From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: tuhs-bounces@minnie.tuhs.org
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on inbox.vuxu.org
X-Spam-Level: 
X-Spam-Status: No, score=0.9 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,
	HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE,
	SUBJ_ALL_CAPS autolearn=no autolearn_force=no version=3.4.2
Received: from minnie.tuhs.org (minnie.tuhs.org [45.79.103.53])
	by inbox.vuxu.org (OpenSMTPD) with ESMTP id 104de7d0
	for <ml@inbox.vuxu.org>;
	Mon, 5 Nov 2018 08:52:21 +0000 (UTC)
Received: by minnie.tuhs.org (Postfix, from userid 112)
	id 51D4FA2408; Mon,  5 Nov 2018 18:52:20 +1000 (AEST)
Received: from minnie.tuhs.org (localhost [127.0.0.1])
	by minnie.tuhs.org (Postfix) with ESMTP id 3C1C2A2314;
	Mon,  5 Nov 2018 18:52:04 +1000 (AEST)
Received: by minnie.tuhs.org (Postfix, from userid 112)
 id F3103A21EC; Mon,  5 Nov 2018 17:33:53 +1000 (AEST)
Received: from mail-oi1-f178.google.com (mail-oi1-f178.google.com
 [209.85.167.178])
 by minnie.tuhs.org (Postfix) with ESMTPS id 9D026A1FBC
 for <tuhs@minnie.tuhs.org>; Mon,  5 Nov 2018 17:33:48 +1000 (AEST)
Received: by mail-oi1-f178.google.com with SMTP id p144-v6so6584329oic.12
 for <tuhs@minnie.tuhs.org>; Sun, 04 Nov 2018 23:33:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=mime-version:references:in-reply-to:from:date:message-id:subject:to
 :cc:content-transfer-encoding;
 bh=5vD70XzKfb09L/UkYINqX5Ewh/1VcJrrhilir8+1Ebg=;
 b=tzeR710K7Kd90TF029L1o9isbxcMEMCkzeZwm/wOqj1pdVJRRLDTyK9AEbmDmj5G9U
 X3DqkvFjpHI5KFheqmt8NFzHjaMPsk9ue/CgQUsJ1pD4AtK9q2xiyYZDrOyUB3b2oPY8
 2pdYWR47wpdgHL6LjVEz68US3C5qreAkldKF4YZlboXdjOy5O/FcN+3zpSlhjlUNiU5H
 QOSt+Hou0cqOBkf1PXR70YOmitdBsc0jJQgZme1S9tTFv/PqsRpKOrYCr9ik7YxnCKgc
 PmP8LNaocRo5Xa5Rn6ut5jZ9R2uh1o/VLNlArUHdDvnXheUJ1FgLdCY/qve3uWa9F6n1
 1mHQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:references:in-reply-to:from:date
 :message-id:subject:to:cc:content-transfer-encoding;
 bh=5vD70XzKfb09L/UkYINqX5Ewh/1VcJrrhilir8+1Ebg=;
 b=e5mMiLLyzE9jfRcEjf41tnoNaEIsMNHSNbYp9LTB0qB/VnQ69GUCpOD8jv7zYczcQG
 MA3JeR9w0p2TlDmRlTTsCrRdYRCMUE122hwdpnbH/ByJNVvb8U1yqFlg9E/H9FbDsBd+
 JQ2LVGl1iw2ozeZccHR8i92CJ84K7KyUmISRuPnlCQCZ+ScibLadN+edIfeBJdqai4Nm
 cqDtLfjNpLrw4G59ud1LL/ToRaYpcW2US+zUmVLEk+EVa3dewIMvwxZZUCLrXWONhcwn
 OBYdZrhT6DOs/5X5l+I/GocQr9lmE7y7fKBoQLZ0cZtjRJX2fgyQW2a1b77WlR4mg/Ur
 FdIA==
X-Gm-Message-State: AGRZ1gJ2lgP5zhQIBLR2lYY/9zQgYeLO8J6yiSF1lzHr1LEEAXaqFmCU
 G9mJ8r6LJ6p6G8gmmvRmaF1oLyDEwLkZeQ1ttV3KUVjL
X-Google-Smtp-Source: AJdET5fMMYUlNp5No/8VogRxrzGvRppFNeAaiiJBty7RGkxxJlccOZ7ba1MJXa4LsWsH+DQGtErcjq9jv8xekXVzpfk=
X-Received: by 2002:aca:50ce:: with SMTP id
 e197-v6mr12850363oib.174.1541403225593; 
 Sun, 04 Nov 2018 23:33:45 -0800 (PST)
MIME-Version: 1.0
References: <f99e4c98-d584-d823-a581-0d6c3b9c3420@spamtrap.tnetconsulting.net>
 <alpine.DEB.2.20.1811051132410.13752@mira.opentrend.net>
 <c710dafc-9edc-cd29-3aeb-dc0fa6badeff@spamtrap.tnetconsulting.net>
 <CAPWNY8WqB0fO=a_sNq5NezO7xh3-c4iO3gyoFUZXk5e7=v179w@mail.gmail.com>
In-Reply-To: <CAPWNY8WqB0fO=a_sNq5NezO7xh3-c4iO3gyoFUZXk5e7=v179w@mail.gmail.com>
From: =?UTF-8?Q?Mantas_Mikul=C4=97nas?= <grawity@gmail.com>
Date: Mon, 5 Nov 2018 09:33:34 +0200
Message-ID: <CAPWNY8WfVU=_Qfm6F1CXU-J2NC20Yw+n4TBeeK1gi0nvdYv-6w@mail.gmail.com>
To: gtaylor@tnetconsulting.net
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Subject: Re: [TUHS] YP / NIS / NIS+ / LDAP
X-BeenThere: tuhs@minnie.tuhs.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: The Unix Heritage Society mailing list <tuhs.minnie.tuhs.org>
List-Unsubscribe: <https://minnie.tuhs.org/cgi-bin/mailman/options/tuhs>,
 <mailto:tuhs-request@minnie.tuhs.org?subject=unsubscribe>
List-Archive: <http://minnie.tuhs.org/pipermail/tuhs/>
List-Post: <mailto:tuhs@minnie.tuhs.org>
List-Help: <mailto:tuhs-request@minnie.tuhs.org?subject=help>
List-Subscribe: <https://minnie.tuhs.org/cgi-bin/mailman/listinfo/tuhs>,
 <mailto:tuhs-request@minnie.tuhs.org?subject=subscribe>
Cc: tuhs@minnie.tuhs.org
Errors-To: tuhs-bounces@minnie.tuhs.org
Sender: "TUHS" <tuhs-bounces@minnie.tuhs.org>

On Mon, Nov 5, 2018 at 9:24 AM Mantas Mikul=C4=97nas <grawity@gmail.com> wr=
ote:
> > > In my experience LDAP is preferred in a pure *nix environment these
> > > days. I've never played much with Kerberos.
> >
> > Does that mean that the authentication is also done across LDAP?  I hop=
e
> > that it's encrypted LDAP.

I replied to the second sentence, but missed the first one. Yes, many
places use LDAP for authentication.

Although strictly speaking LDAP is not an *authentication* protocol,
but it *is* a read/write protocol: the way you make updates to the
directory isn't by rebuilding it from a textfile, but by
authenticating and sending updates via LDAP itself. Naturally this
supports TLS for encrypting the channel.

Normally it isn't just the sysadmin who can do so, but every user can
also authenticate as themselves (i.e. "bind" to their own entry in
LDAP terms). Maybe they can't edit anything at all, maybe they can
edit only their own finger information, but they're usually able to
authenticate nevertheless.

And so many installations just turn this backwards and declare "If you
can successfully bind to the LDAP database, you must be a valid user".

--=20
Mantas Mikul=C4=97nas