PROTECTED]
> Go away or I will replace you with a very small shell script.

-- Simon D Tennant, Consultant
Linuxcare, Inc.
415.577 6719 tel, 415-701-0792 fax
[EMAIL PROTECTED], http://www.linuxcare.com/
Linuxcare. Putting open source to work.
pgp id: 6410974D
Re: An LDAP authentication howto for Debian?
On Sun, Apr 29, 2001 at 04:52:54AM -0700, Simon Tennant wrote:

> I wrote a howto about 6 months back. It was tricky setting up but I think I cover most of the potential disaster areas in my howto.
>
> http://www.imaginator.com/~simon/ldap/
>
> S.

i recommend you add description about Objectclass: ShadowAccount there too.. it tells nss_ldap not to pull the passwords with 'getent passwd'

Sami

-- - Sami Haahtinen - - 2209 3C53 D0FB 041C F7B1 F908 A9B6 F730 B83D 761C -
Re: An LDAP authentication howto for Debian?
On Sun, Apr 29, 2001 at 12:34:02PM +1000, Jeff Waugh [EMAIL PROTECTED] wrote a message of 21 lines which said:

> The LDP has a perfectly good set of documents already; there's no need to duplicate the good work already done by them.

I recently configured LDAP for my company and I 100% agree with the original poster. Documentation is thick but with a lot of holes, few explanations (so you can do things in a different way), and quite difficult to find.

I certainly would not say to an LDAP beginner, read the fucking manual because it is clearly a domain where manuals are suboptimal (I know, I should write one but it is easier to complain).

The most important problem, I believe, is that using LDAP means understanding many different things and how they fit together. These things are often documented properly (setting up an LDAP server...) but separately (setting up LDAP clients is in a completely different place) and you cannot get a global picture easily. (For instance, the LDP HOWTOs about PAM and LDAP do not explain why you need, in most cases, to set up PAM *and* NSS.)
Hidden DNS primary
Can anyone tell me what I need to do to make it so that I can use a hidden DNS primary? Oddly enough, it seems to work for forward DNS, but reverse DNS gives me this:

Apr 29 16:21:02 segfault named-xfer[6303]: [172.16.2.2] not authoritative for 10 2.190.216.in-addr.arpa, SOA query got rcode 0, aa 0, ancount 1, aucount 0

The system that is getting this is running slink, but I managed to build a .deb for the version included in sid -- it kept getting hit by the lion worm.

I'm going to have to make the server a master for now, but what can I do?

Thanks,
Shawn
Re: Hidden DNS primary
And yet again, we find that it's the normal ID ten T error. Turns out the zonefile had some garbage at the end from the last edit. The strange thing was, the zone worked on the hidden primary.

Thanks,
Shawn

> Can anyone tell me what I need to do to make it so that I can use a hidden DNS primary? Oddly enough, it seems to work for forward DNS, but reverse DNS gives me this:
>
> Apr 29 16:21:02 segfault named-xfer[6303]: [172.16.2.2] not authoritative for 10 2.190.216.in-addr.arpa, SOA query got rcode 0, aa 0, ancount 1, aucount 0
>
> The system that is getting this is running slink, but I managed to build a .deb for the version included in sid -- it kept getting hit by the lion worm.
>
> I'm going to have to make the server a master for now, but what can I do?
>
> Thanks,
> Shawn
Re: Apache and multiple virtual domains
hum... However, PHP is still run under the webserver's UID, correct? The only workaround is to run PHP in the CGI version...?

Jason

----- Original Message -----
From: Marcelo Gulin [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; debian-isp@lists.debian.org
Sent: Saturday, April 28, 2001 6:13 PM
Subject: RE: Apache and multiple virtual domains

Hi! You can use the suEXEC mechanism to do that job. The suEXEC wrapper allows running CGI and SSI under different UIDs.

cheers
marcelo gulin

----- Original Message -----
From: Marcel Hicking [EMAIL PROTECTED]
To: debian-isp@lists.debian.org
Sent: Friday, April 27, 2001 3:44 AM
Subject: Re: Apache and multiple virtual domains

> What I want to do is have multiple virtual hosts with each virtual host having a different UID for running CGI-BIN scripts.

http://cgiwrap.unixtools.org/

CGIWrap is a gateway program that allows general users to use CGI scripts and HTML forms without compromising the security of the http server. Scripts are run with the permissions of the user who owns the script. In addition, several security checks are performed on the script, which will not be executed if any checks fail.

Since scripts uploaded via FTP will be owned by your customer's UID, they should then run under his UID. I am not sure, however, if you could get the whole apache subprocess to be run under a different UID this way, but then I am not sure if this would give additional security or other advantages.

BTW. I've seen some descriptions on how to set up CGIwrap transparently so your customers wouldn't even notice CGIwrap is running. Something with setting up a handler for file extensions. Maybe check the tips and tricks page http://cgiwrap.unixtools.org/tricks.html on this as well as for some nice mod_rewrite rules ;-)

Cheers,
Marcel

http://www.zentek-international.com
http://hk.zentek-international.com
http://us.zentek-international.com
Re: An LDAP authentication howto for Debian?
On Sun, Apr 29, 2001 at 12:34:02PM +1000, Jeff Waugh wrote:

> <quote who="Jeremy L. Gaddis">
>
> > Out of curiosity, has anyone come across a sort of LDAP authentication howto for Debian?
>
> The LDP has a perfectly good set of documents already; there's no need to duplicate the good work already done by them.

i have been thinking about collecting these into a package which would ease the installation of the first machine..

the biggest case imho is understanding LDAP, LDIF and the permissions in the database.. then it's just a matter of adding the correct objectclass and filling in the blanks..

-- - Sami Haahtinen - - 2209 3C53 D0FB 041C F7B1 F908 A9B6 F730 B83D 761C -
Re: An LDAP authentication howto for Debian?
> Out of curiosity, has anyone come across a sort of LDAP authentication howto for Debian? I've been pondering the idea of using a central LDAP database for authentication for awhile now, but I'm sort of lost after installing the necessary PAM stuff. Thanks.

I have made a LDAP authentication howto for Debian?

http://www.pascalou.org/linux/doc/authentification-ldap.html

But it's in French. I am ready to do a translation, but I need someone to correct my poor English ;-)

bye

-- Pascal Pucci : [EMAIL PROTECTED]
Recommend a site to your friends: http://www.BeeTell.com
Help promote free software: http://www.linuxpien.org
http://www.pascalou.org, on mobile: [EMAIL PROTECTED]