[389-users] Developting a CentOS-DS setup

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Sun, 2009-06-07 at 14:33 -0500, Doug Coats wrote:
> Thanks a ton John!  This certainly gives me somewhere to start.  Now I
> just need to figure out what parts Linux needs to authenticate to
> begin with.  Do I need SSL if all of my LDAP reequests are coming from
> internal servers?
<snip>
The bottom part of the plan should give you most of that information.
Some of the essential bits are in the clientsetup script we created and
I really shouldn't post that.  We do set up our users with
objectlclasses of posixaccount and ntuser (I believe that's correct). On
RedHat systems we also do something that I believe is technically
incorrect, we add a posixgroup objectclass to the users to account for
the personal group created by default.

To keep the IDs unique among all the systems, we enforce unique uid,
uidnumber, and gidnumber and, for other reasons in our multi-client
environment, cn.  This is one of the major reasons why we divide our DIT
at the top level between Internal objects (which must enforce this
uniqueness) and External objects (such as client contact lists) which do
not enforce that uniqueness.

At that point, one can use ldap.conf, nsswitch.conf, and the pam.d
modules (largely configured automatically by, oh I forget the package
name, I think it is authconfig - it's in the plan) to allow the Linux
systems to authenticate users against LDAP.

Certainly because we are a multi-client environment but even if we
weren't, we do not believe in the hard and crunchy outside, soft and
chewy inside security model.  The network revolution means the primary
attack vector is now on the inside of the network and not the outside.
Truth be told, it always was.  That's why we use SSL even on the
internal network.  If someone plants a protocol analyzer on the network,
with a little bit of ARP poisoning, there's nothing they can't see
traversing the wire.  That's why we launched the ISCS network security
project (http://iscs.sourceforge.net) and tend to "firepipe" rather than
firewall our networks.

Hope this helps - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux