LinuxQuestions.org
Forum: Linux - Security (all security related questions: tips, system compromises, firewalls, etc.)
Old 02-19-2010, 07:46 AM   #1
kja_007700
LQ Newbie
Registered: Jan 2010
Posts: 25
LDAP and Kerberos?


I am trying to deploy Kerberos and LDAP so users will be able to log in to a server on the edge of the LAN, and afterwards be able to establish an SSH connection to all the computers in that LAN without the need to type any passwords, and without the need for me to manage SSH keys [besides the SSH keys on the login server] and local user accounts.


1. When I create the users in OpenLDAP I use a template that I created by reading documentation from the Internet. In the template one piece of information that is needed is the UID. Is there any clever way to keep track of the numbers so I do not assign the same UID to two users, besides using a pen and paper?


2. For the users to be able to establish SSH connections between the computers, the host is going to be added to the keytab like this:

ktadd host/client.example.com

Is it possible to replace client with something generic so I do not need to manage these keytab files between the hosts?


3. Users will be logging on to the server on the edge of the LAN by using SSH keys. How can I configure the setup so the users will receive a ticket automatically when they log on, without executing kinit and without entering a password, just by having a valid SSH key?

4. krb5kdc is running on all the network interfaces on the server; I want it to only run on eth1. How can this be done?

Thanks in advance.

Last edited by kja_007700; 02-20-2010 at 05:13 PM. Reason: Making the questions more clear
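For question 1, the usual approach is to ask the directory itself which uidNumber values are already taken instead of tracking them on paper: dump the posixAccount entries with ldapsearch, then pick the next number. The script below is an added example, not code from the thread; it parses a constructed LDIF dump (the shape `ldapsearch -LLL ... uid uidNumber` prints, with sample entries invented here) and both flags duplicate uidNumbers, which would let two users read and write each other's files, and allocates the next one. The range 10000-59999 is an assumed local policy.

```python
"""Allocate the next uidNumber from an LDIF dump of posixAccount entries.

Added example for the LDAP UID question; the sample LDIF below is
constructed and does not come from the thread.
"""
import base64
import re

# Constructed sample of what
#   ldapsearch -LLL -b ou=People,dc=example,dc=com '(objectClass=posixAccount)' uid uidNumber
# might print. "mallory" deliberately reuses bob's number to show the duplicate check.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
uidNumber: 10000

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
uidNumber: 10001

dn: uid=carol,ou=People,dc=example,dc=com
uid: carol
uidNumber: 10003

dn: uid=mallory,ou=People,dc=example,dc=com
uid: mallory
uidNumber: 10001
"""


def parse_ldif(text):
    """Return one dict per entry, mapping attribute -> list of values.

    Handles LDIF continuation lines (a leading single space) and the
    "attr:: base64" form; comment lines are skipped.
    """
    entries, current = [], {}
    unfolded = re.sub(r"\n ", "", text)  # join folded lines
    for line in unfolded.splitlines():
        if not line.strip():             # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if value.startswith(":"):        # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode()
        current.setdefault(attr.strip(), []).append(value)
    if current:
        entries.append(current)
    return entries


def uid_map(entries):
    """Map uidNumber (int) -> list of uid names that carry it."""
    used = {}
    for entry in entries:
        for number in entry.get("uidNumber", []):
            used.setdefault(int(number), []).extend(entry.get("uid", ["?"]))
    return used


def duplicates(entries):
    """uidNumbers shared by more than one account: a security defect to fix first."""
    return {n: sorted(names) for n, names in uid_map(entries).items() if len(names) > 1}


def next_uid(entries, low=10000, high=59999, reuse=False):
    """Pick the next uidNumber inside [low, high] (assumed local policy).

    reuse=False (default): max(used) + 1, so a retired user's number is never
    handed to a new account that would then own the old user's leftover files.
    reuse=True: lowest unused number, which fills gaps but recycles old UIDs.
    """
    used = set(uid_map(entries))
    if reuse:
        for n in range(low, high + 1):
            if n not in used:
                return n
    else:
        candidate = max((n for n in used if low <= n <= high), default=low - 1) + 1
        if candidate <= high:
            return candidate
    raise RuntimeError("uidNumber pool exhausted")


if __name__ == "__main__":
    ents = parse_ldif(SAMPLE_LDIF)
    print("duplicate uidNumbers:", duplicates(ents))
    print("next uidNumber:", next_uid(ents))
```

Run it against real output by piping ldapsearch into `parse_ldif(sys.stdin.read())`. Two caveats: the script only reads, so two admins running it at the same moment can both be handed the same number (serialize user creation through one tool or one admin host), and the allocation still does not stop a wrong value being added by hand; OpenLDAP's unique overlay (slapo-unique) can be configured to reject a second entry with an existing uidNumber, which is the check to put on the server side.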
Old 02-19-2010, 10:49 AM   #2
acid_kewpie
Moderator
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,379
To obtain the ticket you just need to run kinit on the destination server. AFAIK, a standard krb5-configured PAM would cause a ticket to be requested upon login from an appropriate source, e.g. if sshd references pam_stack or system_auth then the generic system-wide config would apply.

I feel the urge to say that you called the thread "Integrating LDAP and Kerberos?", but there is no integration between the two. They have no common functionality at all, and it's only deliberately duplicated data between the two environments in terms of user names that links them at all.
Old 02-20-2010, 07:52 AM   #3
kja_007700
LQ Newbie
Registered: Jan 2010
Posts: 25

Original Poster
Quote: Originally Posted by acid_kewpie (post #2 above)
I will try to read up on pam_stack and system_auth.

By doing research on Kerberos and LDAP for the last couple of days, I see your point is valid: I need to create the same information in two places and keep track of this. I have changed the title of my thread and cleaned the question up a bit to make it more clear what my problem is.