[clue] Filesystems + LDAP permissions???

foo7775 at comcast.net foo7775 at comcast.net
Thu Sep 15 22:47:29 MDT 2016


Hey all, I appreciate the responses/discussion, I have a little bit more to think about now. You are correct, this is a local filesystem that I'm working with. And if I'm interpreting my boss correctly, I think that the solution that he has in mind is not as involved as implementing Kerberos. 

One thing that I've started to wonder about - would it be easier to utilize LDAP permissions if I provided access to the filesystem via a web interface?? Just thinking out loud here (OK, "grasping for straws" might be a more-appropriate phrase...) 

I'd be glad to hear anyone else's thoughts on this as well... 

Thanks again! 

----- Original Message -----

From: "Dan Kulinski" <daniel at kulinski.net> 
To: "CLUE's mailing list" <clue at cluedenver.org> 
Sent: Wednesday, September 14, 2016 11:08:49 AM 
Subject: Re: [clue] Filesystems + LDAP permissions??? 

Raymond, 

Good point on the local filesystem, I was under a bad assumption that this was a network file system. You can support ACLs at the local file system level but I don't know if they can be set to have Kerberos-based security. At some point the LDAP user is mapped to a UID/GID (hopefully based on a UNIX-compatible LDAP schema) and using ACLs should grant the protection needed. 

You are absolutely correct about an IPA type of setup for this. 

Thanks, 
Dan 

On Wed, Sep 14, 2016 at 10:02 AM, Raymond DeRoo < rderoo at deroo.net > wrote: 


Dan, 

> Generally NFSv4 can be configured to use Kerberos for authorization. This can be used in conjunction with LDAP accounts. 

This is my understanding as well, however in addition isn’t IPA also needed for the Kerberos realm -> LDAP schema? Perhaps I misunderstood the OP, but I thought the desire was for the local file system. I suppose it would be possible to run NFS locally and then use LDAP/IPA to authenticate users… 

Now I’m even more interested in what the file solution looks like. 

Kind regards, 
Raymond 

_______________________________________________ 
clue mailing list: clue at cluedenver.org 
For information, account preferences, or to unsubscribe see: 
http://cluedenver.org/mailman/listinfo/clue 




