On Sun, Apr 25, 2010 at 11:15:24PM -0400, Ian Stokes-Rees wrote:
> OpenLDAP + 389 DS + WebMin + UserMin seem like they could do this, and

Yes, this is actually what we have now, and it works very well for what we need. What we don't use it for is workstation auth; if that were my problem I would say AD and just wait for my boss to hand me a credit card. But for network services, apache, etc, it's fantastic.

> that is the path I've started down. Most CMS systems (and Django, the
> main one we're using) will play nicely with LDAP, as will Apache httpd.
> ssh login will also be manageable via this system (of course). I'd like
> to be able to script ~/.ssh/authorized_keys file updates via web-based
> user-driven public-key additions (many accounts are shared for various
> good reasons), and similarly for X.509-based public key systems.

http://code.google.com/p/openssh-lpk/

It works very well on fbsd. I think for debian/ubuntu you have to build your own sshd. No idea about Red Hat.

pam_ldap lets you choose who can log into which servers with the group_dn directive, and sudo has ldap integration too, so this way you can entirely control who can log into what server with ldap.

Alternatively, you could use Kerberos, as ssh supports gssapi. I haven't actually tried this though.

_______________________________________________
bblisa mailing list
[email protected]
http://www.bblisa.org/mailman/listinfo/bblisa
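The thread's idea of letting users add public keys through a web form and scripting the `~/.ssh/authorized_keys` update is where the validation matters: whatever the portal writes into that file is trusted by sshd, so a submitted line needs to be checked before it is appended. The following Python is an added example written for this note, not code from either poster or from openssh-lpk. It cross-checks the key-type word on the line against the type name embedded in the base64 blob (the RFC 4253 string encoding), refuses lines that try to carry their own authorized_keys options such as `command=` or `from=`, keeps comments to printable ASCII, de-duplicates against the existing file, and lets the service prepend its own options instead. The allowed key types and the option string are assumed policy choices; `make_ed25519_line` only builds a syntactically valid sample from arbitrary bytes for demonstration.

```python
"""Validate user-submitted OpenSSH public keys before they reach authorized_keys.

Added example, standard library only. An OpenSSH public key blob is a sequence
of RFC 4253 'string' fields (4-byte big-endian length + payload), the first of
which is the key-type name, so the type word on the line can be verified
against the blob rather than trusted as typed.
"""
import base64
import binascii
import re
import struct

# Key types the service accepts (assumed policy; adjust to taste).
ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}
_COMMENT_RE = re.compile(r"^[\x20-\x7e]*$")  # printable ASCII only, no newlines


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string' (4-byte big-endian length + payload)."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(blob: bytes, off: int):
    """Decode one SSH 'string' at offset; raise ValueError if truncated."""
    if off + 4 > len(blob):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    if off + n > len(blob):
        raise ValueError("truncated string field")
    return blob[off:off + n], off + n


def parse_public_key(line: str):
    """Return (keytype, base64_blob, comment) for a bare '<type> <base64> [comment]' line.

    Rejects leading authorized_keys options (command=, from=, ...), unknown key
    types, malformed base64, blobs whose embedded type disagrees with the type
    word, and comments carrying control characters.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, b64 = parts[0], parts[1]
    comment = parts[2].strip() if len(parts) == 3 else ""
    if keytype not in ALLOWED_TYPES:  # an options token lands here and is refused
        raise ValueError(f"key type not allowed: {keytype!r}")
    try:
        blob = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("malformed base64") from exc
    wire_type, off = _read_ssh_string(blob, 0)
    if wire_type != keytype.encode("ascii"):
        raise ValueError("type word does not match key blob")
    fields = []
    while off < len(blob):  # every remaining field must be length-prefixed
        field, off = _read_ssh_string(blob, off)
        fields.append(field)
    if keytype == "ssh-ed25519" and (len(fields) != 1 or len(fields[0]) != 32):
        raise ValueError("ed25519 blob must hold exactly one 32-byte point")
    if not _COMMENT_RE.match(comment):
        raise ValueError("comment contains non-printable characters")
    return keytype, b64, comment


def is_acceptable(line: str) -> bool:
    """Boolean wrapper around parse_public_key for callers that only need a verdict."""
    try:
        parse_public_key(line)
        return True
    except ValueError:
        return False


def _dedup_key(tokens):
    """Find the (type, blob) pair in an existing line, with or without a leading options token."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in ALLOWED_TYPES:
            return tok, tokens[i + 1]
    return None


def merge_authorized_keys(existing_text: str, submitted_lines, options: str = "") -> str:
    """Return existing authorized_keys content plus validated, de-duplicated submitted keys.

    Existing lines (comments, option-prefixed entries) are kept verbatim. The
    whole batch is validated before anything is added, so a bad line rejects
    the batch instead of leaving a half-applied file. 'options' is prepended
    by the service itself; user-supplied options are never accepted.
    """
    validated = [parse_public_key(line) for line in submitted_lines]
    seen, out = set(), []
    for raw in existing_text.splitlines():
        out.append(raw)
        key = _dedup_key(raw.split())
        if key:
            seen.add(key)
    for keytype, b64, comment in validated:
        if (keytype, b64) in seen:
            continue
        seen.add((keytype, b64))
        out.append(" ".join(t for t in (options, keytype, b64, comment) if t))
    return "\n".join(out) + "\n" if out else ""


def make_ed25519_line(raw_point: bytes, comment: str = "") -> str:
    """Build a syntactically valid ssh-ed25519 line from 32 arbitrary bytes (constructed sample, not a real key)."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw_point)
    return f"ssh-ed25519 {base64.b64encode(blob).decode('ascii')} {comment}".rstrip()


if __name__ == "__main__":
    good = make_ed25519_line(bytes(range(32)), "alice@workstation")
    existing = "# keys managed by the account portal\n" + good + "\n"
    new = make_ed25519_line(b"\x7f" * 32, "alice@laptop")
    print(merge_authorized_keys(existing, [good, new], options="no-agent-forwarding"))
```

The portal would write the returned text to a temporary file in the user's `~/.ssh` and rename it into place, so sshd never sees a partially written file; the same parser can be reused to check an `sshPublicKey` value before it is stored in LDAP for openssh-lpk to serve.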
