Quoting wirelessd...@gmail.com (wirelessd...@gmail.com):

> I’m looking to setup some sort of directory services/network authentication 
> for users on a small corporate network running Devuan Ascii. Is it 
> recommended to use Kerberos+LDAP?

Heh, a bit over ten years ago, I designed a full-blown corporate single
sign-on system using OpenLDAP with self-signed SSL certs and no
Kerberos at my then-firm, using CentOS 5 stuff.  I no longer have all the
materials (because I no longer work there), but will say that getting it
right was extremely fiddly, even with all the Internet tutorials
supposedly explaining how to do it.  

Because the firm had Active Directory for the Windows side of things
including Exchange Server, I first wrote up a white paper to make sure
the CTO knew he had to make an important strategic choice:  Because AD
relied on proprietary extensions to Kerberos, the firm could _either_
slave OpenLDAP servers off AD and maintain the whole directory off the
Windows side, or could create a separate schema and database entirely
within OpenLDAP for the firm's hundreds of Linux and Solaris machines
_only_ that was distinct from (did not coordinate data with) the AD
directory.  I believe there were also a couple of further alternatives
involving proprietary software for Linux that attempted to bridge in
some fashion the sharing chasm.  The CTO approved the second option,
having the firm's Linux & Solaris machines participate in a single
sign-on system unconnected to AD.

Being wary of trouble, I made sure my change control documentation made
this matter clear, that this rollout would _not_ be interconnected to
AD.  Mid-morning, I sent out the announcement e-mail and started
checking in my code.  Immediately, I got an urgent directive from the
Chief Operating Officer to _stop_.  Which, of course, I did.

The COO had what apparently was a fiery discussion with the CTO,
thankfully above my paygrade, and I was directed to throw away my work
and design/test/rollout a redesign to slave OpenLDAP servers off AD, and
then authenticate signon for Linux/Solaris machines to the OpenLDAP
servers.  Just as with the earlier project, getting this right was a
little painful.  Unless things have changed a lot in ten years, expect
to spend some time at it.

> I have also taken a look at FusionDirectory and it looks relatively
> simple to use. 

Looks like a nice little Web-based directory browser.  Unless I'm
missing something important, that does nothing to solve the larger
problem of setting up the underlying LDAP software, schema, and
contents.

Anyway, it's been a _long_ time since I dealt with all of that badness,
so I'm probably forgetting a lot.  This looks like a decent starting
point:  https://wiki.debian.org/LDAP/Kerberos  (except it has little to
say about AD integration).

_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng