:: Re: [DNG] Implementing directory se…
Forside
Slet denne besked
Besvar denne besked
Skribent: wirelessduck
Dato:  
Til: martin
CC: dng
Emne: Re: [DNG] Implementing directory services/Kerberos
On Fri, 9 Nov 2018 at 17:20, Martin Steigerwald <martin@???> wrote:
>
> Héctor González - 09.11.18, 00:02:
> > >> Quoting wirelessduck@??? (wirelessduck@???):
> > > [snip]
> > >
> > >>> So my next question is, whats the recommended package to
> > >>> authenticate
> > >>> with LDAP and allow users to login to a desktop via their LDAP
> > >>> account? I've seen various options for PAM and NSS, but do I need
> > >>> to
> > >>> configure both or just one?
> > >
> > > [snip]
> >
> > You can use libpam-ldap for this, it handles the authentication part.
> […]
> > There is also nslcd, which I remember using with samba-ad, as nscd
> > didn´t like that ldap for some reason, and it has a different config
> > file /etc/nslcd.conf
> >
> > I´d use nscd first, and if you run into trouble try nslcd.
>
> I suggest using nslcd with libpam-ldapd and libnss-ldapd. It has several
> advantages¹.


Yes, I've tried libnss-ldapd with libpam-ldapd and nslcd, and it seems
to be working fine for ldap-based logins. Thanks.

> Or use sssd, in case it can be installed without pulling libsystemd0 /
> systemd. But for that you'd need to create configuration file by hand.
> It is not very difficult, but it would configure with debconf questions
> like nslcd does.
>
> It may be an option to use 389 directory server instead of OpenLDAP.
> SUSE just made that move with SLES 15. And it has a GUI. I did not yet
> test it more thoroughly, so I have nothing more to say about it.


389 DS is part of the FreeIPA system, and my limited reading of it
previously was that it's not so fabulous when running on non-redhat
systems, hence why I decided to look at alternatives.

> Of course, if Kerberos is used, I'd use libpam-krb5, libpam-heimdal or
> libpam-shishi instead of libnss-ldapd. As nslcd recommends libpam-krb5,
> it might work together with it.


> Of course Samba as AD DC (ideally together with Heimdal instead of MIT
> Kerberos) is also an option.
>
> From what I saw with preparing training slides for all of these: I'd
> like something simpler, still secure for all of that. Kerberos and LDAP
> are hefty regarding their complexity.


Can kerberos integrate with an existing OpenLDAP database, or would I
have to maintain two separate user databases?

After a lot of reading, I'm still not sure how to implement Kerberos
properly with LDAP. A lot of guides show how to install kerberos as a
standalone system, and when they also say "kerberos is often used with
OpenLDAP" they always include the proviso "but we won't describe how
to do that in this guide".

Thanks,

--Tom