Re: [DNG] Implementing directory services/Kerberos
wirelessd...@gmail.com - 12.11.18, 01:26:
> On Fri, 9 Nov 2018 at 17:20, Martin Steigerwald wrote:
> > Héctor González - 09.11.18, 00:02:
> > > > Quoting wirelessd...@gmail.com (wirelessd...@gmail.com):
[…]
> > Or use sssd, in case it can be installed without pulling libsystemd0
> > / systemd. But for that you'd need to create a configuration file by
> > hand. It is not very difficult, but it would configure with debconf
> > questions like nslcd does.
> >
> > It may be an option to use 389 directory server instead of OpenLDAP.
> > SUSE just made that move with SLES 15. And it has a GUI. I did not
> > yet test it more thoroughly, so I have nothing more to say about
> > it.
>
> 389 DS is part of the FreeIPA system, and my limited reading of it
> previously was that it's not so fabulous when running on non-redhat
> systems, hence why I decided to look at alternatives.

There are freeipa packages in Debian Unstable, but currently not in
testing. So maybe the next Debian release has it, but it depends on
whether the maintainers can fix whatever the cause is why it is not in
Testing right now.

> > Of course, if Kerberos is used, I'd use libpam-krb5, libpam-heimdal
> > or libpam-shishi instead of libnss-ldapd. As nslcd recommends
> > libpam-krb5, it might work together with it.
> >
> > Of course Samba as AD DC (ideally together with Heimdal instead of
> > MIT Kerberos) is also an option.
> >
> > From what I saw with preparing training slides for all of these: I'd
> > like something simpler, still secure for all of that. Kerberos and
> > LDAP are hefty regarding their complexity.
>
> Can kerberos integrate with an existing OpenLDAP database, or would I
> have to maintain two separate user databases?

I have seen a module for Kerberos, I am not sure whether it was MIT or
Heimdal, to store Kerberos data in the LDAP tree. I did not test it so
far. If it is not integrated, you have to create each user in LDAP and
in Kerberos. It should be possible to make password upgrades work in
both cases.

> After a lot of reading, I'm still not sure how to implement Kerberos
> properly with LDAP. A lot of guides show how to install kerberos as a
> standalone system, and when they also say "kerberos is often used
> with OpenLDAP" they always include the proviso "but we won't describe
> how to do that in this guide".

Well… that is one of the reasons I am teaching this stuff in a course
here in Germany. There are some third party books about Kerberos that
may help. I did not order any so far, so can't say much more than that.

Ciao,
-- 
Martin
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] Implementing directory services/Kerberos
Quoting wirelessd...@gmail.com (wirelessd...@gmail.com):

> nslcd appears to be working fine here now. I don't think I need to
> fiddle with any nscd settings at this point in time.

nscd is a cache for (a configurable subset of) numerous types of names,
including /etc/passwd, /etc/group, /etc/hosts, /etc/services and
/etc/netgroup (but pointedly not /etc/shadow) as called through standard
libc interfaces, such as getpwnam(3), getpwuid(3), getgrnam(3),
getgrgid(3), gethostbyname(3), and others.

Some time back (it stuck in memory because of being a striking
failure[1]), nscd had a longtime implementation flaw where it
disregarded TTL (time to live) values on cached DNS reference records,
so I'm _still_ not thrilled with the notion of entrusting the 'hosts'
caching function to it. Were I to do a significant deployment today,
I'd spare a moment to look into alternatives, like, obviously, Unbound /
dnscache / pdns-recursor, Deadwood (which albeit much more than just a
cache, also don't raise code-quality concerns) -- or maybe just
dnsmasq[2].

FWIW, nscd author (and former glibc maintainer) Ulrich Drepper
disapproves of views like mine and Kyle Rankin's.
https://udrepper.livejournal.com/16362.html

[1] nscd has cached TTL since a 2004 source code check-in, but it's
appalling that the ability was missing even that long -- not to mention
the difficulty of getting it right, e.g. 2010 bug here:
https://bugzilla.redhat.com/show_bug.cgi?id=656014

[2] https://www.linuxjournal.com/content/localhost-dns-cache
Re: [DNG] Implementing directory services/Kerberos
On Fri, 9 Nov 2018 at 17:20, Martin Steigerwald wrote:
>
> Héctor González - 09.11.18, 00:02:
> > > > Quoting wirelessd...@gmail.com (wirelessd...@gmail.com):
> > > [snip]
> > >
> > > > > So my next question is, what's the recommended package to
> > > > > authenticate with LDAP and allow users to login to a desktop
> > > > > via their LDAP account? I've seen various options for PAM and
> > > > > NSS, but do I need to configure both or just one?
> > >
> > > [snip]
> >
> > You can use libpam-ldap for this, it handles the authentication part.
> […]
> > There is also nslcd, which I remember using with samba-ad, as nscd
> > didn't like that ldap for some reason, and it has a different config
> > file /etc/nslcd.conf
> >
> > I'd use nscd first, and if you run into trouble try nslcd.
>
> I suggest using nslcd with libpam-ldapd and libnss-ldapd. It has several
> advantages¹.

Yes, I've tried libnss-ldapd with libpam-ldapd and nslcd, and it seems
to be working fine for ldap-based logins. Thanks.

> Or use sssd, in case it can be installed without pulling libsystemd0 /
> systemd. But for that you'd need to create a configuration file by hand.
> It is not very difficult, but it would configure with debconf questions
> like nslcd does.
>
> It may be an option to use 389 directory server instead of OpenLDAP.
> SUSE just made that move with SLES 15. And it has a GUI. I did not yet
> test it more thoroughly, so I have nothing more to say about it.

389 DS is part of the FreeIPA system, and my limited reading of it
previously was that it's not so fabulous when running on non-redhat
systems, hence why I decided to look at alternatives.

> Of course, if Kerberos is used, I'd use libpam-krb5, libpam-heimdal or
> libpam-shishi instead of libnss-ldapd. As nslcd recommends libpam-krb5,
> it might work together with it.
>
> Of course Samba as AD DC (ideally together with Heimdal instead of MIT
> Kerberos) is also an option.
>
> From what I saw with preparing training slides for all of these: I'd
> like something simpler, still secure for all of that. Kerberos and LDAP
> are hefty regarding their complexity.

Can kerberos integrate with an existing OpenLDAP database, or would I
have to maintain two separate user databases?

After a lot of reading, I'm still not sure how to implement Kerberos
properly with LDAP. A lot of guides show how to install kerberos as a
standalone system, and when they also say "kerberos is often used with
OpenLDAP" they always include the proviso "but we won't describe how to
do that in this guide".

Thanks,
--Tom
Re: [DNG] Implementing directory services/Kerberos
On Fri, 9 Nov 2018 at 10:02, Héctor González wrote:
>
> > > Quoting wirelessd...@gmail.com (wirelessd...@gmail.com):
> > [snip]
> > > > So my next question is, what's the recommended package to
> > > > authenticate with LDAP and allow users to login to a desktop via
> > > > their LDAP account? I've seen various options for PAM and NSS,
> > > > but do I need to configure both or just one?
> > [snip]
>
> You can use libpam-ldap for this, it handles the authentication part.
> NSS is used to "populate" your passwd and group files from ldap, if you
> need it. Your users will work with just the PAM part, but it's easier
> to use NSS so you can change permissions using usernames instead of
> UIDs.
>
> A "getent passwd user" will require libnss-ldap (and a working
> /etc/libnss-ldap.conf which should be autogenerated)
>
> If you choose to use nscd, you should replace the suggested-size passwd
> option with a sufficient size for your expected amount of users, the
> manual says it is a hash table, so it should be a prime number bigger
> than double the amount of expected users (hint, the primes package from
> bsdgames can find primes for you).
>
> nscd acts as a cache for nss calls so you don't flood your ldap server
> with queries.
>
> There is also nslcd, which I remember using with samba-ad, as nscd
> didn't like that ldap for some reason, and it has a different config
> file /etc/nslcd.conf
>
> I'd use nscd first, and if you run into trouble try nslcd.
>

Thanks, nslcd appears to be working fine here now. I don't think I need
to fiddle with any nscd settings at this point in time.

--Tom

-- 
Please avoid sending me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html
Re: [DNG] Implementing directory services/Kerberos
On Sat, 10 Nov 2018 at 15:45, Rick Moen wrote:
>
> Quoting Héctor González (ca...@genac.org):
>
> > There is also nslcd, which I remember using with samba-ad, as nscd
> > didn't like that ldap for some reason, and it has a different
> > config file /etc/nslcd.conf
> >
> > I'd use nscd first, and if you run into trouble try nslcd.
>
> Again, back when I implemented this stuff using CentOS 6.x, you needed
> both for some daft reason.
>

Yes, I went with libnss-ldapd and it pulled in libpam-ldapd, nslcd, and
nscd, so it would appear that both are required. nslcd seems to provide
the configuration file /etc/nslcd.conf that is used by both libnss-ldapd
and libpam-ldapd while nscd seems to be doing the caching side of
things.

--Tom
Re: [DNG] Implementing directory services/Kerberos
Quoting Héctor González (ca...@genac.org):

> There is also nslcd, which I remember using with samba-ad, as nscd
> didn't like that ldap for some reason, and it has a different
> config file /etc/nslcd.conf
>
> I'd use nscd first, and if you run into trouble try nslcd.

Again, back when I implemented this stuff using CentOS 6.x, you needed
both for some daft reason.

-- 
Cheers,                                   I could maybe do one pilate.
Rick Moen                                    -- Matt Watson (@biorhythmist)
r...@linuxmafia.com
McQ! (4x80)
Re: [DNG] Implementing directory services/Kerberos
Hi All,

> > > Quoting wirelessduck@??? (wirelessduck@???):
> > [snip]
> >
> > > > So my next question is, what's the recommended package to
> > > > authenticate with LDAP and allow users to login to a desktop via
> > > > their LDAP account? I've seen various options for PAM and NSS,
> > > > but do I need to configure both or just one?
> >
> > [snip]
>
> You can use libpam-ldap for this, it handles the authentication part.
[…]
> There is also nslcd, which I remember using with samba-ad, as nscd
> didn't like that ldap for some reason, and it has a different config
> file /etc/nslcd.conf
>
> I'd use nscd first, and if you run into trouble try nslcd.

I had a similar requirement but only for the hell of it for several
machines at home. All Debian (at the time) with NFS homes. It made
installing/upgrading the clients very easy.

There are several guides on the net but the one I found most useful for
me (the uninitiated) were the pages at spinlock (no affiliation).

http://techpubs.spinlocksolutions.com/dklar/kerberos.html

These pages give a bit more explanation and debugging help than the
Debian and Ubuntu references. The order of installation and testing of
the components is particularly helpful.

-- 
Best Regards
Martin Hodges
Re: [DNG] Implementing directory services/Kerberos
Héctor González - 09.11.18, 00:02:
> > > Quoting wirelessd...@gmail.com (wirelessd...@gmail.com):
> > [snip]
> >
> > > > So my next question is, what's the recommended package to
> > > > authenticate with LDAP and allow users to login to a desktop via
> > > > their LDAP account? I've seen various options for PAM and NSS,
> > > > but do I need to configure both or just one?
> >
> > [snip]
>
> You can use libpam-ldap for this, it handles the authentication part.
[…]
> There is also nslcd, which I remember using with samba-ad, as nscd
> didn't like that ldap for some reason, and it has a different config
> file /etc/nslcd.conf
>
> I'd use nscd first, and if you run into trouble try nslcd.

I suggest using nslcd with libpam-ldapd and libnss-ldapd. It has several
advantages¹.

Of course, if Kerberos is used, I'd use libpam-krb5, libpam-heimdal or
libpam-shishi instead of libnss-ldapd. As nslcd recommends libpam-krb5,
it might work together with it.

Or use sssd, in case it can be installed without pulling libsystemd0 /
systemd. But for that you'd need to create a configuration file by hand.
It is not very difficult, but it would configure with debconf questions
like nslcd does.

It may be an option to use 389 directory server instead of OpenLDAP.
SUSE just made that move with SLES 15. And it has a GUI. I did not yet
test it more thoroughly, so I have nothing more to say about it.

Of course Samba as AD DC (ideally together with Heimdal instead of MIT
Kerberos) is also an option.

From what I saw with preparing training slides for all of these: I'd
like something simpler, still secure for all of that. Kerberos and LDAP
are hefty regarding their complexity.

[1] https://arthurdejong.org/nss-pam-ldapd/

Ciao,
-- 
Martin
Re: [DNG] Implementing directory services/Kerberos
Quoting wirelessd...@gmail.com (wirelessd...@gmail.com):

[snip]

> So my next question is, what's the recommended package to authenticate
> with LDAP and allow users to login to a desktop via their LDAP account?
> I've seen various options for PAM and NSS, but do I need to configure
> both or just one?

[snip]

You can use libpam-ldap for this, it handles the authentication part.
NSS is used to "populate" your passwd and group files from ldap, if you
need it. Your users will work with just the PAM part, but it's easier to
use NSS so you can change permissions using usernames instead of UIDs.

A "getent passwd user" will require libnss-ldap (and a working
/etc/libnss-ldap.conf which should be autogenerated).

If you choose to use nscd, you should replace the suggested-size passwd
option with a sufficient size for your expected amount of users. The
manual says it is a hash table, so it should be a prime number bigger
than double the amount of expected users (hint: the primes package from
bsdgames can find primes for you).

nscd acts as a cache for nss calls so you don't flood your ldap server
with queries.

There is also nslcd, which I remember using with samba-ad, as nscd
didn't like that ldap for some reason, and it has a different config
file /etc/nslcd.conf

I'd use nscd first, and if you run into trouble try nslcd.

-- 
Hector Gonzalez
ca...@genac.org
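Héctor's sizing rule for the nscd hash tables, worked through as an added example (this code is not from the thread): the smallest prime above twice the expected entry count, rendered as nscd.conf `suggested-size` lines, plus a check that flags tables in an existing nscd.conf that are too small for the expected population. The `suggested-size` option and the database names are real nscd.conf keys; the user counts and the nscd.conf excerpt are constructed.

```python
"""Size nscd's per-database hash tables from the expected entry counts.

nscd.conf(5) has one 'suggested-size <database> <value>' line per
database and wants the value to be prime (the shipped default is 211).
The rule applied here is the one from the thread: smallest prime
strictly greater than twice the number of entries you expect to cache.
"""
from math import isqrt

NSCD_DATABASES = {"passwd", "group", "hosts", "services", "netgroup"}
NSCD_DEFAULT_SIZE = 211


def is_prime(n: int) -> bool:
    """Trial division; more than fast enough for hash-table sizes."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for d in range(3, isqrt(n) + 1, 2):
        if n % d == 0:
            return False
    return True


def suggested_size(expected_entries: int, minimum: int = NSCD_DEFAULT_SIZE) -> int:
    """Smallest prime > 2 * expected_entries, never below nscd's default
    so a tiny directory does not end up with a degenerate table."""
    if expected_entries < 0:
        raise ValueError("expected_entries must be non-negative")
    candidate = max(2 * expected_entries + 1, minimum)
    while not is_prime(candidate):
        candidate += 1
    return candidate


def nscd_size_lines(expected: dict) -> list:
    """Render 'suggested-size <db> <prime>' lines for each database."""
    lines = []
    for db, count in sorted(expected.items()):
        if db not in NSCD_DATABASES:
            raise ValueError(f"unknown nscd database: {db}")
        lines.append(f"suggested-size\t{db}\t{suggested_size(count)}")
    return lines


def audit_nscd_conf(conf_text: str, expected: dict) -> list:
    """Return (db, configured, recommended) for every expected database
    whose table is missing, not prime, or not bigger than 2 * entries."""
    configured = {}
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()      # drop comments, split on blanks
        if len(fields) == 3 and fields[0] == "suggested-size":
            configured[fields[1]] = int(fields[2])
    findings = []
    for db, count in sorted(expected.items()):
        have = configured.get(db, 0)
        if have <= 2 * count or not is_prime(have):
            findings.append((db, have, suggested_size(count)))
    return findings


# Constructed excerpt of an /etc/nscd.conf still carrying the defaults.
SAMPLE_NSCD_CONF = """\
# constructed /etc/nscd.conf excerpt
	enable-cache		passwd		yes
	positive-time-to-live	passwd		600
	suggested-size		passwd		211
	enable-cache		group		yes
	suggested-size		group		211
	enable-cache		hosts		yes
	suggested-size		hosts		211
"""

if __name__ == "__main__":
    expected = {"passwd": 500, "group": 50, "hosts": 100}
    for db, have, want in audit_nscd_conf(SAMPLE_NSCD_CONF, expected):
        print(f"{db}: configured {have}, recommend suggested-size {db} {want}")
```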
Re: [DNG] Implementing directory services/Kerberos
Quoting Rowland Penny (rpe...@samba.org):

> I will say it again (and yes, I might be biased here) A samba AD DC
> will do all of the above without all of the complexity of setting up
> LDAP and then extending it to just install users and groups.

Very good point, Rowland. The constraints my employer was on at the
time dictated a specific form for the solution, and the current querent
doesn't seem to have that problem, so indeed he could save quite a bit
of trouble by following your advice.

-- 
Cheers,                                "A recursive .sig
Rick Moen                               Can impart wisdom and truth.
r...@linuxmafia.com                     Call proc signature()"
McQ! (4x80)                                -- WalkingTheWalk on Slashdot
Re: [DNG] Implementing directory services/Kerberos
On Thu, 8 Nov 2018 11:12:16 -0800
Rick Moen wrote:

> Redirecting back on-list.
>
> Quoting wirelessd...@gmail.com (wirelessd...@gmail.com):
>
> > On Mon, 3 Sep 2018 at 13:47, Rick Moen wrote:
> > >
> > > Anyway, it's been a _long_ time since I dealt with all of that
> > > badness, so I'm probably forgetting a lot. This looks like a
> > > decent starting point: https://wiki.debian.org/LDAP/Kerberos
> > > (except it has little to say about AD integration).
> >
> > Thanks,
>
> Yr. welcome, Tom.
>
> > As there will be no Windows machines on this network, I don't have
> > any requirement for AD integration. I probably should have
> > clarified that further in the original email.
>
> Ah, that does indeed simplify things.
>
> > After a couple of months of head-banging and much googling of
> > various docs, blogs, etc., I think I've finally managed to set up
> > two replicating OpenLDAP servers talking to each other over TLS. :D
> > LDIF is much less confusing now than it originally appeared to be,
> > thanks to the excellent reference at http://zytrax.com/books/ldap/.
> > The ldapscripts package is also working nicely in a simple way to
> > add users and groups, although I'm not entirely sure why I would add
> > machines to LDAP, unless I use those accounts for binding services?
>
> Offhand, I don't think that'd be useful, no.
>
> As I see it, part of what's both really useful and really annoying
> about LDAP is that it was designed as an _extremely general_
> implementation of the X.500 directory management standard. So, it'll
> happily inhale the kitchen sink of all possible information about
> everything in the enterprise. Therefore, you often find yourself
> saying 'Yes, I could do _this_ thing with it, too, but what would be
> the point? I have no use-case for doing that.' The trick is to
> realise that the 'But _why_?' reaction is normal and doesn't
> necessarily mean you missed something significant.
>
> > So my next question is, what's the recommended package to
> > authenticate with LDAP and allow users to login to a desktop via
> > their LDAP account? I've seen various options for PAM and NSS, but
> > do I need to configure both or just one?
>
> Tom, ten years ago and two major employers ago, I would have been glad
> to send you example configurations from what I and the other senior SA
> at $FIRM somewhat painfully figured out at that time. I'm really
> sorry, but I just no longer have that anywhere.
>
> I remember that you very much needed a PAM hook, because you're
> introducing a new and preferred authentication method for shell login.
> Offhand, I can't remember exactly _how_ NSS is part of this picture
> (being about name services, e.g., names of hosts), but NSS and PAM
> are pretty intertwined.
>
> I remember that each machine needed a rather painfully worked out
> ldap.conf file. I vaguely recall the need to have a self-signed X.509
> certificate. Each machine needed to run the nscd and nslcd daemons:
> The latter was a new, surprising requirement introduced as of CentOS
> 6.x (which was then new) -- though there is also an alternative
> called sssd:
> https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c02791157
>
> And there, I'm afraid, we've now exhausted what I can easily remember
> after so many years of not needing to know it. I hope that helps.
>
> > Should I be diving into the world of Kerberos and attempting to
> > integrate that with my OpenLDAP servers, or is it fine to just
> > authenticate via LDAP?
>
> IIRC, $FIRM didn't end up having to develop Kerberos infrastructure
> just to deploy user authentication against LDAP directory services
> back-ended in OpenLDAP. It sufficed for our needs to rely on X.509
> SSL certs as a 'shared secret'. However, you decide what the local
> degree of paranoia requires.
>
> Beyond user shell authentication against LDAP, one can also tweak
> other applications where user authentication is relevant to do so as
> well, e.g., Web-based services backed by Apache HTTPd (and thus
> entailing plumbing added to the Apache conffiles). Bear that in mind
> if relevant to your use-case.
>

I will say it again (and yes, I might be biased here) A samba AD DC will
do all of the above without all of the complexity of setting up LDAP and
then extending it to just install users and groups.

Rowland
Re: [DNG] Implementing directory services/Kerberos
On 11/8/18 9:12 PM, Rick Moen wrote:
> Redirecting back on-list.
>
> Quoting wirelessd...@gmail.com (wirelessd...@gmail.com):

[snip]

>> So my next question is, what's the recommended package to authenticate
>> with LDAP and allow users to login to a desktop via their LDAP
>> account? I've seen various options for PAM and NSS, but do I need to
>> configure both or just one?

[snip]

> I remember that you very much needed a PAM hook, because you're
> introducing a new and preferred authentication method for shell login.
> Offhand, I can't remember exactly _how_ NSS is part of this picture
> (being about name services, e.g., names of hosts), but NSS and PAM
> are pretty intertwined.

[snip]

If you are using keys for authentication then you would not need PAM, I
think. Using the AuthorizedKeysCommand directive to make an LDAP query
and retrieve the public key ought to be enough. There is an example in
this README file: https://github.com/reyk/ldapclient

Apologies for using a Github link.

/Lars
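The AuthorizedKeysCommand approach Lars mentions, as an added example (not code from the thread or from reyk/ldapclient): a helper that runs `ldapsearch` for the user, parses the LDIF it returns, and prints only well-formed public key lines for sshd. It assumes the keys are stored in an `sshPublicKey` attribute (the openssh-lpk style schema), and `LDAP_URI` and `BASE_DN` are placeholders; the LDIF sample is constructed to stand in for real `ldapsearch -LLL` output, including the 76-column line folding and a base64 (`::`) value.

```python
"""AuthorizedKeysCommand helper: fetch a user's SSH public keys from LDAP.

sshd_config wiring (the program must be root-owned, not group/world
writable, and should run as an unprivileged user):

    AuthorizedKeysCommand /usr/local/sbin/ldap-authorized-keys %u
    AuthorizedKeysCommandUser nobody
"""
import base64
import binascii
import re
import subprocess
import sys

LDAP_URI = "ldaps://ldap.example.org"       # placeholder
BASE_DN = "ou=People,dc=example,dc=org"     # placeholder
KEY_ATTR = "sshPublicKey"                    # assumed (openssh-lpk style) attribute
KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}
_UID_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")   # what we accept from %u


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping: the login name must not be able to alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def ldif_values(ldif_text: str, attr: str) -> list:
    """All values of `attr` in LDIF output.  Unfolds continuation lines
    (ldapsearch wraps long values at 76 columns) and decodes '::' base64."""
    logical = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]             # folded continuation line
        elif raw and not raw.startswith("#"):
            logical.append(raw)
    values = []
    for line in logical:
        name, sep, rest = line.partition(":")
        if not sep or name.strip().lower() != attr.lower():
            continue
        if rest.startswith(":"):               # 'attr:: <base64>'
            values.append(base64.b64decode(rest[1:].strip()).decode("utf-8", "replace"))
        elif not rest.startswith("<"):         # skip 'attr:< url' references
            values.append(rest.strip())
    return values


def looks_like_public_key(line: str) -> bool:
    """Accept only 'type base64blob [comment]' with a known key type; anything
    else coming out of the directory is dropped rather than handed to sshd."""
    if any(ord(c) < 0x20 for c in line):
        return False                            # no control chars / line splicing
    parts = line.split()
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        return False
    try:
        base64.b64decode(parts[1], validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def authorized_keys(ldif_text: str) -> list:
    return [k for k in ldif_values(ldif_text, KEY_ATTR) if looks_like_public_key(k)]


# Constructed sample standing in for `ldapsearch -LLL` output.  The key
# blobs are padding-correct base64 of realistic length, not real keys.
KEY1 = "ssh-ed25519 " + "AAAAC3NzaC1lZDI1NTE5AAAAI" + "A" * 43 + " alice@laptop"
KEY2 = "ssh-rsa " + "AAAAB3NzaC1yc2EAAAADAQABAAABAQ" + "A" * 50 + " alice@desktop"
SAMPLE_LDIF = (
    "dn: uid=alice,ou=People,dc=example,dc=org\n"
    "uid: alice\n"
    "sshPublicKey: " + KEY1[:50] + "\n " + KEY1[50:] + "\n"    # folded by ldapsearch
    "sshPublicKey:: " + base64.b64encode(KEY2.encode()).decode() + "\n"
    "sshPublicKey: ssh-rsa not*valid*base64 bob@nowhere\n"     # rejected: bad blob
    "description: not a key\n"
)


def main(argv: list) -> int:
    if len(argv) != 2 or not _UID_RE.match(argv[1]):
        return 1                                # non-zero exit: sshd discards output
    flt = "(&(objectClass=posixAccount)(uid=%s))" % ldap_filter_escape(argv[1])
    proc = subprocess.run(
        ["ldapsearch", "-LLL", "-x", "-H", LDAP_URI, "-b", BASE_DN, flt, KEY_ATTR],
        capture_output=True, text=True, timeout=10,
    )
    if proc.returncode != 0:
        return 1
    for key in authorized_keys(proc.stdout):
        print(key)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```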
Re: [DNG] Implementing directory services/Kerberos
Redirecting back on-list.

Quoting wirelessd...@gmail.com (wirelessd...@gmail.com):

> On Mon, 3 Sep 2018 at 13:47, Rick Moen wrote:
> >
> > Anyway, it's been a _long_ time since I dealt with all of that badness,
> > so I'm probably forgetting a lot. This looks like a decent starting
> > point: https://wiki.debian.org/LDAP/Kerberos (except it has little to
> > say about AD integration).
>
> Thanks,

Yr. welcome, Tom.

> As there will be no Windows machines on this network, I don't have any
> requirement for AD integration. I probably should have clarified that
> further in the original email.

Ah, that does indeed simplify things.

> After a couple of months of head-banging and much googling of various
> docs, blogs, etc., I think I've finally managed to set up two
> replicating OpenLDAP servers talking to each other over TLS. :D
> LDIF is much less confusing now than it originally appeared to be,
> thanks to the excellent reference at http://zytrax.com/books/ldap/.
> The ldapscripts package is also working nicely in a simple way to add
> users and groups, although I'm not entirely sure why I would add
> machines to LDAP, unless I use those accounts for binding services?

Offhand, I don't think that'd be useful, no.

As I see it, part of what's both really useful and really annoying about
LDAP is that it was designed as an _extremely general_ implementation of
the X.500 directory management standard. So, it'll happily inhale the
kitchen sink of all possible information about everything in the
enterprise. Therefore, you often find yourself saying 'Yes, I could do
_this_ thing with it, too, but what would be the point? I have no
use-case for doing that.' The trick is to realise that the 'But _why_?'
reaction is normal and doesn't necessarily mean you missed something
significant.

> So my next question is, what's the recommended package to authenticate
> with LDAP and allow users to login to a desktop via their LDAP
> account? I've seen various options for PAM and NSS, but do I need to
> configure both or just one?

Tom, ten years ago and two major employers ago, I would have been glad
to send you example configurations from what I and the other senior SA
at $FIRM somewhat painfully figured out at that time. I'm really sorry,
but I just no longer have that anywhere.

I remember that you very much needed a PAM hook, because you're
introducing a new and preferred authentication method for shell login.
Offhand, I can't remember exactly _how_ NSS is part of this picture
(being about name services, e.g., names of hosts), but NSS and PAM are
pretty intertwined.

I remember that each machine needed a rather painfully worked out
ldap.conf file. I vaguely recall the need to have a self-signed X.509
certificate. Each machine needed to run the nscd and nslcd daemons: The
latter was a new, surprising requirement introduced as of CentOS 6.x
(which was then new) -- though there is also an alternative called sssd:
https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c02791157

And there, I'm afraid, we've now exhausted what I can easily remember
after so many years of not needing to know it. I hope that helps.

> Should I be diving into the world of Kerberos and attempting to
> integrate that with my OpenLDAP servers, or is it fine to just
> authenticate via LDAP?

IIRC, $FIRM didn't end up having to develop Kerberos infrastructure just
to deploy user authentication against LDAP directory services back-ended
in OpenLDAP. It sufficed for our needs to rely on X.509 SSL certs as a
'shared secret'. However, you decide what the local degree of paranoia
requires.

Beyond user shell authentication against LDAP, one can also tweak other
applications where user authentication is relevant to do so as well,
e.g., Web-based services backed by Apache HTTPd (and thus entailing
plumbing added to the Apache conffiles). Bear that in mind if relevant
to your use-case.

-- 
Cheers,                                   I could maybe do one pilate.
Rick Moen                                    -- Matt Watson (@biorhythmist)
r...@linuxmafia.com
McQ! (4x80)
Re: [DNG] Implementing directory services/Kerberos
On Thu, 8 Nov 2018 12:04:53 +1100
wirelessd...@gmail.com wrote:

> On Mon, 3 Sep 2018 at 17:37, Rowland Penny wrote:
> >
> > On Mon, 3 Sep 2018 10:34:50 +1000
> > wirelessd...@gmail.com wrote:
> >
> > > I’m looking to set up some sort of directory services/network
> > > authentication for users on a small corporate network running
> > > Devuan Ascii. Is it recommended to use Kerberos+LDAP?
> > >
> > > Are there any good tutorials out there for setting this up and
> > > explaining how it works? Where do people learn this stuff if they
> > > have no one else to learn from on the job?
> > >
> > > I have a small amount of experience using Active Directory on a
> > > windows network and connecting some Linux servers to that with
> > > winbind but no direct experience in managing LDAP or Kerberos
> > > directly.
> > >
> > > I have also taken a look at FusionDirectory and it looks
> > > relatively simple to use. Does anyone have experience/advice with
> > > this or other management interfaces? Implementing plain OpenLDAP
> > > and Kerberos directly looked incredibly complex and confusing
> > > when I attempted to read some of their documentation a while back.
> > >
> > > Thanks
> > >
> > > —Tom
> >
> > Seeing as you have some experience with Active Directory, why not
> > use Active Directory, but not from Windows, from Samba.
> >
> > Try having a look here:
> >
> > https://wiki.samba.org/index.php/Main_Page
> >
> > Rowland
>
> As I have no experience administering either AD or OpenLDAP, and this
> network will be entirely Linux machines, I have decided to go with
> OpenLDAP. Thanks for the suggestion though, and I would most likely
> use Samba if it was a Linux+Windows network.
>
> --Tom

I don't have any windows machines either, but it is your choice, just
don't try adding Samba into the mix.

Rowland
Re: [DNG] Implementing directory services/Kerberos
On September 2, 2018 7:34:50 PM CDT, wirelessd...@gmail.com wrote:
:: I’m looking to set up some sort of directory services/network
:: authentication for users on a small corporate network running Devuan
:: Ascii. Is it recommended to use Kerberos+LDAP?
::
:: Are there any good tutorials out there for setting this up and
:: explaining how it works? Where do people learn this stuff if they
:: have no one else to learn from on the job?
::
:: I have a small amount of experience using Active Directory on a
:: windows network and connecting some Linux servers to that with
:: winbind but no direct experience in managing LDAP or Kerberos
:: directly.
::
:: I have also taken a look at FusionDirectory and it looks relatively
:: simple to use. Does anyone have experience/advice with this or other
:: management interfaces? Implementing plain OpenLDAP and Kerberos
:: directly looked incredibly complex and confusing when I attempted to
:: read some of their documentation a while back.
::
:: Thanks
::
:: —Tom

I've used this[1] setup when user accounts are in AD and I want to auth
users in Linux via PAM. You need a service account in AD that the
saslauthd daemon can use to handle the password traffic and then
provision all your user accounts in openldap. This works without needing
samba, or SSSD, or Kerberos. Additionally, if AD falls over for some
reason, you just change the userPassword attribute in openldap from
{SASL}user@realm, to a bonafide {SSHA}gobbledeegook and users can auth
again.

[1] https://blogs.msdn.microsoft.com/alextch/2012/04/25/configuring-openldap-pass-through-authentication-to-active-directory/
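The two userPassword forms from the post, as an added example (not code from the thread or from the linked article): `{SASL}user@realm`, which makes slapd hand the bind to saslauthd for checking against AD, and `{SSHA}`, a salted SHA-1 that slapd verifies locally, together with the LDIF modify that switches an entry from one to the other when AD is unavailable. The DN and realm are placeholders.

```python
"""userPassword helpers for OpenLDAP pass-through authentication and its
local {SSHA} fallback.  Pure standard library; nothing talks to a server.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

SASL_PREFIX = "{SASL}"
SSHA_PREFIX = "{SSHA}"


def sasl_passthrough(user: str, realm: str) -> str:
    """Value that makes slapd defer the bind to saslauthd (pass-through)."""
    return f"{SASL_PREFIX}{user}@{realm}"


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """OpenLDAP {SSHA} format: base64(SHA1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(8)                 # slappasswd uses a short random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_parts(stored: str) -> Tuple[bytes, bytes]:
    """Split a stored {SSHA} value into (digest, salt); SHA-1 digests are 20 bytes."""
    if not stored.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} value")
    blob = base64.b64decode(stored[len(SSHA_PREFIX):])
    if len(blob) <= 20:
        raise ValueError("malformed {SSHA} value: no salt")
    return blob[:20], blob[20:]


def ssha_verify(stored: str, password: str) -> bool:
    """Re-derive with the embedded salt and compare in constant time.
    Any other scheme ({SASL}, {CRYPT}, cleartext) is reported as no match."""
    try:
        digest, salt = ssha_parts(stored)
    except ValueError:
        return False
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def scheme_of(stored: str) -> str:
    """'{SASL}', '{SSHA}', another '{SCHEME}', or 'cleartext'."""
    if stored.startswith("{") and "}" in stored:
        return stored[: stored.index("}") + 1]
    return "cleartext"


def failover_ldif(dn: str, new_value: str) -> str:
    """LDIF for `ldapmodify -f`: replace userPassword on one entry.
    Switching to {SSHA} only lets users log in if the hash is of a password
    they know, so in practice this goes hand in hand with a password reset."""
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "replace: userPassword\n"
        f"userPassword: {new_value}\n"
        "-\n"
    )


if __name__ == "__main__":
    dn = "uid=alice,ou=People,dc=example,dc=org"          # placeholder DN
    print(failover_ldif(dn, sasl_passthrough("alice", "EXAMPLE.ORG")))
    print(failover_ldif(dn, ssha_hash("example-only-password")))
```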
Re: [DNG] Implementing directory services/Kerberos
On Mon, 3 Sep 2018 10:34:50 +1000
wirelessd...@gmail.com wrote:

> I’m looking to set up some sort of directory services/network
> authentication for users on a small corporate network running Devuan
> Ascii. Is it recommended to use Kerberos+LDAP?
>
> Are there any good tutorials out there for setting this up and
> explaining how it works? Where do people learn this stuff if they
> have no one else to learn from on the job?
>
> I have a small amount of experience using Active Directory on a
> windows network and connecting some Linux servers to that with
> winbind but no direct experience in managing LDAP or Kerberos
> directly.
>
> I have also taken a look at FusionDirectory and it looks relatively
> simple to use. Does anyone have experience/advice with this or other
> management interfaces? Implementing plain OpenLDAP and Kerberos
> directly looked incredibly complex and confusing when I attempted to
> read some of their documentation a while back.
>
> Thanks
>
> —Tom

Seeing as you have some experience with Active Directory, why not use
Active Directory, but not from Windows, from Samba.

Try having a look here:

https://wiki.samba.org/index.php/Main_Page

Rowland
Re: [DNG] Implementing directory services/Kerberos
On 09/02/2018 08:47 PM, Rick Moen wrote:
> Quoting wirelessd...@gmail.com (wirelessd...@gmail.com):
>
> > I’m looking to setup some sort of directory services/network authentication
> > for users on a small corporate network running Devuan Ascii. Is it
> > recommended to use Kerberos+LDAP?
>
> Heh, a bit over ten years ago, I designed a full-blown corporate single
> sign-on system using OpenLDAP with self-signed SSL certs and no Kerberos
> at my then-firm, using CentOS 5 stuff. I no longer had all the materials
> (because I no longer work there), but will say that getting it right was
> extremely fiddly, even with all the Internet tutorials supposedly
> explaining how to do it.

>8 Snippage - 8<

I hate to snip Drew, but I get yelled at when I don't snip long-ish if informative postings.

I've not done the OpenLDAP/AD sync, but I fairly routinely do Linux authentication via PAM/AD integration (there is a cool pam module called oddjob that will do home directory creation/mounting and other housekeeping)... I've even done Apache auth via PAM/AD integration.

The trickiest part I found is being sure ALL the boxes use the same time base. It doesn't take a lot of time difference to screw up kerberos, and Windows admins like to think their AD servers are a good enough time base too. Most of the time it is... and then it will bite you really, really hard.

I also have seen some custom apps that didn't retrieve all of the group membership information from PAM/AD even when the id command did (but we're using the same system call). That one took weeks to find and even longer to get fixed.

I've recently become aware of and am looking at trying FreeIPA because it has a lot of pre-done stuff I want... *IX auth/authorization/accounting, Samba4/Windows user schema, address book application schema that Thunderbird can use (I hate making copies of MAB files... Error prone and lossy). Under the hood, it's using a lot of stock standard OSS stuff... Like so much today, it looks like a collection of giant lego blocks.

I'll let y'all know
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
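The time-base point in the post above is the usual Kerberos failure mode: the KDC rejects requests whose timestamps are further from its own clock than the configured tolerance, and MIT krb5's default `clockskew` (like Active Directory's default MaxClockSkew) is 300 seconds. The script below is an added example, not code from the thread or from any of the projects it mentions: it does one hand-built SNTP (RFC 4330) round trip against a time server, computes the clock offset the standard way, and says whether that offset would pass a 300-second skew check. The server name `kdc.example.internal` is a placeholder; the 300-second figure is an assumption that matches the MIT default, so adjust it if your realm sets `clockskew` differently.

```python
"""Check whether this host's clock is within Kerberos' default clock-skew tolerance
of an NTP server, using a hand-built SNTP (RFC 4330) exchange.

Added example, not from the mailing-list thread. The 300-second tolerance is
MIT krb5's default 'clockskew' (and AD's default MaxClockSkew); the server
name in main() is a placeholder assumption.
"""
import socket
import struct
import time

NTP_UNIX_DELTA = 2208988800             # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
KRB5_DEFAULT_CLOCKSKEW = 300            # seconds; MIT krb5 default, same as AD's MaxClockSkew
NTP_PACKET = struct.Struct("!BBBb11I")  # LI/VN/Mode, stratum, poll, precision, then 11 32-bit words = 48 bytes


def unix_to_ntp(t):
    """Split a Unix float timestamp into the NTP (seconds, fraction) pair."""
    secs = int(t) + NTP_UNIX_DELTA
    frac = int((t - int(t)) * (1 << 32))
    return secs & 0xFFFFFFFF, frac & 0xFFFFFFFF


def ntp_to_unix(secs, frac):
    """Convert an NTP (seconds, fraction) pair back to a Unix float timestamp."""
    return secs - NTP_UNIX_DELTA + frac / (1 << 32)


def build_sntp_request(t1):
    """Client request: LI=0, VN=4, Mode=3, with our send time t1 in the transmit field."""
    words = [0] * 11
    words[9], words[10] = unix_to_ntp(t1)           # transmit timestamp (bytes 40-47)
    return NTP_PACKET.pack(0x23, 0, 0, 0, *words)   # 0x23 = LI 0, VN 4, Mode 3


def build_sntp_reply(t1, t2, t3, stratum=2):
    """Server reply (Mode 4): echoes t1 as originate, sets receive t2 and transmit t3.
    Only used here to construct an offline test packet; a real server builds this."""
    words = [0] * 11
    words[5], words[6] = unix_to_ntp(t1)            # originate timestamp (bytes 24-31)
    words[7], words[8] = unix_to_ntp(t2)            # receive timestamp (bytes 32-39)
    words[9], words[10] = unix_to_ntp(t3)           # transmit timestamp (bytes 40-47)
    return NTP_PACKET.pack(0x24, stratum, 0, 0, *words)  # 0x24 = LI 0, VN 4, Mode 4


def parse_sntp_reply(data):
    """Pull the three server-side timestamps out of a 48-byte reply.
    Rejects anything that is not a Mode 4 server reply, or a Kiss-o'-Death (stratum 0)."""
    if len(data) < NTP_PACKET.size:
        raise ValueError("short NTP packet")
    fields = NTP_PACKET.unpack(data[:NTP_PACKET.size])
    mode = fields[0] & 0x07
    stratum = fields[1]
    if mode != 4:
        raise ValueError(f"not a server reply (mode {mode})")
    if stratum == 0:
        raise ValueError("kiss-o'-death / unsynchronised server")
    words = fields[4:]
    return {
        "t1": ntp_to_unix(words[5], words[6]),
        "t2": ntp_to_unix(words[7], words[8]),
        "t3": ntp_to_unix(words[9], words[10]),
    }


def clock_offset(t1, t2, t3, t4):
    """RFC 4330 offset: how far the server's clock is ahead of ours (negative = behind)."""
    return ((t2 - t1) + (t3 - t4)) / 2


def within_kerberos_skew(offset, tolerance=KRB5_DEFAULT_CLOCKSKEW):
    """True if |offset| would be accepted under the given clockskew tolerance."""
    return abs(offset) <= tolerance


def check_host_against(server, port=123, timeout=3.0):
    """Do one SNTP round trip against `server` and return (offset_seconds, ok)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(build_sntp_request(t1), (server, port))
        data, _ = s.recvfrom(512)
        t4 = time.time()
    ts = parse_sntp_reply(data)
    off = clock_offset(t1, ts["t2"], ts["t3"], t4)
    return off, within_kerberos_skew(off)


if __name__ == "__main__":
    # 'kdc.example.internal' is a placeholder: point this at the AD DC / KDC
    # (or the NTP source it uses), since that is the clock Kerberos compares against.
    offset, ok = check_host_against("kdc.example.internal")
    print(f"offset vs server: {offset:+.3f}s -> {'OK' if ok else 'TOO FAR: Kerberos will fail'}")
```

Run it from each client against the clock the KDC itself trusts, not against an arbitrary public pool: what matters to Kerberos is the difference between a client and its KDC, so a client and a DC that each sync to different upstreams can both be "correct" and still disagree by more than the tolerance. A reply with stratum 0 is treated as a failure rather than a measurement, because an unsynchronised server is exactly the case the post warns about.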
Re: [DNG] Implementing directory services/Kerberos
Quoting wirelessd...@gmail.com (wirelessd...@gmail.com):

> I’m looking to setup some sort of directory services/network authentication
> for users on a small corporate network running Devuan Ascii. Is it
> recommended to use Kerberos+LDAP?

Heh, a bit over ten years ago, I designed a full-blown corporate single sign-on system using OpenLDAP with self-signed SSL certs and no Kerberos at my then-firm, using CentOS 5 stuff. I no longer had all the materials (because I no longer work there), but will say that getting it right was extremely fiddly, even with all the Internet tutorials supposedly explaining how to do it.

Because the firm had Active Directory for the Windows side of things including Exchange Server, I first wrote up a white paper to make sure the CTO knew he had to make an important strategic choice: Because AD relied on proprietary extensions to Kerberos, the firm could _either_ slave OpenLDAP servers off AD and maintain the whole directory off the Windows side, or could create a separate schema and database entirely within OpenLDAP for the firm's hundreds of Linux and Solaris machines _only_ that was distinct from (did not coordinate data with) the AD directory. I believe there were also a couple of further alternatives involving proprietary software for Linux that attempted to bridge in some fashion the sharing chasm.

The CTO approved the second option, having the firm's Linux & Solaris machines participate in a single sign-on system unconnected to AD. Being wary of trouble, I made sure my change control documentation made this matter clear, that this rollout would _not_ be interconnected to AD. Mid-morning, I sent out the announcement e-mail and started checking in my code. Immediately, I got an urgent directive from the Chief Operating Officer to _stop_. Which, of course, I did.

The COO had what apparently was a fiery discussion with the CTO, thankfully above my paygrade, and I was directed to throw away my work and design/test/rollout a redesign to slave OpenLDAP servers off AD, and then authenticate signon for Linux/Solaris machines to the OpenLDAP servers. Just as with the earlier project, getting this right was a little painful. Unless things have changed a lot in ten years, expect to spend some time at it.

> I have also taken a look at FusionDirectory and it looks relatively
> simple to use.

Looks like a nice little Web-based directory browser. Unless I'm missing something important, that does nothing to solve the larger problem of setting up the underlying LDAP software, schema, and contents.

Anyway, it's been a _long_ time since I dealt with all of that badness, so I'm probably forgetting a lot. This looks like a decent starting point: https://wiki.debian.org/LDAP/Kerberos (except it has little to say about AD integration).
