[389-users] 389-DS to work for only 636 port?

2010-02-02 Thread Ajeet S Raina
I installed the fresh 389-DS on my machine. I too ran setupssl2.sh and configured https:// for Management Console. But if I try running: # netstat -pant | grep 389 tcp 0 0 :::389 :::* LISTEN 10756/ns-slapd tcp 0 0 :::10.14.47.24:389 ::

Re: [389-users] Migrating to LDAP authentication

2010-02-02 Thread Edward Capriolo
On Tue, Feb 2, 2010 at 8:57 PM, Steve Bernacki wrote: > On 2/2/2010 1:18 PM, Morris, Patrick wrote: >> [snip] >> We've found it a lot easier to manage than having to add an entry per >> host to user records, but then our servers tend to fall into >> easily-defined groups, which may not be the case

Re: [389-users] Migrating to LDAP authentication

2010-02-02 Thread Steve Bernacki
On 2/2/2010 1:18 PM, Morris, Patrick wrote: > [snip] > We've found it a lot easier to manage than having to add an entry per > host to user records, but then our servers tend to fall into > easily-defined groups, which may not be the case for everyone, and the > way we do it also relies on the only

Re: [389-users] Migrating to LDAP authentication

2010-02-02 Thread Morris, Patrick
Sean Carolan wrote: >> It's not clear to me what OS/distribution you're doing this on, but for >> the most part we have cfengine run authconfig on our Red Hat boxes to >> set up the basic LDAP auth (it's a one-liner if done that way), and then >> push around the sshd_config file. >> > > We hav

Re: [389-users] Migrating to LDAP authentication

2010-02-02 Thread Sean Carolan
> It's not clear to me what OS/distribution you're doing this on, but for > the most part we have cfengine run authconfig on our Red Hat boxes to > set up the basic LDAP auth (it's a one-liner if done that way), and then > push around the sshd_config file. We have a combination of centos and Red H

Re: [389-users] Migrating to LDAP authentication

2010-02-02 Thread Morris, Patrick
Sean Carolan wrote: >> This allows you to control who has access to the systems directly from >> ldap. Add the entitlement and they have access. Remove the entitlement >> and their access is revoked. >> >> My $0.02 CDN >> > > Terry, this is perfect, just what I was looking for. I like being

Re: [389-users] Migrating to LDAP authentication

2010-02-02 Thread Sean Carolan
> Perhaps some of you have gone down this path before and can offer some > helpful suggestions. I need to convert a group of servers to LDAP > authentication. Most of the user accounts on these systems have > consistent uids and gids across all the servers. One last question for the peanut galle

Re: [389-users] Migrating to LDAP authentication

2010-02-02 Thread Morris, Patrick
Sean Carolan wrote: >> Thanks for the info, the sshd_config file may be the way to go. We >> already use cfengine so it would be fairly easy to implement and push >> out to all our servers. >> > > Speaking of cfengine, I would like to use this to push out the > /etc/pam.d/system-auth and othe

Re: [389-users] Migrating to LDAP authentication

2010-02-02 Thread Sean Carolan
> This allows you to control who has access to the systems directly from > ldap.  Add the entitlement and they have access.  Remove the entitlement > and their access is revoked. > > My $0.02 CDN Terry, this is perfect, just what I was looking for. I like being able to control access from the LDAP

Re: [389-users] Migrating to LDAP authentication

2010-02-02 Thread Terry Soucy
We added an entitlement for all those users that need access to certain systems, but should not be able to access other systems ... We use the eduPerson schema, but I'll just give the basics ... On the users ldap record, add the entitlement hostEntitlement: hostname.company.com This is a multi-

Re: [389-users] Migrating to LDAP authentication

2010-02-02 Thread Sean Carolan
> Thanks for the info, the sshd_config file may be the way to go.  We > already use cfengine so it would be fairly easy to implement and push > out to all our servers. Speaking of cfengine, I would like to use this to push out the /etc/pam.d/system-auth and other files required for ldap authentica

Re: [389-users] Migrating to LDAP authentication

2010-02-02 Thread Morris, Patrick
Sean Carolan wrote: >> You can either continue as usual with an authorized_keys file in their >> home directories, or look at the LPK patch available for OpenSSH that >> allows storing public keys in LDAP. >> >> Having the users in LDAP has absolutely no effect on how key-based >> logins work with

Re: [389-users] Migrating to LDAP authentication

2010-02-02 Thread Sean Carolan
> You can either continue as usual with an authorized_keys file in their > home directories, or look at the LPK patch available for OpenSSH that > allows storing public keys in LDAP. > > Having the users in LDAP has absolutely no effect on how key-based > logins work with SSH, but it does open up s

Re: [389-users] Migrating to LDAP authentication

2010-02-02 Thread Morris, Patrick
Sean Carolan wrote: >> #2 >> a. There is also a setting in /etc/ldap.conf called pam_groupdn. This >> lets you define an LDAP object with multiple member attributes to >> control who can login. I find it easy to use >> b. SSH can be told to only accept logins from a posix group (same deal >> just han

Re: [389-users] Migrating to LDAP authentication

2010-02-02 Thread Sean Carolan
> #2 > a. There is also a setting in /etc/ldap.conf called pam_groupdn. This > lets you define an LDAP object with multiple member attributes to > control who can login. I find it easy to use > b. SSH can be told to only accept logins from a posix group (same deal > just handled at a different part o

Re: [389-users] Migrating to LDAP authentication

2010-02-02 Thread muzzol
2010/2/2 Sean Carolan : > Perhaps some of you have gone down this path before and can offer some > helpful suggestions.  I need to convert a group of servers to LDAP > authentication.  Most of the user accounts on these systems have > consistent uids and gids across all the servers.  There are a fe

[389-users] Migrating to LDAP authentication

2010-02-02 Thread Sean Carolan
Perhaps some of you have gone down this path before and can offer some helpful suggestions. I need to convert a group of servers to LDAP authentication. Most of the user accounts on these systems have consistent uids and gids across all the servers. There are a few exceptions but the people who