Re: good LDAP resources

2017-03-03 Thread briand

I have < 10 machines, and it should be < 10 machines for the foreseeable future,
so I think LDAP is probably too brute a force.

I'll look into NIS and some of the other tools people have mentioned.

Thanks very much for the help everyone !
Brian



Re: good LDAP resources

2017-02-27 Thread deloptes
Dan Ritter wrote:

> On Sat, Feb 25, 2017 at 02:16:27PM -0800, bri...@aracnet.com wrote:
>> I need to set-up some sort of password server for a small network so that
>> i don't have to set-up accounts on every machine.
>> 
>> It looks like LDAP is the best way to do that.
>> 
>> Is it ?
>> 
>> I've been looking at the LDAP how-to's and even tried to turn things on
>> using one of them, but I can't quite get things working.
>> 
>> Can someone point me to a good resource as to how to make it work ?
> 
> Depends on how small. I would say there is no particular payoff
> for LDAP until you get to somewhere between 10 and 100 machines,
> depending on what your userbase looks like.
> 
> For example: if you use puppet, chef, ansible or any of the
> other configuration management tools, it's easy to distribute
> users with that, and you get to distribute /etc/sudoers and
> other things as well.
> 
> If you need instant password changes across a fleet of machines,
> though, or you have a lot of people who all want to change their
> passwords regularly, LDAP is the way to go. Remember that nearly
> everything will be dependent on LDAP, so you need to have a
> minimum of three physical machines to serve it from.
> 
> http://techpubs.spinlocksolutions.com/dklar/ldap.html might
> help you out.
> 
> -dsr-

This is also a good article
http://www.spencerstirling.com/computergeek/mysqluser.html



Re: good LDAP resources

2017-02-27 Thread Dan Ritter
On Sat, Feb 25, 2017 at 02:16:27PM -0800, bri...@aracnet.com wrote:
> I need to set-up some sort of password server for a small network so that i 
> don't have to set-up accounts on every machine.
> 
> It looks like LDAP is the best way to do that.
> 
> Is it ?
> 
> I've been looking at the LDAP how-to's and even tried to turn things on using 
> one of them, but I can't quite get things working.
> 
> Can someone point me to a good resource as to how to make it work ?

Depends on how small. I would say there is no particular payoff
for LDAP until you get to somewhere between 10 and 100 machines,
depending on what your userbase looks like.

For example: if you use puppet, chef, ansible or any of the
other configuration management tools, it's easy to distribute
users with that, and you get to distribute /etc/sudoers and
other things as well.

If you need instant password changes across a fleet of machines,
though, or you have a lot of people who all want to change their
passwords regularly, LDAP is the way to go. Remember that nearly
everything will be dependent on LDAP, so you need to have a
minimum of three physical machines to serve it from.

http://techpubs.spinlocksolutions.com/dklar/ldap.html might
help you out.

-dsr-



Re: good LDAP resources

2017-02-27 Thread Greg Wooledge
On Sat, Feb 25, 2017 at 02:16:27PM -0800, bri...@aracnet.com wrote:
> I need to set-up some sort of password server for a small network so that i 
> don't have to set-up accounts on every machine.
> 
> It looks like LDAP is the best way to do that.
> 
> Is it ?

For a small network where security isn't an enormous concern, NIS is a
whole lot easier.



Re: good LDAP resources

2017-02-25 Thread Joshua Schaeffer

LDAP can be very difficult to learn if you are just starting out with it, but
also very powerful. There may be other faster solutions than a manual setup,
but I found that I learned the most by doing all of it manually. On Red Hat
based systems, I believe their IPA solution is quite good. It uses LDAP and
Kerberos and does most of the leg work for you. I have no idea if any of that
is compatible with Debian based systems (I don't think it is).

Anyway here are a lot of the resources I used when learning, configuring, and 
setting up my authentication system:

 * http://debian-handbook.info/browse/wheezy/sect.ldap-directory.html
 * http://ubuntuforums.org/showthread.php?t=1421998
 * http://www.openldap.org/lists/openldap-technical/201401/msg00140.html
 * https://help.ubuntu.com/community/GnuTLS
 * https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/115967
 * help.ubuntu.com/community/OpenLDAPServer
 * http://www.openldap.org/doc/admin24/guide.html
 * https://help.ubuntu.com/community/Kerberos
 * http://www.openldap.org/lists/openldap-technical/201201/msg00140.html
 * slapd-config(5)
 * http://www.zytrax.com/books/ldap/
 * http://www.zytrax.com/books/ldap/ch7/#overview
 * http://www.zytrax.com/books/ldap/ape/config.html#olcsyncprovconfig
 * http://www.cyberciti.biz/faq/how-do-i-rotate-log-files/
 * https://www.ietf.org/rfc/rfc2307.txt
 * https://tools.ietf.org/id/draft-howard-rfc2307bis-02.txt

There's plenty more out there as well. If you want I can send you my own setup
guide, which I built over the years from all these resources (and probably many
more I never recorded), just keep in mind that doc is specific to myself and my
business and it involves setting up OpenLDAP not just for authentication but
for almost anything. I also don't use OpenLDAP for authentication, only
authorization. I use MIT Kerberos for auth (which uses OpenLDAP as its backend).

To be more specific to your question of "good resources" I would say as a 
subset of all the links above the below are the best ones to start with:

 * http://debian-handbook.info/browse/wheezy/sect.ldap-directory.html
 * help.ubuntu.com/community/OpenLDAPServer
 * http://www.zytrax.com/books/ldap/

As one last suggestion/comment/remark, I would suggest setting up OpenLDAP as 
your implementation of LDAP and would use PPolicy to authn/authz over TLS. If 
you don't want to send passwords over the wire then use Kerberos for the 
authentication component.

Thanks,
Joshua Schaeffer

On 02/25/2017 03:16 PM, bri...@aracnet.com wrote:

I need to set-up some sort of password server for a small network so that i 
don't have to set-up accounts on every machine.

It looks like LDAP is the best way to do that.

Is it ?

I've been looking at the LDAP how-to's and even tried to turn things on using 
one of them, but I can't quite get things working.

Can someone point me to a good resource as to how to make it work ?

Thanks!
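As an added example (not from any poster in this thread), this is what Joshua's closing suggestion of "OpenLDAP with PPolicy over TLS" looks like as cn=config changes: enable TLS, load the ppolicy overlay with a default policy, and refuse plaintext binds. Assumptions: Debian slapd in cn=config mode with the data database at olcDatabase={1}mdb and suffix dc=example,dc=com, a certificate and key under /etc/ldap/ssl readable by the openldap user, the ppolicy schema already loaded (on OpenLDAP 2.4: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif), and the Debian default ACL that lets local root manage cn=config over ldapi://.

```ldif
# Added example, not from the thread. Apply as root with:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f harden.ldif
# Paths, suffix and hostname below are constructed assumptions.

# 1. Server certificate chain for ldaps:// and STARTTLS. Keep CA,
#    cert and key in ONE modify operation: slapd validates the pair.
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/ssl/ca.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/ssl/ldap.example.com.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/ssl/ldap.example.com.key
-
# Rate the local ldapi:// socket as strong, so root administration
# over the unix socket still passes the ssf=128 floor set in step 3.
replace: olcLocalSSF
olcLocalSSF: 128

# 2. Load the ppolicy overlay and attach it to the data database.
#    olcPPolicyHashCleartext stores a hash even if a client sends a
#    cleartext userPassword; olcPPolicyUseLockout reports lockouts
#    to the client instead of a generic bind failure.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy

dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: TRUE

# 3. Require a 128-bit security strength factor for every operation
#    and for simple binds, so a password can never travel over plain
#    ldap:// without STARTTLS. Keep this last in the file so all of
#    the changes above are already applied when it takes effect.
dn: cn=config
changetype: modify
replace: olcSecurity
olcSecurity: ssf=128 simple_bind=128
```

The cn=default entry named by olcPPolicyDefault is an ordinary pwdPolicy object (pwdAttribute, pwdMinLength, pwdMaxFailure, pwdLockout and friends) that is created in the data database with the directory admin bind, and until it exists no default policy is enforced. Clients should match the server side by setting TLS_REQCERT demand and TLS_CACERT in /etc/ldap/ldap.conf so they refuse to talk to an impostor server.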