06-12-2008, 07:15 PM
Jan Frode Myklebust

fds + kerberos

I have fds set up for user management, and have kerberos set
up for authentication, but am a bit uncertain if I'm now finished,
or if fds+kerberos are supposed to be better integrated.

Is the normal procedure for managing users:

- add user info to the directory (ldapadd)
- create user principal (addprinc username)

Or can the creation of user principal be automatically created
from within fds when we create users there ?


-jf

--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
 
06-12-2008, 07:45 PM
Rich Megginson

fds + kerberos

Jan Frode Myklebust wrote:

> I have fds set up for user management, and have kerberos set
> up for authentication, but am a bit uncertain if I'm now finished,
> or if fds+kerberos are supposed to be better integrated.
>
> Is the normal procedure for managing users:
>
> - add user info to the directory (ldapadd)
> - create user principal (addprinc username)
>
> Or can the creation of user principal be automatically created
> from within fds when we create users there ?

freeipa.org is a project dedicated to answering this and other similar
ldap+kerberos questions.

> -jf
 
06-13-2008, 11:49 AM
Jan Frode Myklebust

fds + kerberos

On 2008-06-12, Rich Megginson <rmeggins@redhat.com> wrote:
>> Is the normal procedure for managing users:
>>
>> - add user info to the directory (ldapadd)
>> - create user principal (addprinc username)
>>
>> Or can the creation of user principal be automatically created
>> from within fds when we create users there ?
>>
> freeipa.org is a project dedicated to answering this and other similar
> ldap+kerberos questions.

That felt a bit like an "Active Directory is a solution that does what
you're trying to do, why don't you just use that" answer.. ;-)

I know about freeipa.org, have read most of the documentation and even
lightly tested it. But, freeipa expects you to add/manipulate users through
a webgui, or specialized freeipa-commands. That doesn't tell me much
about what's happening behind the scene..

Also, we already have an identity management solution deployed (Sun Identity
Manager), so my question is mostly if it should just update the directory
server, and have the directory server create the kerberos principals. Or if
it needs to know about both resources, and keep them both in sync.


-jf

 
06-13-2008, 01:20 PM
Rich Megginson

fds + kerberos

Jan Frode Myklebust wrote:

> On 2008-06-12, Rich Megginson <rmeggins@redhat.com> wrote:
>>> Is the normal procedure for managing users:
>>>
>>> - add user info to the directory (ldapadd)
>>> - create user principal (addprinc username)
>>>
>>> Or can the creation of user principal be automatically created
>>> from within fds when we create users there ?
>>>
>> freeipa.org is a project dedicated to answering this and other similar
>> ldap+kerberos questions.
>
> That felt a bit like an "Active Directory is a solution that does what
> you're trying to do, why don't you just use that" answer.. ;-)

Well, if you are just starting out with Fedora DS + Kerberos, that would
be the way to go - but since you're not . . .

> I know about freeipa.org, have read most of the documentation and even
> lightly tested it. But, freeipa expects you to add/manipulate users through
> a webgui, or specialized freeipa-commands. That doesn't tell me much
> about what's happening behind the scene..
>
> Also, we already have an identity management solution deployed (Sun Identity
> Manager), so my question is mostly if it should just update the directory
> server, and have the directory server create the kerberos principals. Or if
> it needs to know about both resources, and keep them both in sync.

. . . you have to know about both resources, and keep them both in
sync. I don't know much about Sun Identity Manager - perhaps it has
tools to help you do this.

> -jf
 
06-13-2008, 03:46 PM
Jan Frode Myklebust

fds + kerberos

On 2008-06-13, Rich Megginson <rmeggins@redhat.com> wrote:
>>
>> That felt a bit like an "Active Directory is a solution that does what
>> you're trying to do, why don't you just use that" answer.. ;-)
>>
> Well, if you are just starting out with Fedora DS + Kerberos, that would
> be the way to go - but since you're not . . .

Yea, it looks like a very promising project. Unfortunately (?) we're a bit
invested in Sun Identity Manager..

> . . . you have to know about both resources, and keep them both in
> sync. I don't know much about Sun Identity Manager - perhaps it has
> tools to help you do this.

Ok, great. Thanks. Then I think we have the directory and kerberos set
up correctly. Time to integrate it with SIM.


-jf

 
06-13-2008, 06:02 PM
Howard Chu

fds + kerberos

> Date: Thu, 12 Jun 2008 21:15:49 +0200
> From: Jan Frode Myklebust <janfrode@tanso.net>
>
> I have fds set up for user management, and have kerberos set
> up for authentication, but am a bit uncertain if I'm now finished,
> or if fds+kerberos are supposed to be better integrated.
>
> Is the normal procedure for managing users:
>
> - add user info to the directory (ldapadd)
> - create user principal (addprinc username)
>
> Or can the creation of user principal be automatically created
> from within fds when we create users there ?

If you're using Heimdal's KDC there is a much less clumsy solution - just
configure your KDC to store its information in LDAP. Then you can include the
KDC-specific attributes in your ldapadd requests, and manage both sets of
users solely through LDAP. This works very well with OpenLDAP; I think it
should also work with FDS 1.1 now that they've integrated ldapi:// support
(but haven't tried it myself). You can then also configure OpenLDAP to
automatically synchronize password changes between LDAP and Kerberos (since
all the information is in the LDAP entry).

I believe recent versions of MIT Kerberos also offer this possibility, but I
haven't heard of any success stories with it so far.

--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
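Both models in this thread leave something to verify: with a separate KDC database (Rich's answer) the two stores have to be kept in sync by whoever provisions users, and with the KDC reading its database from LDAP (Howard's suggestion) every account entry has to carry the KDC attributes or the user exists for LDAP but has no Kerberos identity. The script below is an added example, not code from this thread or from Fedora DS, FreeIPA, Heimdal or MIT Kerberos. It parses an LDIF export and a principal listing and reports drift in both directions, plus the missing-attribute case for the single-store model. The LDIF, the principal listing, the realm EXAMPLE.COM and the objectClass/attribute names krb5KDCEntry and krb5PrincipalName (taken from Heimdal's hdb.schema as I recall it) are constructed assumptions.

```python
"""Drift checks between a directory export (LDIF) and a KDC principal list.
Added example for this thread, not code from Fedora DS, FreeIPA, Heimdal or MIT
Kerberos; the LDIF export and the principal listing are constructed samples."""
import base64
import re
from typing import Dict, List, Set

Entry = Dict[str, List[str]]  # lower-cased attribute name -> values
# Constructed export as `ldapsearch -LLL ... '(objectClass=posixAccount)'` prints it.
# jdoe also carries what a Heimdal hdb-ldap entry needs (objectClass krb5KDCEntry and
# krb5PrincipalName; names assumed from Heimdal's hdb.schema), rsmith does not.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: account
objectClass: posixAccount
objectClass: krb5KDCEntry
uid: jdoe
description:: QmFzZTY0IGVuY29kZWQ=
krb5PrincipalName: jdoe@EXAMPLE.COM
krb5KeyVersionNumber: 3

dn: uid=rsmith,ou=People,dc=example,dc=com
objectClass: account
objectClass: posixAccount
uid: rsmith
description: Contractor account, provisioned by the help
 desk
"""
# Constructed listing in the shape of `kadmin -l list '*'` (Heimdal) or
# `kadmin.local listprincs` (MIT): a banner line, then one principal per line.
SAMPLE_PRINCIPALS = """\
Authenticating as principal admin/admin@EXAMPLE.COM with password.
krbtgt/EXAMPLE.COM@EXAMPLE.COM
host/ldap1.example.com@EXAMPLE.COM
jdoe@EXAMPLE.COM
jdoe/admin@EXAMPLE.COM
tmiller@EXAMPLE.COM
guest@LAB.EXAMPLE.COM
"""

def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: unfolds continuation lines, decodes 'attr::' base64
    values, keeps 'attr:<' URL references as text, skips comments and 'version:'."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:  # a folded line continues the previous one
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, current = [], {}
    for line in logical + [""]:  # the trailing "" flushes the last entry
        if not line:
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):  # attr:: <base64>
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.lstrip("<").strip()
        current.setdefault(name.lower(), []).append(value)
    return entries

def object_classes(entry: Entry) -> Set[str]:
    return {c.lower() for c in entry.get("objectclass", [])}

def directory_accounts(entries: List[Entry], realm: str) -> Dict[str, str]:
    """Expected principal (uid@REALM, the addprinc convention in the thread) -> dn."""
    return {f"{e['uid'][0]}@{realm}": e["dn"][0]
            for e in entries if "posixaccount" in object_classes(e) and "uid" in e}

_USER_PRINCIPAL = re.compile(r"^[^\s@/]+@([A-Za-z0-9.\-]+)$")

def kdc_user_principals(listing: str, realm: str) -> Set[str]:
    """User principals of `realm`: drops banner lines, anything with an instance
    ('/': krbtgt, host, kadmin, user/admin) and principals of other realms."""
    return {m.group(0) for m in map(_USER_PRINCIPAL.match, map(str.strip, listing.splitlines()))
            if m and m.group(1) == realm}

def find_drift(ldif_text: str, listing: str, realm: str) -> Dict[str, List[str]]:
    """Two-store model (directory plus a separate KDC database)."""
    accounts = directory_accounts(parse_ldif(ldif_text), realm)
    principals = kdc_user_principals(listing, realm)
    return {"no_principal": sorted(set(accounts) - principals),  # ldapadd done, addprinc missed
            "no_entry": sorted(principals - set(accounts))}      # orphan that still gets tickets

def kdc_in_ldap_gaps(entries: List[Entry]) -> List[str]:
    """Single-store model (KDC reading LDAP): accounts lacking the KDC attributes."""
    return [e["dn"][0] for e in entries if "posixaccount" in object_classes(e)
            and ("krb5kdcentry" not in object_classes(e) or "krb5principalname" not in e)]

if __name__ == "__main__":
    print(find_drift(SAMPLE_LDIF, SAMPLE_PRINCIPALS, "EXAMPLE.COM"))
    print("no KDC attributes:", kdc_in_ldap_gaps(parse_ldif(SAMPLE_LDIF)))
```

Against a real deployment, feed it the output of an `ldapsearch -LLL` over the people container and of `kadmin -l list '*'` (Heimdal) or `kadmin.local -q listprincs` (MIT). The `no_entry` list is the one to watch: removing a directory entry does nothing to a principal held in a separate KDC database, so that user keeps getting tickets until someone also runs delprinc, which is exactly the kind of gap an identity manager that only knows about one of the two resources will leave behind.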
 
06-13-2008, 06:33 PM
Rich Megginson

fds + kerberos

Howard Chu wrote:

>> Date: Thu, 12 Jun 2008 21:15:49 +0200
>> From: Jan Frode Myklebust <janfrode@tanso.net>
>>
>> I have fds set up for user management, and have kerberos set
>> up for authentication, but am a bit uncertain if I'm now finished,
>> or if fds+kerberos are supposed to be better integrated.
>>
>> Is the normal procedure for managing users:
>>
>> - add user info to the directory (ldapadd)
>> - create user principal (addprinc username)
>>
>> Or can the creation of user principal be automatically created
>> from within fds when we create users there ?
>
> If you're using Heimdal's KDC there is a much less clumsy solution -
> just configure your KDC to store its information in LDAP. Then you can
> include the KDC-specific attributes in your ldapadd requests, and
> manage both sets of users solely through LDAP. This works very well
> with OpenLDAP; I think it should also work with FDS 1.1 now that
> they've integrated ldapi:// support (but haven't tried it myself). You
> can then also configure OpenLDAP to automatically synchronize password
> changes between LDAP and Kerberos (since all the information is in the
> LDAP entry).
>
> I believe recent versions of MIT Kerberos also offer this possibility,
> but I haven't heard of any success stories with it so far.

This is what freeipa provides - MIT Kerberos using Fedora DS as its
backend database, including password sync.
 
06-13-2008, 06:48 PM
Scott Grizzard

fds + kerberos

With Heimdal and OpenLDAP, you can use the smbk5pwd overlay (it's in the
contrib directory) to sync heimdal keys, openldap passwords (it actually
points the openldap password to the heimdal key), and sambaLM and
sambaNT hashes. Then, if you configure your client services to change
passwords using ldappasswd, you can avoid the long chain of custom
scripts to keep everything in sync.

If there is something similar for MIT Kerberos and FDS, I would be sold
in a microsecond.

Doesn't Samba 4 make this problem moot though?

- Scott

Howard Chu wrote:

>> Date: Thu, 12 Jun 2008 21:15:49 +0200
>> From: Jan Frode Myklebust <janfrode@tanso.net>
>>
>> I have fds set up for user management, and have kerberos set
>> up for authentication, but am a bit uncertain if I'm now finished,
>> or if fds+kerberos are supposed to be better integrated.
>>
>> Is the normal procedure for managing users:
>>
>> - add user info to the directory (ldapadd)
>> - create user principal (addprinc username)
>>
>> Or can the creation of user principal be automatically created
>> from within fds when we create users there ?
>
> If you're using Heimdal's KDC there is a much less clumsy solution -
> just configure your KDC to store its information in LDAP. Then you can
> include the KDC-specific attributes in your ldapadd requests, and
> manage both sets of users solely through LDAP. This works very well
> with OpenLDAP; I think it should also work with FDS 1.1 now that
> they've integrated ldapi:// support (but haven't tried it myself). You
> can then also configure OpenLDAP to automatically synchronize password
> changes between LDAP and Kerberos (since all the information is in the
> LDAP entry).
>
> I believe recent versions of MIT Kerberos also offer this possibility,
> but I haven't heard of any success stories with it so far.
 
06-13-2008, 06:53 PM
Rob Crittenden

fds + kerberos

Scott Grizzard wrote:

> With Heimdal and OpenLDAP, you can use the smbk5pwd overlay (it's in the
> contrib directory) to sync heimdal keys, openldap passwords (it actually
> points the openldap password to the heimdal key), and sambaLM and
> sambaNT hashes. Then, if you configure your client services to change
> passwords using ldappasswd, you can avoid the long chain of custom
> scripts to keep everything in sync.
>
> If there is something similar for MIT Kerberos and FDS, I would be sold
> in a microsecond.

The freeIPA password plugin does that if the entry has the objectclass
sambaSamAccount in it.

> Doesn't Samba 4 make this problem moot though?
>
> - Scott
>
> Howard Chu wrote:
>
>>> Date: Thu, 12 Jun 2008 21:15:49 +0200
>>> From: Jan Frode Myklebust <janfrode@tanso.net>
>>>
>>> I have fds set up for user management, and have kerberos set
>>> up for authentication, but am a bit uncertain if I'm now finished,
>>> or if fds+kerberos are supposed to be better integrated.
>>>
>>> Is the normal procedure for managing users:
>>>
>>> - add user info to the directory (ldapadd)
>>> - create user principal (addprinc username)
>>>
>>> Or can the creation of user principal be automatically created
>>> from within fds when we create users there ?
>>
>> If you're using Heimdal's KDC there is a much less clumsy solution -
>> just configure your KDC to store its information in LDAP. Then you can
>> include the KDC-specific attributes in your ldapadd requests, and
>> manage both sets of users solely through LDAP. This works very well
>> with OpenLDAP; I think it should also work with FDS 1.1 now that
>> they've integrated ldapi:// support (but haven't tried it myself). You
>> can then also configure OpenLDAP to automatically synchronize password
>> changes between LDAP and Kerberos (since all the information is in the
>> LDAP entry).
>>
>> I believe recent versions of MIT Kerberos also offer this possibility,
>> but I haven't heard of any success stories with it so far.
 
06-14-2008, 04:31 PM
Howard Chu

fds + kerberos

> Date: Fri, 13 Jun 2008 11:48:50 -0700
> From: Scott Grizzard <scott@scottgrizzard.com>
>
> With Heimdal and OpenLDAP, you can use the smbk5pwd overlay (it's in the
> contrib directory) to sync heimdal keys, openldap passwords (it actually
> points the openldap password to the heimdal key), and sambaLM and
> sambaNT hashes. Then, if you configure your client services to change
> passwords using ldappasswd, you can avoid the long chain of custom
> scripts to keep everything in sync.

Right. (I figure you weren't explaining that to me, since I wrote all that code.)

> If there is something similar for MIT Kerberos and FDS, I would be sold
> in a microsecond.

That'd probably be a premature move. The MIT code is far less stable than
Heimdal. Their library has a long history of thread safety issues, security
flaws, and crashes in threaded servers. The MIT folks may be ok on the
conceptual side, but when it comes to practical implementations they fumble
the details more often than not. There are a lot of reasons both OpenLDAP and
Samba support Heimdal.

> Doesn't Samba 4 make this problem moot though?

As far as I know Samba 4 handles password synchronization from the SMB side,
but you still want to have synchronization for ldappasswd and such.

--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
 
