Is setting up DNS your biggest hustle? There are plenty of tutorial
online. Keep digging.
RedHat Identity Management is using LDAP, Kerberos, and all other goodies,
why not stick with that?
It came with GUI that allows you to administrate account, policies,
identities, and hosts/clients/servers authentication. Setting up master
and client nodes are fairly straight forward. Biggest plus is creating a
master replica, which is very easy.
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/#Kerberos_KDC
On Mon, Feb 24, 2014 at 11:33 AM, צביקה הרמתי haramaty.zv...@gmail.comwrote:
Hi.
After reading about (and a little bit experimenting with) NIS, LDAP and
Kerberos, I concluded that:
- Using NIS is really easy - however, it's too insecure
- Using LDAP is too complicated for my 3-4 servers network
Many criticize NIS as being insecure; I haven't seen such criticism about
LDAP.
However, as Nico Kadel-Garcia pointed out, Kerberos (is the) Underlying
authentication technology for most LDAP setups.
So, if it's a common practice to setup LDAP and then fortify it with
Kerberos; wouldn't it be easier to setup NIS and fortify it with Kerberos?
Is this combination possible/feasible?
Anyone can point to some reference about how to achieve that combination?
Am I missing some drawbacks (except of using an aging technology, that
doesn't co-operate with Windows)?
Thanks,
Zvika
2014-02-19 13:21 GMT+02:00 צביקה הרמתי haramaty.zv...@gmail.com:
Hi.
Thank you all for the good advices.
Now I just have to decide how to proceed...
2014-02-18 1:59 GMT+02:00 Paul Robert Marino prmari...@gmail.com:
TLS/SSL won't work correctly if you use the /etc/hosts file. That is the
real constraint with LDAP and DNS.
But its not that severe all you need to be able to do is forward and
reverse lookup the host name and match it to the IP address.
You do not really need the SRV records. As long as the name in the cert
matches the DNS A record for the hostname(s) and the reverse lookup of the
resulting IP also matches the hostname(s) in the cert you are good.
One other option is you don't really need the passwords in the LDAP
database you can put it in Kerberos then you don't have to worry about
clear text passwords at all and there are no DNS requirements.
It takes a out 15 minutes to set up a Kerberos server and only about an
hour to setup 389 server (a.k.a Red Hat Directory server a.k.a. Netscape
Directory Server) from scratch to use Kerberos Auth.
Then on your client configs you specify the IP addresses instead of the
host names.
-- Sent from my HP Pre3
--
On Feb 17, 2014 9:09, Tam Nguyen tam8gu...@gmail.com wrote:
If you wanted to avoid DNS, then you can *temporarily* achieve that on
RH Identity Management by updating the /etc/hosts files on the server and
client nodes.
-Tam
On Mon, Feb 17, 2014 at 6:57 AM, צביקה הרמתי
haramaty.zv...@gmail.comwrote:
Hi.
I want to have several hosts, sharing the same Users Accounts database.
i.e, user John will be able to seamlessly login to host1 or to host2,
without having to manually config John's credentials unto each machine.
Nothing more than that...
LDAP seems like the solution, however, I tried to find an easy tutorial
and understood that maybe it's a little bit overkill for my humble
requirements.
I've read about RH Identity Management (
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html
)
It seemed interesting; but its DNS requirements are a little bit too
complicated for scenerio (having the IDM server's public IP properly
configured DNS record).
Am I missing something?
There must be simpler way...
Thanks,
Zvika