Re: Sharing users among few hosts

2014-03-18 Thread צביקה הרמתי
Hi Again.
Finally, I had to set up a DNS server (and it wasn't that complicated, after
all...)
After that, installing IdM was really easy, both on the server and on the
clients.

However, now I have another question - how can I authenticate other
services against IdM?
I'm concerned with Samba (for file sharing) and Redmine (
http://www.redmine.org/projects/redmine/wiki/RedmineLDAP).

Is it possible? How?..

Thanks,
Zvika




Re: Sharing users among few hosts

2014-02-24 Thread צביקה הרמתי
Hi.
After reading about (and a little bit of experimenting with) NIS, LDAP and
Kerberos, I concluded that:
- Using NIS is really easy - however, it's too insecure
- Using LDAP is too complicated for my 3-4 server network

Many criticize NIS as being insecure; I haven't seen such criticism about
LDAP.
However, as Nico Kadel-Garcia‏ pointed out, Kerberos (is the) underlying
authentication technology for most LDAP setups.

So, if it's a common practice to set up LDAP and then fortify it with
Kerberos, wouldn't it be easier to set up NIS and fortify it with Kerberos?

Is this combination possible/feasible?
Can anyone point to some reference on how to achieve that combination?

Am I missing some drawbacks (except for using an aging technology that
doesn't co-operate with Windows)?

Thanks,
Zvika


2014-02-19 13:21 GMT+02:00 צביקה הרמתי haramaty.zv...@gmail.com:

 Hi.
 Thank you all for the good advices.
 Now I just have to decide how to proceed...



 2014-02-18 1:59 GMT+02:00 Paul Robert Marino prmari...@gmail.com:

 TLS/SSL won't work correctly if you use the /etc/hosts file. That is the
 real constraint with LDAP and DNS.
 But it's not that severe; all you need to be able to do is forward and
 reverse lookup the host name and match it to the IP address.
 You do not really need the SRV records. As long as the name in the cert
 matches the DNS A record for the hostname(s) and the reverse lookup of the
 resulting IP also matches the hostname(s) in the cert you are good.

 One other option is you don't really need the passwords in the LDAP
 database; you can put them in Kerberos, then you don't have to worry about
 clear text passwords at all and there are no DNS requirements.

 It takes about 15 minutes to set up a Kerberos server and only about an
 hour to set up 389 server (a.k.a. Red Hat Directory Server a.k.a. Netscape
 Directory Server) from scratch to use Kerberos Auth.
 Then on your client configs you specify the IP addresses instead of the
 host names.


Re: Sharing users among few hosts

2014-02-24 Thread Tam Nguyen
Is setting up DNS your biggest hassle?  There are plenty of tutorials
online.  Keep digging.

RedHat Identity Management uses LDAP, Kerberos, and all the other goodies;
why not stick with that?
It comes with a GUI that allows you to administer accounts, policies,
identities, and host/client/server authentication.  Setting up master
and client nodes is fairly straightforward.  Biggest plus is creating a
master replica, which is very easy.

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/#Kerberos_KDC


Re: Sharing users among few hosts

2014-02-24 Thread David Sommerseth
----- Mail message -----
 From: צביקה הרמתי haramaty.zv...@gmail.com
 To: Paul Robert Marino prmari...@gmail.com
 Cc: Tam Nguyen tam8gu...@gmail.com, scientific linux users
 scientific-linux-users@fnal.gov
 Sent: 24 February 2014 17:33:43
 Subject: Re: Sharing users among few hosts
 
 Hi.
 After reading about (and a little bit experimenting with) NIS, LDAP and
 Kerberos, I concluded that:
 - Using NIS is really easy - however, it's too insecure
 - Using LDAP is too complicated for my 3-4 servers network
 
 Many criticize NIS as being insecure; I haven't seen such criticism about
 LDAP.
 However, as Nico Kadel-Garcia‏ pointed out, Kerberos (is the) Underlying
 authentication technology for most LDAP setups.

LDAP can be used for authorization and authentication, or you can couple it
with Kerberos so only authorization is done with LDAP.  IMHO, either of these
approaches is safer than NIS.  If letting LDAP do the authentication, it
should definitely happen over SSL, otherwise the password passes over the
network.

However, with both LDAP and Kerberos, it's not possible to read out the
passwords (even hashed ones) if the authentication server is well protected
and privileges/ACLs are set correctly.  Hence the lack of criticism of LDAP
security.  But with LDAP the password is transferred over the network.  With
Kerberos, the password never leaves the client, which makes it even safer.

It's been many years (late 90s) since I last looked at NIS, but I believe
password hashes are transferred unencrypted over the network when data is
needed.

 So, if it's a common practice to setup LDAP and then fortify it with
 Kerberos; wouldn't it be easier to setup NIS and fortify it with Kerberos?

 Is this combination possible/feasible?
 Anyone can point to some reference about how to achieve that combination?

If choosing the NIS path, Kerberos is a must.  But I doubt you'll find much
information about this combination, as NIS really is considered legacy.
You get far better control using LDAP.  I see your point with only a handful
of servers.  But that's now; what about the future?

In addition, if you couple LDAP+Kerberos (or use idm, mentioned by others)
you can get a really easy client setup using sssd, which caches the needed
information in case of network failures.  Adding additional workstations
to an LDAP or LDAP+Kerberos setup is easy.  Without that cache, it will
be impossible to log into boxes not having local accounts (even from the
console) *if* you have network issues.  So in that regard, it's more
fragile without this cache.

And another point ... if you want Kerberos (due to NIS), you anyway need a
proper DNS setup and NTP.  All this, including LDAP, can be tackled via idm.
In addition, with a proper DNS setup the clients don't necessarily need
very complicated configs.  They can actually pull much of the information
dynamically on the fly via DNS lookups (like _ldap._tcp.example.com,
_kerberos.example.com, _kerberos._udp.example.com, etc.).  Which means
your client configs can be really minimal and standardised for a very long
time, just enabling LDAP or LDAP+Kerberos features, and you have the rest
of the configuration centralised instantly.

But if you really want the simplest approach, I'd go for LDAP only,
maybe in conjunction with DNS SRV pointers.  The server setup requires some
work (but can run fine on a secured internal server together with other
services).  But once the LDAP server is in place, the client side
requires very little effort.

The hardest nut to crack, no matter which setup, is getting Kerberos right
and ensuring the needed extra services are running and correctly
configured too.  (That said, Kerberos gives other neat features too,
such as SSO, especially if enabled on workstations/laptops.)


--
kind regards,

David Sommerseth

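The SRV-based discovery David describes (_ldap._tcp and _kerberos._udp lookups replacing static server lists) works the way shown below. This is an added illustration, not code from the thread or from IdM/sssd; the example.com zone data is constructed, and a dictionary stands in for the DNS query so it runs offline. The ordering follows RFC 2782 (lowest priority first, weighted random choice among equal priorities), which is what lets a client keep a minimal config while the zone decides which replica it talks to.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Constructed sample zone data (hypothetical example.com, not a real zone):
# the records an IdM / LDAP+Kerberos domain publishes so that clients can
# discover their servers instead of carrying them in static configs.
SAMPLE_ZONE = {
    "_ldap._tcp.example.com": [
        SrvRecord(0, 100, 389, "idm1.example.com"),
        SrvRecord(0, 50, 389, "idm2.example.com"),
        SrvRecord(10, 0, 389, "idm-dr.example.com"),  # only used if prio 0 fails
    ],
    "_kerberos._udp.example.com": [
        SrvRecord(0, 100, 88, "idm1.example.com"),
        SrvRecord(0, 100, 88, "idm2.example.com"),
    ],
}


def lookup_srv(service, proto, domain, zone=SAMPLE_ZONE):
    """Return the SRV records for _service._proto.domain (stand-in for a DNS query)."""
    return list(zone.get(f"_{service}._{proto}.{domain}", []))


def order_srv(records, rng=random):
    """RFC 2782 order: lower priority first, weighted random choice within a priority."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total) if total else 0
            running = 0
            for rec in pool:  # first record whose running weight reaches the pick wins
                running += rec.weight
                if running >= pick:
                    ordered.append(rec)
                    pool.remove(rec)
                    break
    return ordered


def discover(domain, rng=random, zone=SAMPLE_ZONE):
    """Build the client's server lists from DNS alone, in the order to try them."""
    ldap = order_srv(lookup_srv("ldap", "tcp", domain, zone), rng)
    kdcs = order_srv(lookup_srv("kerberos", "udp", domain, zone), rng)
    return {"ldap_uri": [f"ldap://{r.target}:{r.port}" for r in ldap],
            "kdc": [f"{r.target}:{r.port}" for r in kdcs]}
```

Feeding a different zone map (or a real resolver) into `discover` shows how adding or retiring a replica changes every client's behaviour without touching their configs.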

Re: Sharing users among few hosts

2014-02-24 Thread Nico Kadel-Garcia
On Mon, Feb 24, 2014 at 11:33 AM, צביקה הרמתי haramaty.zv...@gmail.com wrote:
 Hi.
 After reading about (and a little bit experimenting with) NIS, LDAP and
 Kerberos, I concluded that:
 - Using NIS is really easy - however, it's too insecure
 - Using LDAP is too complicated for my 3-4 servers network

 Many criticize NIS as being insecure; I haven't seen such criticism about
 LDAP.
 However, as Nico Kadel-Garcia‏ pointed out, Kerberos (is the) Underlying
 authentication technology for most LDAP setups.

 So, if it's a common practice to setup LDAP and then fortify it with
 Kerberos; wouldn't it be easier to setup NIS and fortify it with Kerberos?

Not exactly. It's a common practice to use a combined LDAP/Kerberos
suite, such as Samba or Active Directory. Same server, usable GUIs
to manage the accounts, and plenty of guidelines published on managing
them as a unit.

It's possible to separate Kerberos *authentication* from other forms
of account management. One of my favorites is to combine them: use a
system management tool like CFEngine to publish local user accounts,
and to set encrypted local passwords. Rely on Kerberos from corporate
Active Directory for most authentication, but the local passwords for
core sysadmins can save your business when the AD or LDAP server goes
toes up and no one can log in.

 Is this combination possible/feasible?
 Anyone can point to some reference about how to achieve that combination?

 Am I missing some drawbacks (except of using an aging technology, that
 doesn't co-operate with Windows)?

 Thanks,
 Zvika

If you want to integrate well with Windows, I highly encourage you to
learn and use Samba.


Sharing users among few hosts

2014-02-17 Thread צביקה הרמתי
Hi.

I want to have several hosts sharing the same user accounts database,
i.e., user John will be able to seamlessly log in to host1 or to host2,
without having to manually configure John's credentials on each machine.
Nothing more than that...

LDAP seems like the solution; however, I tried to find an easy tutorial and
understood that maybe it's a little bit overkill for my humble requirements.

I've read about RH Identity Management (
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html
)
It seemed interesting, but its DNS requirements are a little bit too
complicated for my scenario (having a properly configured DNS record for the
IDM server's public IP).

Am I missing something?
There must be a simpler way...

Thanks,
Zvika


Re: Sharing users among few hosts

2014-02-17 Thread Tam Nguyen
If you wanted to avoid DNS, then you can *temporarily* achieve that on RH
Identity Management by updating the /etc/hosts files on the server and
client nodes.

-Tam

Re: Sharing users among few hosts

2014-02-17 Thread Tam Nguyen
Btw, if security isn't your main concern, then have a look at NIS.

-Tam

Re: Sharing users among few hosts

2014-02-17 Thread Paul Robert Marino
TLS/SSL won't work correctly if you use the /etc/hosts file. That is the real
constraint with LDAP and DNS. But it's not that severe; all you need to be
able to do is forward and reverse lookup the host name and match it to the IP
address. You do not really need the SRV records. As long as the name in the
cert matches the DNS A record for the hostname(s) and the reverse lookup of
the resulting IP also matches the hostname(s) in the cert you are good.

One other option is you don't really need the passwords in the LDAP database;
you can put them in Kerberos, then you don't have to worry about clear text
passwords at all and there are no DNS requirements.

It takes about 15 minutes to set up a Kerberos server and only about an hour
to set up 389 server (a.k.a. Red Hat Directory Server a.k.a. Netscape
Directory Server) from scratch to use Kerberos Auth. Then on your client
configs you specify the IP addresses instead of the host names.

-- Sent from my HP Pre3

On Feb 17, 2014 9:09, Tam Nguyen tam8gu...@gmail.com wrote:

 If you wanted to avoid DNS, then you can *temporarily* achieve that on RH
 Identity Management by updating the /etc/hosts files on the server and
 client nodes.

 -Tam