LDAP for Services
Hello,
My goal has been a consistent replicated single sign on for my system,
and more importantly, a means of orchestrating that. Originally I made
a very painful web script to add users or allow users to change all
their passwords at once, but, in spite of its elegance, it was in fact a
kludge.
After much ado, I finally got LDAP using GSSAPI/SASL to look up
authentication information from my Heimdal Kerberos database. To test,
I got ProFTPd working off LDAP (although hopefully mod_gssapi will be
added to debian some day). Regardless, it works, and soon I will begin
adding Samba, PAM, email, and a variety of web service stuff revolving
around the merry union of kerberos & ldap.
My question is as follows: How can I orchestrate my ldap database to
give users access to a limited domain of services? If I want someone to
be able to use NFS and ProFTP, but not let them login, samba-in, or
email, is there anything I can do within the LDAP framework to make this
possible?
Are such centralized systems ever used? What is the security standpoint?
I'm not sure whether I'm placing all my eggs in one basket (crack one,
crack all) or replacing many potential faults in my armor (many passwd's
for each service) with one piece of armor (ldap+kerberos).
Thanks
Myren
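Added example, not part of the post above: one common way to scope LDAP-authenticated users to a subset of services is to keep one group per service in the directory and have each service (ProFTPD's LDAP module, pam_ldap, and so on) grant access only when the user's DN is a member of that service's group. The LDIF below is constructed and the DNs, group names and the `svc-` prefix are assumptions; the check is deny-by-default, so an unknown user or a service with no group gets nothing.

```python
# Constructed directory content (assumed DNs); in practice these entries
# live in the LDAP server and each service queries them at login time.
LDIF = """\
dn: uid=myren,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
uid: myren

dn: cn=svc-ftp,ou=groups,dc=example,dc=org
objectClass: groupOfNames
cn: svc-ftp
member: uid=myren,ou=people,dc=example,dc=org

dn: cn=svc-nfs,ou=groups,dc=example,dc=org
objectClass: groupOfNames
cn: svc-nfs
member: uid=myren,ou=people,dc=example,dc=org

dn: cn=svc-login,ou=groups,dc=example,dc=org
objectClass: groupOfNames
cn: svc-login
member: uid=alice,ou=people,dc=example,dc=org
"""

def parse_ldif(text):
    """Minimal LDIF parser for plain entries: returns {dn: {attr: [values]}}."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():          # blank line ends the current entry
            current = None
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def allowed(entries, user_dn, service):
    """Deny by default: True only if user_dn is a member of cn=svc-<service>."""
    group_dn = f"cn=svc-{service},ou=groups,dc=example,dc=org"  # assumed layout
    group = entries.get(group_dn)
    if group is None or user_dn not in entries:
        return False                  # no such service group, or no such user
    return user_dn in group.get("member", [])

def services_for(entries, user_dn):
    """List the services whose group lists user_dn (useful for auditing grants)."""
    return sorted(dn.split(",")[0][len("cn=svc-"):]
                  for dn, attrs in entries.items()
                  if dn.startswith("cn=svc-") and user_dn in attrs.get("member", []))
```

Because the service list is derived from group membership, removing a user from a group revokes that one service without touching their Kerberos credentials, and `services_for` gives a quick per-user audit of what the directory currently grants.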