"store rsyncd secrets in ldap" was:Re: rsync & ldap authentication

Stefan Nehlsen sn at ParlaNet.de
Wed Feb 12 23:46:52 EST 2003


On Wed, Feb 12, 2003 at 10:11:10AM +1100, Donovan Baarda wrote:
> On Wed, 2003-02-12 at 04:25, Darren Jung wrote:
> > Hi,
> > 
> > I'm trying to get rsync 2.5.6 to authenticate users via
> > openldap-2.0.23.  I was looking through the mailing list archives and
> > found a patch for rsync-2.4.6 that does this for me.  I was just
> > wondering if this is still valid, or if there has been a new patch or
> > new implementation that has superseded this patch.  Any help would be
> > great.  The message I am referring to is as follows:
> [...]
> 
> I'm not sure exactly what you are trying to achieve, but I'm not sure
> you need to patch rsync at all.

If you want to be compatible with the rsyncd md4 challenge response
authentication you will have to. rsyncd doesn't provide any
"standard" authentication (pam, sasl, ...) and if it ever does,
this can't be compatible with older rsync versions.

For this reason the patch makes sense.

> Provided rsync uses libc to lookup users, all you need is to configure
> nsswitch to use ldap properly. This is enough to make any unix
> application work with ldap, provided it uses the proper libc routines
> and doesn't access /etc/passwd and /etc/shadow directly.

rsyncd is using its own user base

> This does mean that all the users in ldap look like real unix users on
> that host. If you don't want this, and want to keep the unix users in
> /etc/passwd and only use ldap for rsync users, then you probably want
> rsync to use PAM for authentication, and use the pam_ldap module.
> 
> I'm not sure if rsync can use PAM for authentication, 

it can't

> but if you really
> want rsync to directly use ldap auth (ie, not via nsswitch), PAM is the
> "proper" way to do it. Please don't hack rsync to lookup ldap directly.

It may be hacked to provide standard authentication (pam or sasl) but
this will lead us to versions that are not backward compatible.

Please call the patch "store rsyncd secrets in ldap" instead of 
"ldap authentication".

The patch didn't make it into standard because it was too special.



cu, Stefan
-- 
Stefan Nehlsen | ParlaNet Administration | sn at parlanet.de | +49 431 988-1260
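
An added illustration, not code from this message or from rsync, of the distinction drawn above: a challenge-response daemon has to read the stored secret itself to recompute the expected answer, so a backend that can only check a presented password (PAM, an LDAP bind) has nothing to work with. This is a simplified model with SHA-256 standing in for rsyncd's MD4; all class, function and account names are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets

def digest(secret: str, challenge: str) -> str:
    # Simplified model: base64(hash(secret + challenge)). SHA-256 stands in
    # for rsyncd's MD4; this is not the exact rsync wire format.
    raw = hashlib.sha256((secret + challenge).encode()).digest()
    return base64.b64encode(raw).decode().rstrip("=")

class SecretStore:
    """Hypothetical backend that returns the stored secret itself
    (a secrets file, or an LDAP attribute as in the patch discussed)."""
    def __init__(self, entries):
        self._entries = dict(entries)

    def lookup(self, user):
        return self._entries.get(user)

class VerifyOnlyBackend:
    """Hypothetical PAM / LDAP-bind style backend: keeps only a one-way
    hash and can only answer "is this password right?"."""
    def __init__(self, entries):
        self._hashes = {u: hashlib.sha256(p.encode()).hexdigest()
                        for u, p in entries.items()}

    def check(self, user, password):
        got = hashlib.sha256(password.encode()).hexdigest()
        return hmac.compare_digest(self._hashes.get(user, ""), got)

def new_challenge():
    return secrets.token_hex(16)  # fresh per connection, defeats replay

def client_response(user, password, challenge):
    # The password never crosses the wire, only the digest does.
    return f"{user} {digest(password, challenge)}"

def server_verify(store, challenge, line):
    user, _, response = line.partition(" ")
    secret = store.lookup(user)
    if secret is None:
        return False
    expected = digest(secret, challenge)
    return hmac.compare_digest(expected.encode(), response.encode())

USERS = {"backup": "s3cret"}  # constructed sample account
```

The verify-only backend accepts the real password but has no way to validate the digest the client actually sends, which is why swapping in such a backend means changing what goes over the wire.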

