[389-users] Developting a CentOS-DS setup
Doug Coats
dcoatshca at gmail.com
Sat Jun 13 12:51:26 UTC 2009
John,
Thanks again for the information! As I go through this process I am sure it
will be invaluable. I am making progress but I have also run into a
specific problem. I am going to post this to the entire group since it does
not specifically have to do with your prior informtion. I may post to this
thread in the future with questions specific to your instrucitons. This is
sort of a long term project for me that I am working on besides my other
responsibilities. Anyway I guess I am trying to say "stay tuned."
Thanks again, Doug
On Mon, Jun 8, 2009 at 4:41 AM, John A. Sullivan III <
jsullivan at opensourcedevel.com> wrote:
> On Sun, 2009-06-07 at 14:33 -0500, Doug Coats wrote:
> > Thanks a ton John! This certainly gives me somewhere to start. Now I
> > just need to figure out what parts Linux needs to authenticate to
> > begin with. Do I need SSL if all of my LDAP reequests are coming from
> > internal servers?
> <snip>
> The bottom part of the plan should give you most of that information.
> Some of the essential bits are in the clientsetup script we created and
> I really shouldn't post that. We do set up our users with
> objectlclasses of posixaccount and ntuser (I believe that's correct). On
> RedHat systems we also do something that I believe is technically
> incorrect, we add a posixgroup objectclass to the users to account for
> the personal group created by default.
>
> To keep the IDs unique among all the systems, we enforce unique uid,
> uidnumber, and gidnumber and, for other reasons in our multi-client
> environment, cn. This is one of the major reasons why we divide our DIT
> at the top level between Internal objects (which must enforce this
> uniqueness) and External objects (such as client contact lists) which do
> not enforce that uniqueness.
>
> At that point, one can use ldap.conf, nsswitch.conf, and the pam.d
> modules (largely configured automatically by, oh I forget the package
> name, I think it is authconfig - it's in the plan) to allow the Linux
> systems to authenticate users against LDAP.
>
> Certainly because we are a multi-client environment but even if we
> weren't, we do not believe in the hard and crunchy outside, soft and
> chewy inside security model. The network revolution means the primary
> attack vector is now on the inside of the network and not the outside.
> Truth be told, it always was. That's why we use SSL even on the
> internal network. If someone plants a protocol analyzer on the network,
> with a little bit of ARP poisoning, there's nothing they can't see
> traversing the wire. That's why we launched the ISCS network security
> project (http://iscs.sourceforge.net) and tend to "firepipe" rather than
> firewall our networks.
>
> Hope this helps - John
> --
> John A. Sullivan III
> Open Source Development Corporation
> +1 207-985-7880
> jsullivan at opensourcedevel.com
>
> http://www.spiritualoutreach.com
> Making Christianity intelligible to secular society
>
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20090613/45d40db5/attachment.htm>
More information about the Fedora-directory-users
mailing list