Hello Paul!
On 9.1.2014 22:56, Paul Robert Marino wrote:
I agree FreeIPA is a good solution but it does have limitations
the one down side to it is you loose some flexibility with FreeIPA for
instance in in places where you may want strict security policy
separations like a web application farm or a larger enterprises with
many subsidiaries you may want to have multiple OU's with different
replication policies and security ACL's FreeIPA doesn't support that.
Could you elaborate what you miss in FreeIPA, please? We want to know what we
miss for which use cases...
Naturally, we can't add missing functionality if nobody tells us what is
missing and why it is useful! :-)
Thank you for your time.
Petr^2 Spacek
On a side note neither does the MIT kerberos V server strictly
speaking but you can workaround that by running multiple instances on
different ports or you can use a Heimdal kerberos V server.
On Thu, Jan 9, 2014 at 3:26 PM, Rob Crittenden <rcritten@xxxxxxxxxx> wrote:
Jonathan Vaughn wrote:
We use Kerberos, with LDAP (389DS) as our storage backend, which makes
standing up Kerberos servers really easy, and keeps replication in
perfect sync unlike normal Kerberos "replication". Together with SSSD
and sudo-ldap this all makes a pretty powerful combination.
On RHEL/CentOS platforms, install krb5-server-ldap and configure
/etc/krb5.conf accordingly:
[dbmodules]
REALM = {
db_library = kldap
ldap_kerberos_container_dn="dc=some,dc=container"
ldap_kdc_dn = "uid=kdc,cn=config"
ldap_kadmind_dn = "uid=kadmin,cn=config"
ldap_service_password_file =
/var/kerberos/krb5kdc/realm/service.keyfile
ldap_servers = "ldaps://ldap1.realm ldaps://ldap0.realm
ldaps://ldap2.realm"
}
Of course there's more to it, but you'll have to google the details, I
can't remember the details off the top of my head. Create the
appropriate LDAP credentials of course, as well as creating the LDAP
service.keyfile ...
As an aside, if you're interested in doing Kerberos and LDAP together with a
389-ds backend you may want to look at the FreeIPA project which handles a
lot of the integration for you. It also supports storing SSH keys.
rob
On Thu, Jan 9, 2014 at 12:42 PM, Paul Robert Marino <prmarino1@xxxxxxxxx
<mailto:prmarino1@xxxxxxxxx>> wrote:
have you considered using Kerberos instead of ssh keys?
its fairly transparent and doesn't require any patches.
On Thu, Jan 9, 2014 at 1:10 PM, Vesa Alho <listat@xxxxxxx
<mailto:listat@xxxxxxx>> wrote:
>>> I'm just wondering if anyone has experience storing public keys
in 389
>>> directory server to allow a user to login using an ssh-key
rather than a
>>> password? I am running the server on Ubuntu 13.10 and the client
is
>>> Ubuntu
>>> 12.04.
>
>
> Last time I checked it requires patched openssh-server for
Ubuntu. Check
> this: https://marc.waeckerlin.org/computer/blog/ssh_and_ldap
>
> -Vesa
--
Petr^2 Spacek
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
