Re: authentication infrastructure

2015-12-10 Thread David Gwynne
> On 10 Dec 2015, at 5:25 AM, Friedrich Locke wrote:
>
> If you had about 10k users and 5k machines how would you manage
> authenticating issues? Keep in mind that this is a very heterogeneous
> environment with ldap, ftp, smtp, pop3, traditional unix boxes etc

we use ypldapd talking to our directory to make users appear on the box. nfs
for homedirs. at the moment we're using krb for auth, but i'm looking to change
that soon.

dlg



Re: authentication infrastructure

2015-12-10 Thread Uwe Werler
On 09. Dec 17:25:14, Friedrich Locke wrote:
> If you had about 10k users and 5k machines how would you manage
> authenticating issues? Keep in mind that this is a very heterogeneous
> environment with ldap, ftp, smtp, pop3, traditional unix boxes etc
> 

LDAP is your friend. You can even combine OpenLDAP with saslauthd for pass-through
authentication to different other backends.

-- 



Re: authentication infrastructure

2015-12-09 Thread Jiri B
On Wed, Dec 09, 2015 at 01:21:19PM -0700, Devin Reade wrote:
> --On Wednesday, December 09, 2015 05:25:14 PM -0200 Friedrich Locke wrote:
> 
> > If you had about 10k users and 5k machines how would you manage
> > authenticating issues? Keep in mind that this is a very heterogeneous
> > environment with ldap, ftp, smtp, pop3, traditional unix boxes etc
> 
> You've already got the key to that solution (LDAP).  Do you mean
> things like provisioning and credential management?  I've not used it,
> but you might want to look at FreeIPA.  Although it uses KDC at the
> core, IIRC you can have LDAP-only clients authenticate to it.

IIUC FreeIPA does require sssd and pam, thus out of luck on
OpenBSD.

j.



Re: authentication infrastructure

2015-12-09 Thread Devin Reade
--On Wednesday, December 09, 2015 05:25:14 PM -0200 Friedrich Locke wrote:

> If you had about 10k users and 5k machines how would you manage
> authenticating issues? Keep in mind that this is a very heterogeneous
> environment with ldap, ftp, smtp, pop3, traditional unix boxes etc

You've already got the key to that solution (LDAP).  Do you mean
things like provisioning and credential management?  I've not used it,
but you might want to look at FreeIPA.  Although it uses KDC at the
core, IIRC you can have LDAP-only clients authenticate to it.

Once you have the core, then you need to look at the service-specific
docs (your ftp server, MDA, etc) as to how to wire them into LDAP.

Of course, with that many machines I hope you're already using some
kind of automated provisioning for at least configuration (puppet,
cfengine, etc).

Devin



authentication infrastructure

2015-12-09 Thread Friedrich Locke
If you had about 10k users and 5k machines how would you manage
authenticating issues? Keep in mind that this is a very heterogeneous
environment with ldap, ftp, smtp, pop3, traditional unix boxes etc