:: Re: [DNG] Implementing directory se…
Forside
Slet denne besked
Besvar denne besked
Skribent: Martin Steigerwald
Dato:  
Til: dng
Emne: Re: [DNG] Implementing directory services/Kerberos
Héctor González - 09.11.18, 00:02:
> >> Quoting wirelessduck@??? (wirelessduck@???):
> > [snip]
> >
> >>> So my next question is, whats the recommended package to
> >>> authenticate
> >>> with LDAP and allow users to login to a desktop via their LDAP
> >>> account? I've seen various options for PAM and NSS, but do I need
> >>> to
> >>> configure both or just one?
> >
> > [snip]
>
> You can use libpam-ldap for this, it handles the authentication part.

[…]
> There is also nslcd, which I remember using with samba-ad, as nscd
> didn´t like that ldap for some reason, and it has a different config
> file /etc/nslcd.conf
>
> I´d use nscd first, and if you run into trouble try nslcd.


I suggest using nslcd with libpam-ldapd and libnss-ldapd. It has several
advantages¹.

Of course, if Kerberos is used, I'd use libpam-krb5, libpam-heimdal or
libpam-shishi instead of libnss-ldapd. As nslcd recommends libpam-krb5,
it might work together with it.

Or use sssd, in case it can be installed without pulling libsystemd0 /
systemd. But for that you'd need to create configuration file by hand.
It is not very difficult, but it would configure with debconf questions
like nslcd does.

It may be an option to use 389 directory server instead of OpenLDAP.
SUSE just made that move with SLES 15. And it has a GUI. I did not yet
test it more thoroughly, so I have nothing more to say about it.

Of course Samba as AD DC (ideally together with Heimdal instead of MIT
Kerberos) is also an option.

From what I saw with preparing training slides for all of these: I'd
like something simpler, still secure for all of that. Kerberos and LDAP
are hefty regarding their complexity.

[1] https://arthurdejong.org/nss-pam-ldapd/

Ciao,
--
Martin