On 09/02/2018 08:47 PM, Rick Moen wrote:
> Quoting wirelessd...@gmail.com (wirelessd...@gmail.com):
>
> > I'm looking to set up some sort of directory services/network authentication for
> > users on a small corporate network running Devuan Ascii. Is it recommended to
> > use Kerberos+LDAP?
>
> Heh, a bit over ten years ago, I designed a full-blown corporate single
> sign-on system using OpenLDAP with self-signed SSL certs and no
> Kerberos at my then-firm, using CentOS 5 stuff.  I no longer have all the
> materials (because I no longer work there), but will say that getting it
> right was extremely fiddly, even with all the Internet tutorials
> supposedly explaining how to do it.

                                     >8 ---- Snippage ----- 8<


I hate to snip Drew, but I get yelled at when I don't snip long-ish, if
informative, postings.

I've not done the OpenLDAP/AD sync, but I fairly routinely do Linux authentication via PAM/AD integration (there is a cool pam module called oddjob that will do home directory creation/mounting and other housekeeping)... I've even done Apache auth via PAM/AD integration.

The trickiest part I found is being sure ALL the boxes use the same time base.  It doesn't take a lot of time difference to screw up Kerberos, and Windows admins like to think their AD servers are a good enough time base too. Most of the time it is... and then it will bite you really, really hard.

I also have seen some custom apps that didn't retrieve all of the group membership information from PAM/AD even when the id command did (but we're using the same system call).  That one took weeks to find and even longer to get fixed.

I've recently become aware of and am looking at trying FreeIPA because it has a lot of pre-done stuff I want... *IX auth/authorization/accounting, Samba4/Windows user schema, address book application schema that Thunderbird can use (I hate making copies of MAB files... error prone and lossy).  Under the hood, it's using a lot of stock standard OSS stuff... Like so much today, it looks like a collection of giant Lego blocks.

I'll let y'all know
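The clock-skew point above is the one that most often bites a mixed Linux/AD Kerberos setup, so here is an added example (not from the thread or from any of the projects it mentions) of a small audit helper. It parses the `clockskew` setting from the `[libdefaults]` section of a krb5.conf (MIT Kerberos, default 300 seconds if unset) and compares the clock each host reports against a reference clock (normally the KDC or domain controller). The host names, times and config text below are constructed sample data; how you collect each host's time (for example `date -u +%s` over SSH) is left to the reader.

```python
import re
from datetime import datetime, timezone

# MIT krb5 default for [libdefaults] clockskew, in seconds. Windows AD uses the
# same 5-minute default ("Maximum tolerance for computer clock synchronization").
DEFAULT_CLOCKSKEW = 300


def parse_clockskew(krb5_conf_text):
    """Return the [libdefaults] clockskew value from krb5.conf text, in seconds.

    Falls back to DEFAULT_CLOCKSKEW when the key is absent. Only the
    [libdefaults] section is consulted; comments (# or ;) are ignored.
    """
    section = None
    for raw in krb5_conf_text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section == "libdefaults":
            key, sep, value = line.partition("=")
            if sep and key.strip() == "clockskew":
                return int(value.strip())
    return DEFAULT_CLOCKSKEW


def audit_clock_skew(reference, host_times, max_skew):
    """Compare each host's reported clock against a reference clock.

    reference  -- datetime (timezone-aware) taken from the KDC/DC
    host_times -- dict of host name -> timezone-aware datetime from that host
    max_skew   -- tolerance in seconds (see parse_clockskew)

    Returns a dict host -> (offset_seconds, within_tolerance). A positive
    offset means the host's clock is ahead of the reference.
    """
    results = {}
    for host, reported in host_times.items():
        offset = (reported - reference).total_seconds()
        results[host] = (offset, abs(offset) <= max_skew)
    return results


def hosts_out_of_tolerance(results):
    """Return the sorted list of hosts whose clock exceeds the tolerance."""
    return sorted(host for host, (_, ok) in results.items() if not ok)


# --- constructed sample data (not real hosts or a real config) ---------------
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.TEST   # placeholder realm
    clockskew = 120
[realms]
    EXAMPLE.TEST = {
        kdc = dc01.example.test
    }
"""

REFERENCE = datetime(2018, 9, 3, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_HOST_TIMES = {
    "web01":   datetime(2018, 9, 3, 12, 0, 45, tzinfo=timezone.utc),   # +45s
    "app02":   datetime(2018, 9, 3, 11, 58, 30, tzinfo=timezone.utc),  # -90s
    "build03": datetime(2018, 9, 3, 12, 6, 40, tzinfo=timezone.utc),   # +400s
}

if __name__ == "__main__":
    skew = parse_clockskew(SAMPLE_KRB5_CONF)
    report = audit_clock_skew(REFERENCE, SAMPLE_HOST_TIMES, skew)
    for host, (offset, ok) in sorted(report.items()):
        print(f"{host:10s} offset={offset:+7.0f}s {'ok' if ok else 'EXCEEDS ' + str(skew) + 's'}")
```

Run the hosts through this before blaming PAM or the keytab: a host flagged here will get `KRB5KRB_AP_ERR_SKEW` style failures no matter how correct the rest of the configuration is, and the fix is NTP against a common source (with the DCs themselves syncing to it), not a larger `clockskew`.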

_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng