wirelessd...@gmail.com - 12.11.18, 01:26:
> On Fri, 9 Nov 2018 at 17:20, Martin Steigerwald <mar...@lichtvoll.de> wrote:
> > Héctor González - 09.11.18, 00:02:
> > > >> Quoting wirelessd...@gmail.com (wirelessd...@gmail.com):
[…]
> > Or use sssd, in case it can be installed without pulling libsystemd0
> > / systemd. But for that you'd need to create the configuration file by
> > hand. It is not very difficult, but it would configure with debconf
> > questions like nslcd does.
> >
> > It may be an option to use 389 directory server instead of OpenLDAP.
> > SUSE just made that move with SLES 15. And it has a GUI. I did not
> > yet test it more thoroughly, so I have nothing more to say about
> > it.
>
> 389 DS is part of the FreeIPA system, and my limited reading of it
> previously was that it's not so fabulous when running on non-redhat
> systems, hence why I decided to look at alternatives.

There are freeipa packages in Debian Unstable, but currently not in Testing. So maybe the next Debian release has it, but that depends on whether the maintainers can fix whatever the cause is for it not being in Testing right now.

> > Of course, if Kerberos is used, I'd use libpam-krb5, libpam-heimdal
> > or libpam-shishi instead of libnss-ldapd. As nslcd recommends
> > libpam-krb5, it might work together with it.
> >
> > Of course Samba as AD DC (ideally together with Heimdal instead of
> > MIT Kerberos) is also an option.
> >
> > From what I saw with preparing training slides for all of these: I'd
> > like something simpler, still secure for all of that. Kerberos and
> > LDAP are hefty regarding their complexity.
>
> Can kerberos integrate with an existing OpenLDAP database, or would I
> have to maintain two separate user databases?

I have seen a module for Kerberos, I am not sure whether it was MIT or Heimdal, to store Kerberos data in the LDAP tree. I did not test it so far. If it is not integrated, you have to create each user in LDAP and in Kerberos. It should be possible to make password upgrades work in both cases.

> After a lot of reading, I'm still not sure how to implement Kerberos
> properly with LDAP. A lot of guides show how to install kerberos as a
> standalone system, and when they also say "kerberos is often used
> with OpenLDAP" they always include the proviso "but we won't describe
> how to do that in this guide".

Well… that is one of the reasons I am teaching this stuff in a course here in Germany. There are some third party books about Kerberos that may help. I did not order any so far, so I can't say much more than that.

Ciao,
-- 
Martin

_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng