[BBLISA] Chucking samba

Toby Burress kurin at delete.org
Sun Apr 25 23:28:51 EDT 2010


On Sun, Apr 25, 2010 at 11:15:24PM -0400, Ian Stokes-Rees wrote:
> OpenLDAP + 389 DS + WebMin + UserMin seem like they could do this, and

Yes, this is actually what we have now, and it works very well for what
we need.  What we don't use it for is workstation auth; if that were my
problem I would say AD and just wait for my boss to hand me a credit card.
But for network services, apache, etc, it's fantastic.

> that is the path I've started down.  Most CMS systems (and Django, the
> main one we're using) will play nicely with LDAP, as will Apache httpd. 
> ssh login will also be manageable via this system (of course).  I'd like
> to be able to script ~/.ssh/authorized_keys file updates via web-based
> user-driven public-key additions (many accounts are shared for various
> good reasons), and similarly for X.509-based public key systems.

http://code.google.com/p/openssh-lpk/ - it works very well on FreeBSD.  I think
for Debian/Ubuntu you have to build your own sshd.  No idea about Red Hat.

pam_ldap lets you choose who can log into which servers with the group_dn
directive, and sudo has LDAP integration too, so this way you can entirely
control who can log into what server with LDAP.

Alternatively, you could use Kerberos, as ssh supports GSSAPI.  I haven't
actually tried this though.
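
Added illustration, not part of the original post and not code from openssh-lpk or pam_ldap: a small POSIX sh script showing the two lookups the reply describes, the per-user sshPublicKey fetch that openssh-lpk performs and the "is this user a member of the host's group DN" check that pam_ldap's group_dn directive performs. The LDIF entries, the DN layout (ou=people / ou=groups under dc=example,dc=org), the group name and the key strings are all constructed so the script runs offline; in a real deployment the inline LDIF would be replaced by ldapsearch against the directory. The host_keys wrapper is the shape of an AuthorizedKeysCommand hook (present in OpenSSH from 6.2 on), which gives the same effect as the lpk patch without rebuilding sshd; the post itself does not mention that option.

```shell
#!/bin/sh
# Constructed directory snapshot in LDIF form (assumption: attribute names
# follow the openssh-lpk schema, groups are groupOfNames with member DNs).
LDIF=$(cat <<'EOF'
dn: uid=alice,ou=people,dc=example,dc=org
uid: alice
objectClass: ldapPublicKey
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYalice alice@ws
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYalice2 alice@laptop

dn: uid=bob,ou=people,dc=example,dc=org
uid: bob
objectClass: ldapPublicKey
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYbob bob@ws

dn: cn=web-admins,ou=groups,dc=example,dc=org
cn: web-admins
objectClass: groupOfNames
member: uid=alice,ou=people,dc=example,dc=org
EOF
)

# lpk_keys USER: print every sshPublicKey value of the entry whose uid is
# USER, one per line, exactly the lines sshd would treat as authorized_keys.
# (Stand-in for: ldapsearch -LLL "(uid=USER)" sshPublicKey)
lpk_keys() {
  printf '%s\n' "$LDIF" | awk -v want="$1" '
    BEGIN { RS = ""; FS = "\n" }      # one LDIF record per awk record
    {
      ok = 0
      for (i = 1; i <= NF; i++) if ($i == ("uid: " want)) ok = 1
      if (ok)
        for (i = 1; i <= NF; i++)
          if (sub(/^sshPublicKey: /, "", $i)) print $i
    }'
}

# pam_group_allows USER GROUP_DN: succeed (exit 0) only if USER's DN is
# listed as a member of GROUP_DN, which is the test pam_ldap applies when
# a host's pam_ldap config names that group in its group_dn directive.
pam_group_allows() {
  user_dn="uid=$1,ou=people,dc=example,dc=org"   # assumed DN layout
  printf '%s\n' "$LDIF" | awk -v gdn="$2" -v udn="$user_dn" '
    BEGIN { RS = ""; FS = "\n"; found = 0 }
    $1 == ("dn: " gdn) {
      for (i = 2; i <= NF; i++) if ($i == ("member: " udn)) found = 1
    }
    END { exit(found ? 0 : 1) }'
}

# host_keys USER GROUP_DN: what a per-host key lookup should do when the
# host is restricted to one group: emit nothing and fail for outsiders,
# otherwise emit the user's keys. Combining the two checks here means a key
# in the directory alone is never enough to reach a host.
host_keys() {
  pam_group_allows "$1" "$2" || return 1
  lpk_keys "$1"
}

# Usage: host_keys alice cn=web-admins,ou=groups,dc=example,dc=org
```

Note the ordering in host_keys: the group test runs first, so a user who uploads a key through the web front end but has not been added to the host's group still gets no access, which is the property the reply is after.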


