[clue] Filesystems + LDAP permissions???

Mark G. Harvey markgharvey at yahoo.com
Wed Sep 14 14:29:57 MDT 2016


Note:  I was also working on RHEL 6.x  
Maybe RHEL 7.x has better and supported solutions using IPA, etc. from RH
 

    On Wednesday, September 14, 2016 2:27 PM, Mark G. Harvey <markgharvey at yahoo.com> wrote:
 

 " isn’t IPA also needed of the kerberos realm -> LDAP schema? "  I believe Raymond is correct.  

As someone who's attempted to link AD to a RHEL LDAP system, I can tell you it is a real pain.  It can be done with IPA / FreeIPA ( http://www.freeipa.org/page/Main_Page ), but I would not call it a solid solution.  At the time, the customer had a support contract with RH, & we had cases open with them, but I didn't find them helpful. 
I also found that using ACLs can complicate the issue.  Recommend focusing on the LDAP side first.  Maybe you won't need the ACLs.  

An evaluation of solutions:  http://solutionsreview.com/identity-management/
When I did the work above, the customer turned down a turnkey solution.  Free Security and Authentication Solutions -- EXPRESS FOR LINUX AND UNIX
https://www.centrify.com/express/

http://centrifying.blogspot.com/

There are cloud based solutions from Ping Identity & JumpCloud, but you might want something less expensive & that works locally. 
I also discovered Forge Rock has open community projects.  https://forgerock.org/
I've not had a chance to check them out.  

Tools for connecting to your LDAP system.  
jXplorer, Java based: http://jxplorer.org/

Apache Directory Studio: http://directory.apache.org/

Hope this is helpful.  I'm looking forward to seeing your solution.  
 

    On Wednesday, September 14, 2016 11:09 AM, Dan Kulinski <daniel at kulinski.net> wrote:
 

 Raymond,

Good point on the local filesystem, I was under a bad assumption that this was a network file system.  You can support ACLs at the local file system level but I don't know if they can be set to have Kerberos based security. At some point the LDAP user is mapped to a UID/GID (hopefully based on a UNIX compatible LDAP schema) and using ACLs should grant the protection needed.  

You are absolutely correct about an IPA type of setup for this.  

Thanks,
  Dan

On Wed, Sep 14, 2016 at 10:02 AM, Raymond DeRoo <rderoo at deroo.net> wrote:

Dan,

> Generally NFSv4 can be configured to use kerberos for authorization.  This can be used in conjunction with LDAP accounts.

This is my understanding as well, however in addition isn’t IPA also needed of the kerberos realm -> LDAP schema? Perhaps I misunderstood the OP, but I thought the desire was for the local file system. I suppose it would be possible to run NFS locally and then use LDAP/IPA to authenticate users…

Now I’m even more interested in what the file solution looks like.

Kind regards,
Raymond
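Dan's point above, that an LDAP account is first resolved to a UID/GID (via an RFC 2307 posixAccount entry) and only then matched against the local filesystem's POSIX ACL, shown as an added example that is not from anyone in this thread. The LDIF entries, ids and ACL lines are constructed; the evaluation follows the POSIX.1e order (owner, named user, groups, other) and shows that the mask entry caps what a named user or group entry can grant.

```python
# Constructed RFC 2307 LDIF fragment of the kind nss_ldap/sssd resolves to a
# UID/GID. Names and numbers are made up for this example.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: alice
uidNumber: 10001
gidNumber: 5000

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: bob
uidNumber: 10002
gidNumber: 5001
"""

def parse_posix_accounts(ldif):
    """Map each posixAccount's uid to (uidNumber, gidNumber), as NSS would."""
    accounts = {}
    for entry in ldif.strip().split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in entry.splitlines())
        if attrs.get("objectClass") == "posixAccount":
            accounts[attrs["uid"]] = (int(attrs["uidNumber"]), int(attrs["gidNumber"]))
    return accounts

def parse_acl(lines):
    """Parse getfacl-style lines with numeric ids (what the kernel stores)."""
    acl = {"user": {}, "group": {}, "mask": {"r", "w", "x"}}  # no mask = no cap
    for line in lines:
        tag, qual, perms = line.split(":")
        bits = set(perms) - {"-"}
        if tag == "mask":
            acl["mask"] = bits
        elif qual == "":                        # user::, group::, other::
            acl[tag + "_obj" if tag != "other" else tag] = bits
        else:                                   # user:<uid>:, group:<gid>:
            acl[tag][int(qual)] = bits
    return acl

def access_allowed(acl, owner_uid, owner_gid, uid, gids, want):
    """POSIX.1e check: owner, then named user, then matching groups, then other."""
    want = set(want)
    if uid == owner_uid:
        return want <= acl["user_obj"]
    if uid in acl["user"]:                      # named entries are masked
        return want <= (acl["user"][uid] & acl["mask"])
    groups = ([acl["group_obj"]] if owner_gid in gids else []) + \
             [p for g, p in acl["group"].items() if g in gids]
    if groups:                                  # any matching group decides
        return any(want <= (p & acl["mask"]) for p in groups)
    return want <= acl["other"]

def check_ldap_user(username, want, acl_lines, owner_uid=0, owner_gid=0):
    """Resolve the LDAP account to UID/GID, then evaluate the file's ACL for it."""
    accounts = parse_posix_accounts(SAMPLE_LDIF)
    if username not in accounts:                # unresolvable user: nothing to grant
        return False
    uid, gid = accounts[username]
    return access_allowed(parse_acl(acl_lines), owner_uid, owner_gid, uid, {gid}, want)
```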

_______________________________________________
clue mailing list: clue at cluedenver.org
For information, account preferences, or to unsubscribe see:
http://cluedenver.org/mailman/listinfo/clue
