Hi,
Has anyone successfully deployed OpenLDAP for central auth in a very mixed unix environment? With Host based access control? Plus any documentation would be really great.
My needs;
- Central Auth
- Host based access control (e.g. user "John" from group "accounts" can't log into "development servers").
- Caching for Client logins on laptops. I figure SSSD will be useful here?
- Encryption (This looks pretty straight forward in the OpenLDAP 2.4 doco)
Client OS's involved;
- Solaris 9/10
- Fedora 15/16
- Centos 5/6
cya
Craig
Am Mon, 19 Dec 2011 18:18:12 +1100 schrieb Craig T openldap@noboost.org:
Hi,
Has anyone successfully deployed OpenLDAP for central auth in a very mixed unix environment? With Host based access control? Plus any documentation would be really great.
My needs;
- Central Auth
- Host based access control (e.g. user "John" from group "accounts"
can't log into "development servers".
- Caching for Client logins on laptops. I figure SSSD will be useful
here?
- Encryption (This looks pretty straight forward in the OpenLDAP 2.4
doco)
man slapo-nssov(5), in particular on nssov-ssd and nssov-pam.
-Dieter
Hi
On 12/19/2011 08:18 AM, Craig T wrote:
Hi,
Has anyone successfully deployed OpenLDAP for central auth in a very mixed unix environment? With Host based access control? Plus any documentation would be really great.
Yes, that's no problem. And for documentation, take a look at your distro specific man pages or wikis.
My needs;
- Central Auth
No problem with nss ldap and pam ldap libraries...
- Host based access control (e.g. user "John" from group "accounts" can't log into "development servers".
Sure with pam_groupdn or a specific search filter, maybe with the memberOf attribute.
- Caching for Client logins on laptops. I figure SSSD will be useful here?
I guess you mean user & password caching? Then the nscd Daemon is your friend. Or do you mean credential caching for one session with Single Sign On, then a kerberos setup is your best option.
- Encryption (This looks pretty straight forward in the OpenLDAP 2.4 doco)
Also no problem.... Just compile the newest OpenLDAP with OpenSSL support.
Client OS's involved;
- Solaris 9/10
- Fedora 15/16
- Centos 5/6
No problem, I don't know the Solaris setup, but I guess it's pretty much the same.
cya
Craig
I can vouch for cent5/6... And 6 seems to prefer SSSD - no /etc/[pam_]ldap.conf but an sssd.conf instead - which I understand is the preferred method now in Fedora too (using SSSD which can also replace NSCD).
I noticed that someone felt the need to rewrite PADL's PAM plugin for Cent6, but it introduces a new service; might as well go for the newer and shinier method.
My .02 - sorry for top posting; PDA.
----- Original Message -----
From: openldap-technical-bounces@OpenLDAP.org
To: openldap-technical@openldap.org
Sent: Mon Dec 19 00:52:20 2011
Subject: Re: OpenLDAP for Central Auth?
Hi
On 12/19/2011 08:18 AM, Craig T wrote:
Hi,
Has anyone successfully deployed OpenLDAP for central auth in a very mixed unix environment? With Host based access control? Plus any documentation would be really great.
Yes, that's no problem. And for documentation, take a look at your distro specific man pages or wikis.
My needs;
- Central Auth
No problem with nss ldap and pam ldap libraries...
- Host based access control (e.g. user "John" from group "accounts" can't log into "development servers".
Sure with pam_groupdn or a specific search filter, maybe with the memberOf attribute.
- Caching for Client logins on laptops. I figure SSSD will be useful here?
I guess you mean user & password caching? Then the nscd Daemon is your friend. Or do you mean credential caching for one session with Single Sign On, then a kerberos setup is your best option.
- Encryption (This looks pretty straight forward in the OpenLDAP 2.4 doco)
Also no problem.... Just compile the newest OpenLDAP with OpenSSL support.
Client OS's involved;
- Solaris 9/10
- Fedora 15/16
- Centos 5/6
No problem, I don't know the Solaris setup, but I guess it's pretty much the same.
cya
Craig
--
Raffael Sahli
public@raffaelsahli.com
Switzerland
This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.
Thanks for the quick response everyone..
I've been reading up on the pam.conf (pam_groupdn) entries, it sounds pretty much perfect. No complicated access-rules in openldap to write, only catch is that it can only handle one group in the "pam_groupdn cn=GroupName,ou=OUName,dc=example,dc=net" line?
cya
Craig
Craig T wrote:
Thanks for the quick response everyone..
I've been reading up on the pam.conf (pam_groupdn) entries, it sounds pretty much perfect. No complicated access-rules in openldap to write, only catch is that it can only handle one group in the "pam_groupdn cn=GroupName,ou=OUName,dc=example,dc=net" line?
Single group, yes. And the fact that you have to configure the pam.conf files individually for each and every machine in your network. Insanely unscalable and unmanageable.
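One way to keep the host access policy in the directory instead of in a hand-edited pam.conf on every machine is SSSD's LDAP access provider, which Chris mentioned above for CentOS 6 and Fedora. The sssd.conf below is an added example, not something posted in this thread; the server name ldap.example.net, the base dc=example,dc=net, the ou=groups container, the group names and the CA path are assumptions, and the memberOf filter assumes the server runs the memberof overlay so user entries carry that attribute.

```ini
; /etc/sssd/sssd.conf  (example only; mode 0600, owned by root)
[sssd]
config_file_version = 2
services = nss, pam
domains = example

[nss]
; SSSD replaces nscd for passwd/group lookups on this client

[pam]
; Laptops: allow logins from the locally cached credential hash
; for up to 7 days when the LDAP server is unreachable
offline_credentials_expiration = 7

[domain/example]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap

; ldaps:// and a pinned CA so passwords never cross the wire in clear
; and a spoofed server is rejected (reqcert = demand)
ldap_uri = ldaps://ldap.example.net
ldap_search_base = dc=example,dc=net
ldap_tls_cacert = /etc/openldap/cacerts/ca.pem     ; assumed path
ldap_tls_reqcert = demand

; Needed for offline logins: cache a hash of successful credentials
cache_credentials = True

; Host based access control. Unlike pam_groupdn this filter can name
; several groups; a user who matches none of them gets an account
; failure from pam_sss even though their password is correct.
; Development servers would carry a filter naming cn=developers only.
ldap_access_order = filter
ldap_access_filter = (|(memberOf=cn=ops,ou=groups,dc=example,dc=net)(memberOf=cn=developers,ou=groups,dc=example,dc=net))
```

The filter still has to be set on each host class (one for "development servers", one for production, and so on), so use your configuration management to push it; the group membership itself is edited once, in LDAP.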
Raffael Sahli wrote:
- Caching for Client logins on laptops. I figure SSSD will be useful here?
I guess you mean user&password caching? Then the nscd Daemon is your friend. Or do you mean credential caching for one session with Single Sign On, then a kerberos setup is you best option.
nscd is nobody's friend. It's a poor design and even more poorly implemented.
slapo-pcache has full support for laptops/disconnected operation, and actually works. Unlike those others.
Craig T wrote:
Hi,
Has anyone successfully deployed OpenLDAP for central auth in a very mixed unix environment? With Host based access control? Plus any documentation would be really great.
My needs;
- Central Auth
- Host based access control (e.g. user "John" from group "accounts" can't log into "development servers".
http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=tree;f=contrib/sla...
- Caching for Client logins on laptops. I figure SSSD will be useful here?
slapo-pcache(5)
- Encryption (This looks pretty straight forward in the OpenLDAP 2.4 doco)
Client OS's involved;
- Solaris 9/10
- Fedora 15/16
- Centos 5/6