
LDAP for Services


My goal has been a consistent, replicated single sign-on for my system, and more importantly, a means of orchestrating that. Originally I made a very painful web script to add users or allow users to change all their passwords at once, but, in spite of its elegance, it was in fact a kludge.

After much ado, I finally got LDAP using GSSAPI/SASL to look up authentication information from my Heimdal Kerberos database. To test, I got ProFTPd working off LDAP (although hopefully mod_gssapi will be added to Debian some day). Regardless, it works, and soon I will begin adding Samba, PAM, email, and a variety of web service stuff revolving around the merry union of Kerberos & LDAP.

My question is as follows: how can I orchestrate my LDAP database to give users access to a limited domain of services? If I want someone to be able to use NFS and ProFTPd, but not let them log in, samba-in, or email, is there anything I can do within the LDAP framework to make this possible?

Are such centralized systems ever used? What is the security standpoint? I'm not sure whether I'm placing all my eggs in one basket (crack one, crack all) or replacing many potential faults in my armor (many passwords for each service) with one piece of armor (LDAP+Kerberos).

