Thanks for the quick response, everyone. I've been reading up on the pam.conf (pam_groupdn) entries; it sounds pretty much perfect. No complicated access rules in OpenLDAP to write; the only catch is that it can only handle one group in the "pam_groupdn cn=GroupName,ou=OUName,dc=example,dc=net" line?
cya
Craig

On Mon, Dec 19, 2011 at 01:03:13AM -0700, Chris Jacobs wrote:
> I can vouch for cent5/6... And 6 seems to prefer SSSD - no
> /etc/[pam_]ldap.conf but an sssd.conf instead - which I understand is the
> preferred method now in Fedora too (using SSSD which can also replace NSCD).
>
> I noticed that someone felt the need to rewrite PADL's PAM plugin for Cent6,
> but it introduces a new service; might as well go for the newer and shinier
> method.
>
> My .02 - sorry for top posting; PDA.
>
> ----- Original Message -----
> From: [email protected] <[email protected]>
> To: [email protected] <[email protected]>
> Sent: Mon Dec 19 00:52:20 2011
> Subject: Re: OpenLDAP for Central Auth?
>
> Hi
>
> On 12/19/2011 08:18 AM, Craig T wrote:
> > Hi,
> >
> > Has anyone successfully deployed OpenLDAP for central auth in a very mixed
> > unix environment? With Host based access control? Plus any documentation
> > would be really great.
> Yes, that's no problem. And for documentation, take a look at your
> distro-specific man pages or wikis.
> >
> > My needs;
> > - Central Auth
> No problem with nss ldap and pam ldap libraries...
> > - Host based access control (e.g. user "John" from group "accounts" can't
> > log into "development servers".
> Sure with pam_groupdn or a specific search filter, maybe with the
> memberOf attribute.
> > - Caching for Client logins on laptops. I figure SSSD will be useful here?
> I guess you mean user & password caching? Then the nscd daemon is your
> friend. Or do you mean credential caching for one session with Single
> Sign On? Then a Kerberos setup is your best option.
> > - Encryption (This looks pretty straight forward in the OpenLDAP 2.4 doco)
> Also no problem.... Just compile the newest OpenLDAP with OpenSSL support.
> >
> > Client OS's involved;
> > - Solaris 9/10
> > - Fedora 15/16
> > - Centos 5/6
> No problem, I don't know the Solaris setup, but I guess it's pretty much
> the same.
> >
> > cya
> > Craig
>
> --
> Raffael Sahli
> [email protected]
> Switzerland
>
> This message is private and confidential. If you have received it in error,
> please notify the sender and remove it from your system.
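For reference, the two client-side ways of restricting logins by group that the thread mentions, written out as an added example that is not from any of the posters: a PADL pam_ldap.conf fragment using pam_groupdn (which takes exactly one group DN, as the question above suspects) beside an sssd.conf access configuration that can match several groups. The base DN dc=example,dc=net comes from the question; the group names "development" and "ops", the server name ldap.example.net and the CA path are placeholders. The memberOf filters assume the OpenLDAP server runs the memberof overlay; the SSSD "simple" access provider does not need it.

```ini
# --- /etc/pam_ldap.conf (PADL pam_ldap / nss_ldap, e.g. CentOS 5) ---
# Added example, not from the thread. Base DN from the question; group,
# host and CA names are placeholders.
base dc=example,dc=net
uri ldaps://ldap.example.net/
tls_cacertfile /etc/openldap/cacerts/ca.crt

# pam_groupdn takes a single group DN. Login is refused unless the user's
# DN appears in that group's member attribute (uniqueMember for
# groupOfUniqueNames, member for groupOfNames).
pam_groupdn cn=development,ou=groups,dc=example,dc=net
pam_member_attribute uniqueMember

# Several groups: drop pam_groupdn and use a search filter instead.
# pam_ldap wraps it as (&(<pam_filter>)(uid=<login>)), so the outer
# parentheses are left off here. Needs the memberof overlay on the server.
#pam_filter |(memberOf=cn=development,ou=groups,dc=example,dc=net)(memberOf=cn=ops,ou=groups,dc=example,dc=net)

# Per-host control without groups: compare the user's "host" attribute
# (account objectClass) against the local hostname.
#pam_check_host_attr yes

# --- /etc/sssd/sssd.conf (CentOS 6 / Fedora) ---
[sssd]
services = nss, pam
domains = example

[domain/example]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.net/
ldap_search_base = dc=example,dc=net
ldap_tls_cacert = /etc/openldap/cacerts/ca.crt
# Offline logins for the laptop case discussed in the thread.
cache_credentials = true

# Option A: group list evaluated by SSSD itself; no memberOf needed.
access_provider = simple
simple_allow_groups = development, ops

# Option B: arbitrary LDAP filter evaluated on the server; needs memberof.
#access_provider = ldap
#ldap_access_order = filter
#ldap_access_filter = (|(memberOf=cn=development,ou=groups,dc=example,dc=net)(memberOf=cn=ops,ou=groups,dc=example,dc=net))
```

Two caveats worth checking before relying on either file: pam_ldap enforces pam_groupdn and pam_filter only from its account-management hook, so the PAM stack must include an "account" line for pam_ldap.so, not just "auth"; and the sssd.conf filter variants above only work once the memberof overlay is loaded on the OpenLDAP side, otherwise the memberOf attribute is simply absent and every user is denied.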
