
Re: OpenLDAP for Central Auth?

Craig T wrote:
Thanks for the quick response everyone..

I've been reading up on the pam.conf (pam_groupdn) entries, it sounds pretty much perfect. No complicated access-rules in openldap to write, only catch is that it can only handle one group in the "pam_groupdn cn=GroupName,ou=OUName,dc=example,dc=net" line?

Single group, yes. And the fact that you have to configure the pam.conf files individually for each and every machine in your network. Insanely unscalable and unmanageable.

cya

Craig

On Mon, Dec 19, 2011 at 01:03:13AM -0700, Chris Jacobs wrote:
I can vouch for cent5/6... And 6 seems to prefer SSSD - no /etc/[pam_]ldap.conf but an sssd.conf instead - which I understand is the preferred method now in Fedora too (using SSSD which can also replace NSCD).

I noticed that someone felt the need to rewrite PADL's PAM plugin for Cent6, but it introduces a new service; might as well go for the newer and shinier method.

My .02 - sorry for top posting; PDA.


----- Original Message -----
From: openldap-technical-bounces@OpenLDAP.org
To: openldap-technical@openldap.org
Sent: Mon Dec 19 00:52:20 2011
Subject: Re: OpenLDAP for Central Auth?

Hi

On 12/19/2011 08:18 AM, Craig T wrote:
Hi,

Has anyone successfully deployed OpenLDAP for central auth in a very mixed unix environment? With Host based access control? Plus any documentation would be really great.
Yes, that's no problem. And for documentation, take a look at your distro specific man pages or wikis.

My needs;
- Central Auth
No problem with nss ldap and pam ldap libraries...
- Host based access control (e.g. user "John" from group "accounts" can't log into "development servers").
Sure with pam_groupdn or a specific search filter, maybe with the memberOf attribute.

- Caching for Client logins on laptops. I figure SSSD will be useful here?
I guess you mean user&password caching? Then the nscd Daemon is your friend. Or do you mean credential caching for one session with Single Sign On, then a kerberos setup is your best option.

- Encryption (This looks pretty straight forward in the OpenLDAP 2.4 doco)
Also no problem.... Just compile the newest OpenLDAP with OpenSSL support.

Client OS's involved;
- Solaris 9/10
- Fedora 15/16
- Centos 5/6
No problem, I don't know the Solaris setup, but I guess it's pretty much the same.

cya

Craig

--
Raffael Sahli
public@raffaelsahli.com
Switzerland
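As an added illustration (not from anyone in the thread), the two client-side pam_ldap settings Raffael mentions, side by side: the single-group pam_groupdn and a pam_filter on memberOf that admits more than one group on a host. Server name, group DNs and the CA path are placeholders; the memberOf filter assumes the server maintains that attribute (OpenLDAP's memberof overlay), and both settings are evaluated by the client, so they live in this file on every host.

```conf
# Added example: /etc/pam_ldap.conf (PADL pam_ldap; /etc/ldap.conf on CentOS 5).
# All DNs, host names and paths below are placeholders.
uri ldaps://ldap.example.net/
base dc=example,dc=net
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/ca.crt

# Option 1: pam_groupdn takes exactly one group DN. Login is allowed only if
# that group's member attribute (pam_member_attribute) contains the user's DN.
pam_groupdn cn=accounts,ou=groups,dc=example,dc=net
pam_member_attribute member

# Option 2: a search filter ANDed with uid=<login> when the user entry is looked up.
# Requires memberOf on the user entry (OpenLDAP: memberof overlay). Several groups
# can be allowed per host, at the cost of a per-host filter to maintain.
#pam_filter (|(memberOf=cn=accounts,ou=groups,dc=example,dc=net)(memberOf=cn=sysadmins,ou=groups,dc=example,dc=net))
```

Use one option or the other; either way a policy change means editing this file on every client, which is the scaling objection Howard raises above.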


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/