[BBLISA] Chucking samba
John P. Rouillard
rouilj at cs.umb.edu
Mon Apr 26 10:56:18 EDT 2010
In message <4BD5054C.4080809 at crystal.harvard.edu>,
Ian Stokes-Rees writes:
>While people are chiming in about their authentication systems, I
>thought I'd ask about authentication systems that don't require MS
>support -- our servers are 100% Linux, and clients access only via web,
>sshfs, or ssh (possibly from any platform, in practice mostly OS X or
>Windows).
>
>OpenLDAP + 389 DS + WebMin + UserMin seem like they could do this,
We use openldap for authentication with a single consistent user
account for ssh, samba and SSO for our web apps. Authorization is a bit
tricky we don't have a good mechanism for allowing say rt access while
denying twiki access. We use a single proxy host that fronts all of
apps which makes it easier for the users to access services, but more
difficult to authorize particular apps. The way we have been doing it
is changing authentication at the web application level, or using
pam_access and control files at the sshd/cron... level.
Ideally each application would be a group in ldap and the ldap
authentication stanza would include something like:
ldaps://auth.example.com auth2/example.com/ou=people,dc=staff,dc=example,dc=com?uid?sub?(shadowExpire=-1 ...)
where the ... filters the results requiring membership in a particular
group. That way we could authorize an application via ldap by adding
the user to the twikiapp or rtapp group. Again because of the SSO
proxy I am not sure how that would get set up exactly. Finer
authorization than appication access would still need to be done at
the application level.
--
-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
More information about the bblisa
mailing list