Re: [389-users] Migrating to LDAP authentication

2010-02-12 Thread Sean Carolan
> I misunderstood.  To that, I would've answered "don't," but if you want > to allow direct remote root access, that's your call. We don't allow this on production machines but there are a few back at the office that require root logins for some scripts and tools. Thanks again, this project is sha

Re: [389-users] Migrating to LDAP authentication

2010-02-12 Thread patrick . morris
On Fri, 12 Feb 2010, Sean Carolan wrote: > > Set up a local root user on every box.  I highly recommend not relying > > on LDAP for that, or you're a bit screwed if, for example, your network > > cable goes bad. > > Right, I just made my AllowGroups line look like this: > > AllowGroups root oper

Re: [389-users] Migrating to LDAP authentication

2010-02-12 Thread Sean Carolan
> Set up a local root user on every box.  I highly recommend not relying > on LDAP for that, or you're a bit screwed if, for example, your network > cable goes bad. Right, I just made my AllowGroups line look like this: AllowGroups root operations AllowUsers appears to trump AllowGroups so this

Re: [389-users] Migrating to LDAP authentication

2010-02-12 Thread Sean Carolan
> Is "invalid user" all you're seeing in the log? Generally, at least with > OpenSSH, if the user is being denied because it's not in a valid group, > the logs will say so. They'll also generally tell you if it's because it > couldn't find the user at all (often with exactly what it did to try to >

Re: [389-users] Migrating to LDAP authentication

2010-02-12 Thread patrick . morris
On Fri, 12 Feb 2010, Sean Carolan wrote: > > For example, we might have a group called "db-ssh" that defines a user > > group allowed to access database servers.  Then we just make sure DB > > hosts get "AllowGroups db-ssh" added to their SSH configs.  Plopping a > > user into the db-ssh group in

Re: [389-users] Migrating to LDAP authentication

2010-02-02 Thread Edward Capriolo
On Tue, Feb 2, 2010 at 8:57 PM, Steve Bernacki wrote: > On 2/2/2010 1:18 PM, Morris, Patrick wrote: >> [snip] >> We've found it a lot easier to manage than having to add an entry per >> host to user records, but then our servers tend to fall into >> easily-defined groups, which may not be the case

Re: [389-users] Migrating to LDAP authentication

2010-02-02 Thread Steve Bernacki
On 2/2/2010 1:18 PM, Morris, Patrick wrote: > [snip] > We've found it a lot easier to manage than having to add an entry per > host to user records, but then our servers tend to fall into > easily-defined groups, which may not be the case for everyone, and the > way we do it also relies on the only

Re: [389-users] Migrating to LDAP authentication

2010-02-02 Thread Morris, Patrick
Sean Carolan wrote: >> It's not clear to me what OS/distribution you're doing this on, but for >> the most part we have cfengine run authconfig on our Red Hat boxes to >> set up the basic LDAP auth (it's a one-liner if done that way), and then >> push around the sshd_config file. >> > > We hav

Re: [389-users] Migrating to LDAP authentication

2010-02-02 Thread Sean Carolan
> It's not clear to me what OS/distribution you're doing this on, but for > the most part we have cfengine run authconfig on our Red Hat boxes to > set up the basic LDAP auth (it's a one-liner if done that way), and then > push around the sshd_config file. We have a combination of centos and Red H

Re: [389-users] Migrating to LDAP authentication

2010-02-02 Thread Morris, Patrick
Sean Carolan wrote: >> This allows you to control who has access to the systems directly from >> ldap. Add the entitlement and they have access. Remove the entitlement >> and their access is revoked. >> >> My $0.02 CDN >> > > Terry, this is perfect, just what I was looking for. I like being

Re: [389-users] Migrating to LDAP authentication

2010-02-02 Thread Sean Carolan
> Perhaps some of you have gone down this path before and can offer some > helpful suggestions. I need to convert a group of servers to LDAP > authentication. Most of the user accounts on these systems have > consistent uids and gids across all the servers. One last question for the peanut galle

Re: [389-users] Migrating to LDAP authentication

2010-02-02 Thread Morris, Patrick
Sean Carolan wrote: >> Thanks for the info, the sshd_config file may be the way to go. We >> already use cfengine so it would be fairly easy to implement and push >> out to all our servers. >> > > Speaking of cfengine, I would like to use this to push out the > /etc/pam.d/system-auth and othe

Re: [389-users] Migrating to LDAP authentication

2010-02-02 Thread Sean Carolan
> This allows you to control who has access to the systems directly from > ldap.  Add the entitlement and they have access.  Remove the entitlement > and their access is revoked. > > My $0.02 CDN Terry, this is perfect, just what I was looking for. I like being able to control access from the LDAP

Re: [389-users] Migrating to LDAP authentication

2010-02-02 Thread Terry Soucy
We added an entitlement for all those users that need access to certain systems, but should not be able to access other systems ... We use the eduPerson schema, but I'll just give the basics ... On the users ldap record, add the entitlement hostEntitlement: hostname.company.com This is a multi-

Re: [389-users] Migrating to LDAP authentication

2010-02-02 Thread Sean Carolan
> Thanks for the info, the sshd_config file may be the way to go.  We > already use cfengine so it would be fairly easy to implement and push > out to all our servers. Speaking of cfengine, I would like to use this to push out the /etc/pam.d/system-auth and other files required for ldap authentica

Re: [389-users] Migrating to LDAP authentication

2010-02-02 Thread Morris, Patrick
Sean Carolan wrote: >> You can either continue as usual with an authorized_keys file in their >> home directories, or look at the LPK patch available for OpenSSH that >> allows storing public keys in LDAP. >> >> Having the users in LDAP has absolutely no effect on how key-based >> logins work with

Re: [389-users] Migrating to LDAP authentication

2010-02-02 Thread Sean Carolan
> You can either continue as usual with an authorized_keys file in their > home directories, or look at the LPK patch available for OpenSSH that > allows storing public keys in LDAP. > > Having the users in LDAP has absolutely no effect on how key-based > logins work with SSH, but it does open up s

Re: [389-users] Migrating to LDAP authentication

2010-02-02 Thread Morris, Patrick
Sean Carolan wrote: >> #2 >> a. there is also a setting in /etc/ldap.conf called pam_groupdn. This >> lets you define an LDAP object with multiple member attributes to >> control who can login. I find it easy to use >> b. SSH can be told to only accept logins from a posix group (same deal >> just han

Re: [389-users] Migrating to LDAP authentication

2010-02-02 Thread Sean Carolan
> #2 > a. there is also a setting in /etc/ldap.conf called pam_groupdn. This > lets you define an LDAP object with multiple member attributes to > control who can login. I find it easy to use > b. SSH can be told to only accept logins from a posix group (same deal > just handled at a different part o

Re: [389-users] Migrating to LDAP authentication

2010-02-02 Thread muzzol
2010/2/2 Sean Carolan : > Perhaps some of you have gone down this path before and can offer some > helpful suggestions.  I need to convert a group of servers to LDAP > authentication.  Most of the user accounts on these systems have > consistent uids and gids across all the servers.  There are a fe

[389-users] Migrating to LDAP authentication

2010-02-02 Thread Sean Carolan
Perhaps some of you have gone down this path before and can offer some helpful suggestions. I need to convert a group of servers to LDAP authentication. Most of the user accounts on these systems have consistent uids and gids across all the servers. There are a few exceptions but the people who