[mpm-itk] mpm-itk with ldap

Uday MOORJANI uday.moorjani at mediaserv-corp.net
Wed Jun 4 00:58:32 CEST 2008


Dear All,

Sorry for my lack of details. My users are authenticated via LDAP, hence
all of their credentials are stored in an ldap directory. As Mr Maikel said,
since mpm-itk uses the generic pam, if configuring pam for ldap, when itk
calls a setuid for a user, it should be able to use pam to look up the ldap
directory for the user. Hope I'm clear. I just wanted to know if mpm-itk had
any related issues with pam_ldap and if it was possible for mpm-itk to work
with pam_ldap.

To be even more transparent, I'm designing a shared hosting server based on
apache2-mpm-itk in a chroot and per virtualhost confinement with grsecurity.
My problem was:

Problem 1: Apache Process being executed on a per-user basis: SOLVED, mpm-itk
did it.
Problem 1.1: Since apache is running as root, I need to confine it just in
case crap happens so I compiled custom kernel with grsecurity and hid/ACLed
everything outside the chroot to apache2 process and hid/ACLed the rest of
the chroot on a per virtual host basis by gobbling the DocumentRoot in the
grsecurity profile.

Problem 2: Centrally manage the users without using the traditional
/etc/passwd; we already have a central ldap server based on Fedora Directory
Server, I considered it to be a good idea to centrally manage the user there.
Predefined schemas are present for UNIX users so no hassle schema designing.

Problem 3: Provisioning; through ldap and a webservice on the server.

Problem 4: Maintenance; all done with makejail, I know it's a sloppy
solution but I'd rather use it instead of hardlinks.

Hope it's clearer. :)

Again thankx guys and good work on mpm-itk.

Uday MOORJANI

On Tue, Jun 3, 2008 at 4:47 PM, Steinar H. Gunderson <sgunderson at bigfoot.com>
wrote:

> On Tue, Jun 03, 2008 at 11:46:53AM -0400, Uday MOORJANI wrote:
> > Does mpm-itk work with ldap ? if yes how do you suggest configuring it ? I'm
> > on ubuntu 8.04 LTS.
>
> It's not immediately clear what you're trying to do. There's nothing in
> mpm-itk that I know of that would conflict with LDAP authentication, at least
> assuming you don't need root access to client-side certificates etc. Could
> you go into a bit more detail?
>
> /* Steinar */
> --
> Homepage: http://www.sesse.net/