
Re: OpenLDAP for Central Auth?



Thanks for the quick response, everyone.

I've been reading up on the pam.conf (pam_groupdn) entries; it sounds pretty much perfect. No complicated access rules in openldap to write. The only catch is that it can only handle one group in the "pam_groupdn cn=GroupName,ou=OUName,dc=example,dc=net" line?

cya

Craig

On Mon, Dec 19, 2011 at 01:03:13AM -0700, Chris Jacobs wrote:
> I can vouch for cent5/6... And 6 seems to prefer SSSD - no /etc/[pam_]ldap.conf but an sssd.conf instead - which I understand is the preferred method now in Fedora too (using SSSD which can also replace NSCD).
> 
> I noticed that someone felt the need to rewrite PADL's PAM plugin for Cent6, but it introduces a new service; might as well go for the newer and shinier method.
> 
> My .02 - sorry for top posting; PDA.
> 
> 
> ----- Original Message -----
> From: openldap-technical-bounces@OpenLDAP.org <openldap-technical-bounces@OpenLDAP.org>
> To: openldap-technical@openldap.org <openldap-technical@openldap.org>
> Sent: Mon Dec 19 00:52:20 2011
> Subject: Re: OpenLDAP for Central Auth?
> 
> Hi
> 
> On 12/19/2011 08:18 AM, Craig T wrote:
> > Hi,
> >
> > Has anyone successfully deployed OpenLDAP for central auth in a very mixed unix environment? With Host based access control? Plus any documentation would be really great.
> Yes, that's no problem. And for documentation, take a look at your
> distro specific man pages or wikis.
> 
> >
> >
> > My needs;
> > - Central Auth
> No problem with nss ldap and pam ldap libraries...
> > - Host based access control (e.g. user "John" from group "accounts" can't log into "development servers".
> Sure with pam_groupdn or a specific search filter, maybe with the
> memberOf attribute.
> 
> > - Caching for Client logins on laptops. I figure SSSD will be useful here?
> I guess you mean user & password caching? Then the nscd daemon is your
> friend. Or do you mean credential caching for one session with Single
> Sign On? Then a kerberos setup is your best option.
> 
> > - Encryption (This looks pretty straight forward in the OpenLDAP 2.4 doco)
> Also no problem.... Just compile the newest OpenLDAP with OpenSSL support.
> 
> >
> > Client OS's involved;
> > - Solaris 9/10
> > - Fedora 15/16
> > - Centos 5/6
> No problem, I don't know the Solaris setup, but I guess it's pretty much
> the same.
> 
> >
> >
> > cya
> >
> > Craig
> >
> 
> 
> --
> Raffael Sahli
> public@raffaelsahli.com
> Switzerland
> 
> 
> 
>
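As an added example (not from the thread or any of its posters), here is how the two host-based access approaches discussed above look in a PADL-style /etc/ldap.conf, followed by the SSSD equivalent Chris mentions for CentOS 6 / Fedora: pam_groupdn takes a single group DN, while a pam_filter built on memberOf (as Raffael suggests) can admit several groups. All DNs, hostnames, group names and file paths are placeholders, and the memberOf filter assumes the server runs the memberof overlay.

```ini
# --- /etc/ldap.conf (PADL pam_ldap/nss_ldap); placeholder values ---
base dc=example,dc=net
uri ldaps://ldap.example.net/
ssl on
tls_cacertfile /etc/openldap/cacerts/ca.crt

# Option 1: pam_groupdn accepts exactly one group DN. The login user's DN
# must appear in that group's member attribute (the default attribute is
# uniquemember; "member" assumes a groupOfNames entry holding full DNs).
pam_groupdn cn=accounts,ou=groups,dc=example,dc=net
pam_member_attribute member

# Option 2: pam_filter is ANDed with the uid lookup, so an OR over several
# memberOf values admits users from more than one group. Assumed to be used
# instead of pam_groupdn (comment the lines above out if you switch).
#pam_filter |(memberOf=cn=accounts,ou=groups,dc=example,dc=net)(memberOf=cn=sysadmin,ou=groups,dc=example,dc=net)

# --- /etc/sssd/sssd.conf equivalent (SSSD replaces pam_ldap and nscd) ---
[sssd]
services = nss, pam
domains = example

[domain/example]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.net/
ldap_search_base = dc=example,dc=net
ldap_tls_cacert = /etc/openldap/cacerts/ca.crt
# offline password caching for laptops
cache_credentials = true
# host-based access: several groups allowed in one line
access_provider = simple
simple_allow_groups = accounts, sysadmin
```

Whichever file is used, verify the deny path as well as the allow path on a test host (a user outside the listed groups must be refused at the PAM account stage, not just at password check) before rolling it out to the development servers.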