[wellylug] LDAP info

Anton anton.list at gmail.com
Tue Sep 18 10:33:36 NZST 2007


On 18/09/2007, nic <nic at tymar.com> wrote:
> There's a bunch of users with Windows desktops, a Windows 2003 server, a Linux box with
> postfix and squid, people currently have separate passwords for logging on to Windows, in
> to mail, and on to squid. In addition some people have passwords for specialised network
> devices, and/or browser-based apps on some apache servers (typically written in PHP or
> Python, with source available), PPTP access and probably a million other things I've
> forgotten.
>
> LDAP is the thing that comes to mind when I think about ways of trying to manage this
> complexity and move towards a single sign on, (preferably using PKI rather than passwords,
> but that's another step). Trouble is, I don't really even know the questions to ask to get
> me on the way, hence the ill-defined nature of the original post.
>
> Does LDAP sound like the right type of tool to use in this case? Is it better to use the
> Windows AD LDAP, or a separate server? Am I being naive in thinking it would be possible
> to get down to a single authentication system and a single password/key for the majority
> of users? Has anyone out there done this sort of thing and are they willing to sell/give
> some advice?

LDAP strictly speaking isn't for authentication, even though it can be
twisted into doing that due to LDAP servers having their own internal
permissions. LDAP is intended as a centralised hierarchical directory
storing information about your users, e.g. uids, gids, home directories,
shells, phone numbers etc.

I have had some success in the past with setting up Kerberos 5 with
PAM and kerberised nss_ldap (using GSSAPI instead of TLS certs), and
kerberised openssh for single sign on for Linux computers in an Active
Directory (with MS Services for Unix) network.

So Kerberos is the key to centralised cross platform authentication.
nss_ldap is needed for picking up centralised uids etc from LDAP -
otherwise the same Kerberos user will have different uids on different
machines. Managing Unix users in AD was pretty seamless, but creating
Kerberos credentials for the actual Linux machines themselves was a
bit clunky.

So it can be done 'natively' without using Samba, but Samba is
probably easier to set up. It was a fair bit of effort to figure it
all out. I had to build custom nss_ldap modules to get the GSSAPI
stuff enabled. But I think the latest Debian versions have those
options enabled by default now.

Stuff I didn't get around to playing with, but that theoretically
should be doable:

Using GSSAPI/SPNEGO to get Firefox (on both Windows and Linux) and IE
transparently authenticating over HTTP to IIS/ISA/Apache/Squid etc.
Firefox needs a little config tweak to enable SPNEGO over non HTTPS
connections. Theoretically the various GSSAPI modules for Apache work
though.

Good luck :)

-- 
Cheers
Anton
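To make the Kerberos + nss_ldap + PAM arrangement Anton describes concrete, here is an added example (not from the post or the Debian packages) that renders the client-side files such a Linux host needs. The realm, domain controller, search base, credential-cache path and the MS Services for Unix attribute names are placeholders and assumptions; the file paths are the Debian ones of that era.

```shell
#!/bin/sh
# Added example: write the Kerberos/nss_ldap/PAM client files under $root
# so a host authenticates against AD's KDC and picks uids/gids from AD's LDAP.
set -eu

render_sso_configs() {
    root="$1"; realm="$2"; dc="$3"; base="$4"   # all placeholders
    mkdir -p "$root/etc/pam.d"

    # Kerberos: the AD domain controller acts as KDC and admin server.
    cat > "$root/etc/krb5.conf" <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = false
[realms]
    $realm = {
        kdc = $dc
        admin_server = $dc
    }
EOF

    # nss_ldap: bind over SASL/GSSAPI with the host's ticket cache instead of
    # a stored bind password; the ccache must be renewed from the host keytab.
    # The msSFU30* names are the SFU 3.x schema attributes (assumed here).
    cat > "$root/etc/ldap.conf" <<EOF
uri ldap://$dc/
base $base
use_sasl on
sasl_mech GSSAPI
krb5_ccname FILE:/var/run/ldap_host.cc
nss_base_passwd $base?sub
nss_base_group $base?sub
nss_map_objectclass posixAccount User
nss_map_attribute uid msSFU30Name
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
EOF

    # nsswitch: local accounts first, then the centralised uids from LDAP,
    # so the same Kerberos principal gets the same uid on every machine.
    printf 'passwd: files ldap\ngroup:  files ldap\nshadow: files ldap\n' \
        > "$root/etc/nsswitch.conf"

    # PAM: try Kerberos first, fall back to local passwords for system users.
    printf 'auth sufficient pam_krb5.so minimum_uid=1000\n' \
        > "$root/etc/pam.d/common-auth"
    printf 'auth required pam_unix.so nullok_secure try_first_pass\n' \
        >> "$root/etc/pam.d/common-auth"
}
```

Point `render_sso_configs` at `/` only on a host that already has a keytab issued by AD; run it against a scratch directory first to review the output.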
