LinuxQuestions.org


kja_007700 02-19-2010 07:46 AM

LDAP and Kerberos?
 
I am trying to deploy Kerberos and LDAP so users will be able to log in to a server on the edge of the LAN, and afterwards be able to establish an SSH connection to all the computers in that LAN without the need to type any passwords, and without the need for me to manage SSH keys [besides the SSH keys on the login server] and local user accounts.


1. When I create the users in OpenLDAP I use a template that I created by reading documentation from the Internet. In the template one piece of information that is needed is the UID. Is there any clever way to keep track of the numbers so I do not assign the same UID to two users, besides using a pen and paper?


2. For the users to be able to establish SSH connections between the computers, the host is going to be added to the keytab like this:

ktadd host/client.example.com

Is it possible to replace client with something generic so I do not need to manage these keytab files between the hosts?


3. Users will be logging on to the server on the edge of the LAN by using SSH keys. How can I configure the setup so the users will receive a ticket automatically when they log on, without executing kinit and without entering a password, just by having a valid SSH key?

4. krb5kdc is running on all the network interfaces in the server; I want it to only run on eth1. How can this be done?

Thanks in advance.
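For question 1 above (tracking uidNumber values without pen and paper), here is an added example that is not part of the thread: it parses the output of an ldapsearch over the posixAccount entries, flags any uidNumber already shared by two accounts, and computes the next number to hand out. The base DN, the 1000 starting point and the sample LDIF are assumptions constructed for the example.

```python
"""Find the next free uidNumber from OpenLDAP posixAccount entries.

Feed it the output of (base DN is an assumption, adjust to your directory):
  ldapsearch -x -LLL -b "ou=People,dc=example,dc=com" \
      "(objectClass=posixAccount)" uid uidNumber | python3 next_uid.py
"""
import re
import sys

UID_MIN = 1000  # assumed start of the range for human users

# Constructed sample, standing in for real ldapsearch -LLL output.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
uidNumber: 1000

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
uidNumber: 1002

dn: uid=carol,ou=People,dc=example,dc=com
uid: carol
uidNumber: 1002
"""


def parse_uid_numbers(ldif):
    """Return {uid: uidNumber}. Entries in LDIF are separated by blank lines."""
    result, uid, num = {}, None, None
    for line in ldif.splitlines() + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if uid is not None and num is not None:
                result[uid] = num
            uid, num = None, None
            continue
        m = re.match(r"^(uidNumber|uid):\s*(\S+)$", line)
        if m and m.group(1) == "uid":
            uid = m.group(2)
        elif m:
            num = int(m.group(2))
    return result


def find_duplicates(uids):
    """uidNumbers assigned to more than one account: two users sharing one uidNumber
    own each other's files, which is exactly the collision the poster wants to avoid."""
    by_num = {}
    for name, num in uids.items():
        by_num.setdefault(num, []).append(name)
    return {num: sorted(names) for num, names in by_num.items() if len(names) > 1}


def next_uid(uids, lo=UID_MIN):
    """One past the highest uidNumber in use. Gaps from deleted users are deliberately
    not reused, so a new user never inherits stray files still owned by the old number."""
    return max(list(uids.values()) + [lo - 1]) + 1


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    accounts = parse_uid_numbers(text)
    for num, names in find_duplicates(accounts).items():
        print(f"WARNING: uidNumber {num} is shared by {', '.join(names)}")
    print(f"next free uidNumber: {next_uid(accounts)}")
```

Note that this only catches collisions after the fact; on a busy directory you still need a single allocation point (one admin or one script) so that two additions prepared in parallel cannot pick the same number.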

acid_kewpie 02-19-2010 10:49 AM

To obtain the ticket you just need to run kinit on the destination server. AFAIK, a standard krb5 configured PAM would cause a ticket to be requested upon login from an appropriate source, e.g. if sshd references pam_stack or system_auth then the generic system-wide config would apply.

I feel the urge to say that you called the thread "Integrating LDAP and Kerberos?" But there is no integration between the two. They have no common functionality at all, and it's only deliberately duplicated data between the two environments in terms of user names that links them at all.

kja_007700 02-20-2010 07:52 AM

Quote:

Originally Posted by acid_kewpie (Post 3869541)
To obtain the ticket you just need to run kinit on the destination server. AFAIK, a standard krb5 configured PAM would cause a ticket to be requested upon login from an appropriate source, e.g. if sshd references pam_stack or system_auth then the generic system-wide config would apply.

I feel the urge to say that you called the thread "Integrating LDAP and Kerberos?" But there is no integration between the two. They have no common functionality at all, and it's only deliberately duplicated data between the two environments in terms of user names that links them at all.

I will try to read up on pam_stack and system_auth.

By doing research on Kerberos and LDAP for the last couple of days, I see your point is valid: I need to create the same information in two places and keep track of this. I have changed the title of my thread and cleaned the question up a bit to make it clearer what my problem is.

