Here at Opinsys we’ve been busy trying to figure out how to make user management work easily without having to use ugly tricks to glue different applications together. Changing password sounds really simple to many, but it often gets quite complicated as there are many passwords that need to be changed. It is possible to [...]
There are a lot of tools for managing users in linux system. A lot of them. And judging by the number of Launchpad blueprints around the topic, there is also a lot of interest to improve Ubuntu’s user management infrastructure. Here at Opinsys we’ve been working with LDAP/kerberos for some years and although the situation [...]
Now that MIT Kerberos is running using OpenLDAP as storage backend, the next logical step is to make OpenLDAP use MIT Kerberos as its password backend.Now that MIT Kerberos is running using OpenLDAP as storage backend, the next logical step is to make OpenLDAP use MIT Kerberos as its password backend.Now that MIT Kerberos is running using OpenLDAP as storage backend, the next logical step is to make OpenLDAP use MIT Kerberos as its password backend.
Kerberos requires every client to know where the server is located. This can be done either by using /etc/krb5.conf file or using DNS to distribute the information. Using DNS makes it easier to do changes in the network settings as not every client needs to be updated. Next we aim to minimize the amount of configuration needed for every client so configuring DNS properly is a logical first step.Kerberos requires every client to know where the server is located. This can be done either by using /etc/krb5.conf file or using DNS to distribute the information. Using DNS makes it easier to do changes in the network settings as not every client needs to be updated. Next we aim to minimize the amount of configuration needed for every client so configuring DNS properly is a logical first step.Kerberos requires every client to know where the server is located. This can be done either by using /etc/krb5.conf file or using DNS to distribute the information. Using DNS makes it easier to do changes in the network settings as not every client needs to be updated. Next we aim to minimize the amount of configuration needed for every client so configuring DNS properly is a logical first step.
In this part I’m setting up ldap schemas for samba, autofs and kerberos. This is needed before the actual configuration for these can be done. Unfortunately I could not find ldif files for OpenLDAP for these, so the schema files need to be converted to ldif files. The tutorial at help.ubuntu.com instructs to use the slaptest tool for this.In this part I’m setting up ldap schemas for samba, autofs and kerberos. This is needed before the actual configuration for these can be done. Unfortunately I could not find ldif files for OpenLDAP for these, so the schema files need to be converted to ldif files. The tutorial at help.ubuntu.com instructs to use the slaptest tool for this.In this part I’m setting up ldap schemas for samba, autofs and kerberos. This is needed before the actual configuration for these can be done. Unfortunately I could not find ldif files for OpenLDAP for these, so the schema files need to be converted to ldif files. The tutorial at help.ubuntu.com instructs to use the slaptest tool for this.
After getting OpenLDAP running, the next step is to get TLS authentication working. There are various tutorials around the net telling how to make self-signed certificates using openssl. Googling reveals quite a few problems with using self-signed certificates created with openssl with debian’s and ubuntu’s slapd that uses gnutls. For this example I’ll use the certtool that comes with the gnutls-bin.After getting OpenLDAP running, the next step is to get TLS authentication working. There are various tutorials around the net telling how to make self-signed certificates using openssl. Googling reveals quite a few problems with using self-signed certificates created with openssl with debian’s and ubuntu’s slapd that uses gnutls. For this example I’ll use the certtool that comes with the gnutls-bin.After getting OpenLDAP running, the next step is to get TLS authentication working. There are various tutorials around the net telling how to make self-signed certificates using openssl. Googling reveals quite a few problems with using self-signed certificates created with openssl with debian’s and ubuntu’s slapd that uses gnutls. For this example I’ll use the certtool that comes with the gnutls-bin.
The goal of this setup is to have OpenLDAP running so that users can authenticate to it using pam_ldap and nss-ldap can get user and group information.
