We use Kerberos, with LDAP (389DS) as our storage backend, which makes standing up Kerberos servers really easy, and keeps replication in perfect sync unlike normal Kerberos "replication". Together with SSSD and sudo-ldap this all makes a pretty powerful combination.
On RHEL/CentOS platforms, install krb5-server-ldap and configure /etc/krb5.conf accordingly:
[dbmodules]
REALM = {
db_library = kldap
ldap_kerberos_container_dn="dc=some,dc=container"
ldap_kdc_dn = "uid=kdc,cn=config"
ldap_kadmind_dn = "uid=kadmin,cn=config"
ldap_service_password_file = /var/kerberos/krb5kdc/realm/service.keyfile
ldap_servers = "ldaps://ldap1.realm ldaps://ldap0.realm ldaps://ldap2.realm"
}
Of course there's more to it, but you'll have to google the details, I can't remember the details off the top of my head. Create the appropriate LDAP credentials of course, as well as creating the LDAP service.keyfile ...
On Thu, Jan 9, 2014 at 12:42 PM, Paul Robert Marino <prmarino1@xxxxxxxxx> wrote:
have you considered using Kerberos instead of ssh keys?
its fairly transparent and doesn't require any patches.
On Thu, Jan 9, 2014 at 1:10 PM, Vesa Alho <listat@xxxxxxx> wrote:
>>> I'm just wondering if anyone has experience storing public keys in 389
>>> directory server to allow a user to login using an ssh-key rather than a
>>> password? I am running the server on Ubuntu 13.10 and the client is
>>> Ubuntu
>>> 12.04.
>
>
> Last time I checked it requires patched openssh-server for Ubuntu. Check
> this: https://marc.waeckerlin.org/computer/blog/ssh_and_ldap
>
> -Vesa
>
>
> --
> 389 users mailing list
> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/389-users
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
-- 389 users mailing list 389-users@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/389-users
