This is a discussion on Setting up Kerberos, Cyrus-SASL, OpenLDAP within the Linux Security forums, part of the System Security and Security Related category.
Largely for educational purposes, but also for family convenience, I'm trying to move my home LAN to network authentication. I've done what reading I can find on the web, HowTos and the like, and still have a few questions...

All 3 packages are installed on a Gentoo system. Seems to me that I should configure and bring up Kerberos, then Cyrus-SASL, then OpenLDAP, since each will depend on the one before. But as for loading my passwords and such, should accounts and passwords be first loaded in under Kerberos, then again under OpenLDAP? Or should only a test account be loaded in under Kerberos, and real accounts be loaded in through OpenLDAP only?

My user accounts are set up 'the Redhat Way', but I believe in the long run, if I also integrate Samba into all of this as a PDC, I'll want a better thought-out account space. It looks like 'usermod' and 'groupmod' can let me take care of this, but anything not under /home, like /var/spool/mail, will have to be taken care of manually. Correct? (I've never used this one before.)

I'd like to restrict access by machine. Each machine will have an ordinary account, which can turn into root. Servers will have no ordinary accounts for family members. I'll be moving to Cyrus-IMAP for this reason, to eliminate family accounts from the server. I've found an IBM document on restricting access per-machine with OpenLDAP. But I've read the 'OpenLDAP-V3 (OpenLDAP+Kerberos+Cyrus-SASL)' HowTo, which suggests running authentication directly through Kerberos, instead of the multilayer OpenLDAP/SSL/SASL/Kerberos path. With this method, I'm not sure how to restrict access by machine. Suggestions welcome.

I'd like to fit functions besides authentication into OpenLDAP, like a network address book, and someday roaming users, whenever Mozilla adds support. I get the impression that LDAP can be pretty picky about setting up schemas, but so far the articles I've read focus on only one purpose (authentication) or another (address book, roaming). Can someone point to a Web document telling me how to combine these?

Thanks, Dale Pontius
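For the per-machine restriction the post asks about, one way it is commonly done on the OpenLDAP/pam_ldap path is to give each user entry a `host` attribute (from the `account` object class) and set `pam_check_host_attr yes` in the client's `/etc/ldap.conf`, so pam_ldap refuses logins on any host whose name is not listed. The LDIF below is an added example, not taken from the post or the IBM document it mentions; the base DN, user and hostnames are made-up placeholders, and it assumes pam_ldap is the PAM module in use on the clients.

```ldif
# Added example: one family account allowed on two workstations only.
# pam_ldap compares the client's own hostname against the host values
# when /etc/ldap.conf contains "pam_check_host_attr yes"; an entry with
# no matching host value (or no host attribute at all) is denied.
dn: uid=alice,ou=People,dc=example,dc=home
objectClass: top
objectClass: account
objectClass: posixAccount
cn: Alice Example
uid: alice
uidNumber: 1001
gidNumber: 100
homeDirectory: /home/alice
loginShell: /bin/bash
# Workstations this user may log in to. The mail/file server is
# deliberately absent, so logins there are rejected by pam_ldap.
host: desktop.example.home
host: laptop.example.home
```

This check is enforced by the client's PAM stack, not by slapd, so the server-side slapd ACLs still need to keep the `host` attribute writable only by the administrator.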