Today's Topics:
1. Re: Adding users to Netdisco via script for database
(Brian Marshall)
--- Begin Message ---
Hello Mike,
As promised, here is a link to the SSO solution I've implemented at my
organization:
https://pastebin.com/VAHT4fe0
I imagine this will raise as many questions as it answers, but the
script is in production where I work, with some anonymizing applied
(which may have broken things subtly of course). Properly implemented,
it will allow any logged in user with a valid kerberos token to log in
without a password prompt. This is automatic in IE and Chrome, but will
require allowing auth passthru from about:config if you want to use Firefox.
The basic idea is:
1) Apache handles the kerberos auth utilizing its keytab, krb5.conf
and auth_kerb (a2en auth_kerb)
2) Netdisco trusts the x-remote-user that it is presented with
(after some tricky business to pass the variable in to the netdisco
PROXYPASS)
3) The netdisco user database is pre-populated with LDAP users from
certain OUs
4) The user entries are blown away and recreated on a schedule,
eliminating users autoadded based on a preset note
The unwritten part here is how to setup kerberos and create the kerberos
keytab at /var/www/netdisco.keytab. This has to be done on your DC and
also involves a correct krb5.conf config. You'll also need an LDAP user
and a password file (/etc/ldap/monitoringsso.pass; verify there is no
trailing newline!) to drive the ldapsearch utility.
Hopefully the LDAP users script is self-explanatory. It uses LDAP-style
OUs to point at for lists of admin/user/user accounts and has some
sanity checking values to make sure the script didn't pull in too
few/too many users.
There are almost certainly some pitfalls I'm forgetting. I may have even
had to tweak my netdisco source to make all this work, but I don't
remember doing so.
Let me know if you have any trouble making it work and I'll try to help.
-Brian Marshall
On 1/23/19 12:28 PM, Michael Dano wrote:
We are attempting to come up with a way to automatically add and remove
users on our Netdisco system. We currently have a script that will allow
us to pull a list of users from our AD system and add them as users on
our Ubuntu servers. We would like to modify this script to automatically
add users into the netdisco database to give them access based on the
AD groups they belong to. Our issue is we are not quite sure what
tables we would need to add users in. We also want to know if the same
table is the one that would give them user or admin access, since some
IT users would need different levels of access.
Any assistance or direction on this would be greatly appreciated.
Mike Dano
Infrastructure Administrator,
Infrastructure Security & Support
Baker College System
O: 810-766-4120 | M: 810-650-0947
_______________________________________________
Netdisco mailing list
[email protected]
https://sourceforge.net/p/netdisco/mailman/netdisco-users/
--- End Message ---
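Steps 3 and 4 of Brian's outline (pre-populate the Netdisco user table from per-role OUs, then blow the auto-added rows away and recreate them on a schedule, keyed on a preset note) as an added example. This is not the pastebin script, and not Netdisco's own code. Assumptions not taken from the thread: the Netdisco `users` table has the columns `username`, `admin`, `port_control` and `note` with `username` unique; the OU DNs, bind DN, LDAP URI and the `sAMAccountName` attribute are placeholders; the LDIF sample is constructed, not captured from a real directory. The count bounds are the "sanity checking values" Brian mentions: an empty or truncated ldapsearch result must never wipe the admin accounts, and the username check keeps a directory-controlled value from becoming SQL.

```python
"""Recreate Netdisco's auto-added users from LDAP OU membership.

Added example (not Brian's script, not Netdisco code). Column names,
DNs and the LDIF sample below are assumptions / constructed data.
"""
import re
import subprocess
import sys

LDAP_URI = "ldaps://dc1.example.org"                    # assumption
BIND_DN = "cn=monitoringsso,ou=Service,dc=example,dc=org"  # assumption
PASS_FILE = "/etc/ldap/monitoringsso.pass"  # ldapsearch -y reads the file byte-for-byte,
                                            # so a trailing newline becomes part of the password
SYNC_NOTE = "ldap-sync"   # marks the rows this script owns; hand-made rows are left alone

# role -> (search base, minimum expected count, maximum expected count)
ROLE_OUS = {
    "admin": ("ou=NetAdmins,ou=IT,dc=example,dc=org", 1, 20),
    "user":  ("ou=Helpdesk,ou=IT,dc=example,dc=org", 1, 200),
}
USERNAME_RE = re.compile(r"^[a-z0-9][a-z0-9._-]{0,63}$")

# Constructed LDIF, shaped like `ldapsearch -LLL` output, including one folded line.
SAMPLE_LDIF = """\
dn: CN=Alice Adams,OU=NetAdmins,OU=IT,DC=example,DC=org
sAMAccountName: aadams

dn: CN=Bob Brown,OU=NetAdmins,OU=IT,DC=example,DC=org
sAMAccountName: bbrown

dn: CN=Monitoring Svc,OU=NetAdmins,OU=IT,DC=example,DC=org
sAMAccountName: svc-
 monitoring
"""


def parse_ldif_usernames(ldif, attr="sAMAccountName"):
    """Return lower-cased values of `attr` from LDIF text.

    Joins folded continuation lines (leading space) and skips base64
    ('::') values, which a login name never needs.
    """
    unfolded = re.sub(r"\n ", "", ldif)
    pattern = re.compile(rf"^{re.escape(attr)}:\s*(\S+)\s*$", re.IGNORECASE)
    return [m.group(1).lower() for m in map(pattern.match, unfolded.splitlines()) if m]


def counts_ok(role, names):
    """Sanity bound: refuse to sync when a query returned too few or too many accounts."""
    lo, hi = ROLE_OUS[role][1:]
    return lo <= len(names) <= hi


def sql_literal(value):
    return "'" + value.replace("'", "''") + "'"


def build_sync_sql(members):
    """One transaction: delete every row tagged SYNC_NOTE, then re-insert current members."""
    rows = {}
    for role in ("user", "admin"):          # admin processed last so it wins on overlap
        for name in members.get(role, []):
            if not USERNAME_RE.match(name):
                raise ValueError(f"refusing to sync suspicious username {name!r}")
            rows[name] = role
    lines = ["BEGIN;", f"DELETE FROM users WHERE note = {sql_literal(SYNC_NOTE)};"]
    for name, role in sorted(rows.items()):
        flag = "true" if role == "admin" else "false"
        lines.append(
            "INSERT INTO users (username, admin, port_control, note) "
            f"VALUES ({sql_literal(name)}, {flag}, {flag}, {sql_literal(SYNC_NOTE)}) "
            "ON CONFLICT (username) DO NOTHING;"   # keep a hand-made row of the same name
        )
    lines.append("COMMIT;")
    return "\n".join(lines)


def run_ldapsearch(base):
    cmd = ["ldapsearch", "-LLL", "-x", "-H", LDAP_URI, "-D", BIND_DN, "-y", PASS_FILE,
           "-b", base, "(objectClass=user)", "sAMAccountName"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def main():
    members = {}
    for role, (base, _, _) in ROLE_OUS.items():
        names = parse_ldif_usernames(run_ldapsearch(base))
        if not counts_ok(role, names):
            sys.exit(f"{role}: {len(names)} accounts returned, outside sanity bounds; not syncing")
        members[role] = names
    subprocess.run(["psql", "-v", "ON_ERROR_STOP=1", "-d", "netdisco"],
                   input=build_sync_sql(members), text=True, check=True)


if __name__ == "__main__":
    if "--demo" in sys.argv:      # offline: show the SQL for the constructed sample
        print(build_sync_sql({"admin": parse_ldif_usernames(SAMPLE_LDIF)}))
    else:
        main()
```

Run it from cron with `--demo` first to eyeball the generated SQL; since the delete and the inserts share one transaction with `ON_ERROR_STOP`, a failed insert rolls the delete back rather than leaving the table empty until the next run.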