OpenLDAP

ilesterg · 02-16-2017, 06:24 PM

Hi all!

I have been following this guide and this Gentoo guide and I was able to set up a VM to act as an authentication server for my other VMs (with GUI).

I'm trying to learn OpenLDAP because I'm supposed to help my local municipal office "overhaul" their IT infrastructure, which is currently composed of around 20 desktops. So one of the "needs" I pointed out is a centralized authentication.

I'm planning to use CentOS as the OpenLDAP server and KUbuntu or XUbuntu or Windows 7 as their desktops.

My question really is how should I structure my LDAP tree, I can't find a good guide online on how to map an organization to an LDAP tree. From following the link from itzgeek I was able to create 2 users but that's about it. How about using groups and permissions and how they map to the OS's native security?

Another concern are authentication and encryption..what are my choices (from the ones natively supported by OpenLDAP) and what are the pros and cons of each?

Sorry if this sounds like asking too much but believe me I have browsed OpenLDAP's documentation but it was just overwhelming.

TIA.

ericson007 · 02-16-2017, 06:46 PM

I certainly am not a professional for centralized authentication, but you may be able to get away with using FreeIPA which is designed specifically for that sort of thing and is availabe in the centos repo.

https://access.redhat.com/site/docum...ide/index.html

It sets up kerberos as well as 386 ldap server for authentication purposes.

sundialsvcs · 02-17-2017, 08:13 AM

Well, that might be considerably more detail than the OP needs to know in this case. This guide is really talking about a setup at an Enterprise level. But it would be a good "skim read" for background.

Other possibilities:

The last two articles offer a possibility that should not be overlooked in a "mixed Linux and Windows" shop: single-sign-on authentication that works for either and both environments, managed using Microsoft's management tools – which are rather nicely done. (What Microsoft calls "Open Directory" is basically LDAP.)