Author: Martin Steigerwald
Date:  
To: dng
Subject: Re: [DNG] Implementing directory services/Kerberos
wirelessduck@??? - 12.11.18, 01:26:
> On Fri, 9 Nov 2018 at 17:20, Martin Steigerwald <martin@???> wrote:
> > Héctor González - 09.11.18, 00:02:
> > > >> Quoting wirelessduck@??? (wirelessduck@???):

[…]
> > Or use sssd, in case it can be installed without pulling libsystemd0
> > / systemd. But for that you'd need to create configuration file by
> > hand. It is not very difficult, but it would configure with debconf
> > questions like nslcd does.
> >
> > It may be an option to use 389 directory server instead of OpenLDAP.
> > SUSE just made that move with SLES 15. And it has a GUI. I did not
> > yet test it more thoroughly, so I have nothing more to say about
> > it.
> 389 DS is part of the FreeIPA system, and my limited reading of it
> previously was that it's not so fabulous when running on non-redhat
> systems, hence why I decided to look at alternatives.

There are freeipa packages in Debian Unstable, but currently not in
Testing. So maybe the next Debian release has it, but that depends on
whether the maintainers can fix whatever the cause is for it not being in
Testing right now.

> > Of course, if Kerberos is used, I'd use libpam-krb5, libpam-heimdal
> > or libpam-shishi instead of libnss-ldapd. As nslcd recommends
> > libpam-krb5, it might work together with it.
> >
> > Of course Samba as AD DC (ideally together with Heimdal instead of
> > MIT Kerberos) is also an option.
> >
> > From what I saw with preparing training slides for all of these: I'd
> > like something simpler, still secure for all of that. Kerberos and
> > LDAP are hefty regarding their complexity.
>
> Can kerberos integrate with an existing OpenLDAP database, or would I
> have to maintain two separate user databases?

I have seen a module for Kerberos, I am not sure whether it was MIT or
Heimdal, to store Kerberos data in the LDAP tree. I did not test it so far.

If it is not integrated, you have to create each user in LDAP and in
Kerberos. It should be possible to make password upgrades work in both
cases.

> After a lot of reading, I'm still not sure how to implement Kerberos
> properly with LDAP. A lot of guides show how to install kerberos as a
> standalone system, and when they also say "kerberos is often used
> with OpenLDAP" they always include the proviso "but we won't describe
> how to do that in this guide".

Well… that is one of the reasons I am teaching this stuff in a course
here in Germany. There are some third-party books about Kerberos that
may help. I did not order any so far, so I can't say much more than that.

Ciao,
--
Martin
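As an added example, not taken from the thread or from any of the projects it names, here is a hand-written sssd.conf of the kind the reply above refers to: identity (users, groups, home directories) stays in the existing OpenLDAP tree via id_provider = ldap, while authentication is delegated to a Kerberos KDC via auth_provider = krb5, so the directory remains the single source of account data and no password hashes need to live in LDAP at all. The hostnames, realm, search base and CA path are placeholders.

```ini
; /etc/sssd/sssd.conf (added example, not from the thread)
; sssd refuses to start unless this file is mode 0600 and owned by root.
[sssd]
config_file_version = 2
services = nss, pam
domains = example

[domain/example]
; --- identity: existing OpenLDAP tree (placeholder host and base DN) ---
id_provider = ldap
ldap_uri = ldaps://ldap.example.invalid
ldap_search_base = dc=example,dc=invalid
; refuse LDAP servers whose certificate does not validate against our CA
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/example-ca.pem

; --- authentication and password changes: Kerberos KDC (placeholder) ---
auth_provider = krb5
chpass_provider = krb5
krb5_server = kdc.example.invalid
krb5_realm = EXAMPLE.INVALID
; verify the obtained TGT against this host's own key in /etc/krb5.keytab,
; so a spoofed KDC cannot produce a "successful" login on this machine
krb5_validate = true

; keeping credential hashes on local disk for offline login is a trade-off;
; leave it off unless laptops genuinely need to log in without the KDC
cache_credentials = false
```

After writing the file and setting its mode, the Debian way to wire the result into the PAM stacks is `pam-auth-update` (it adds pam_sss to the common-* files), and `getent passwd <user>` is the quickest check that the LDAP identity side resolves; a first `su - <user>` or `ssh` login then exercises the Kerberos side. Users must still be created twice, once as LDAP entries and once as KDC principals, which is exactly the two-database situation the reply describes for the non-integrated setup.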