Although I haven't done the work yet, I've been looking at this for a while.
On Fri, Apr 27, 2012 at 4:38 AM, "Paul DiSciascio" <[email protected]> wrote:

> a. whether to use the traditional database backend or the ldap
> backend, and the replication implications of this decision.

I would recommend LDAP. I have a multi-master setup that spans several continents and works amazingly well. You can also use LDAP for additional user data and group membership information.

> b. how to ensure users don't have problems with confusion between
> local credentials and kerberos credentials

The easy solution is "no local credentials". But that means your kerberos must be ALWAYS available.

> c. methods for allowing admins to log into servers for kerberos
> triage

Most unix systems have some way of defining logon classes so that specific people, by group membership or listed, have a different environment. I've used this on FreeBSD and Ubuntu Linux to allow admins access to a server but deny non-admins. Note that you need to have your PAM set up to use kerberos for authentication, but that is pretty easy to do.

> d. use of specific encryption types if I want to consider a trust
> with an AD realm some time down the road

Last time I looked at this it wasn't possible. (Which is the reason I never actually implemented Kerberos.) I wanted to use OpenLDAP as an AD substitute but AD uses a super-secret key on its Kerberos that I didn't have access to. In more recent testing it seems perfectly possible, even easy, to set up Kerberos to authenticate with AD without the use of OpenLDAP.

--
Perfection is just a word I use occasionally with mustard.
--Atom Powers--

_______________________________________________
Tech mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
