We use Kerberos, with LDAP (389DS) as our storage backend, which makes
standing up Kerberos servers really easy, and keeps replication in perfect
sync unlike normal Kerberos "replication". Together with SSSD and sudo-ldap
this all makes a pretty powerful combination.
On RHEL/CentOS platforms, install krb5-server-ldap and configure
/etc/krb5.conf accordingly:
[dbmodules]
REALM = {
db_library = kldap
ldap_kerberos_container_dn="dc=some,dc=container"
ldap_kdc_dn = "uid=kdc,cn=config"
ldap_kadmind_dn = "uid=kadmin,cn=config"
ldap_service_password_file =
/var/kerberos/krb5kdc/realm/service.keyfile
ldap_servers = "ldaps://ldap1.realm ldaps://ldap0.realm
ldaps://ldap2.realm"
}
Of course there's more to it, but you'll have to google the details, I
can't remember the details off the top of my head. Create the appropriate
LDAP credentials of course, as well as creating the LDAP service.keyfile ...
On Thu, Jan 9, 2014 at 12:42 PM, Paul Robert Marino <prmarino1(a)gmail.com>wrote:
have you considered using Kerberos instead of ssh keys?
its fairly transparent and doesn't require any patches.
On Thu, Jan 9, 2014 at 1:10 PM, Vesa Alho <listat(a)alho.fi> wrote:
>>> I'm just wondering if anyone has experience storing public keys in 389
>>> directory server to allow a user to login using an ssh-key rather than
a
>>> password? I am running the server on Ubuntu 13.10 and the client is
>>> Ubuntu
>>> 12.04.
>
>
> Last time I checked it requires patched openssh-server for Ubuntu. Check
> this:
https://marc.waeckerlin.org/computer/blog/ssh_and_ldap
>
> -Vesa
>
>
> --
> 389 users mailing list
> 389-users(a)lists.fedoraproject.org
>
https://admin.fedoraproject.org/mailman/listinfo/389-users
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users