<html><head></head><body><div style="color:#000; background-color:#fff; font-family:lucida console, sans-serif;font-size:13px"><div><span></span></div><div><span>Note: I was also working on RHEL 6.x </span></div><div id="yui_3_16_0_ym19_1_1473877302545_23222"><span><br></span></div><div id="yui_3_16_0_ym19_1_1473877302545_23190"><span id="yui_3_16_0_ym19_1_1473877302545_23221">Maybe RHEL 7.x has better and supported solutions using IPA, etc. from RH</span></div><div id="yui_3_16_0_ym19_1_1473877302545_23190"><span><br></span></div> <div class="qtdSeparateBR"><br><br></div><div class="yahoo_quoted" style="display: block;"> <div style="font-family: lucida console, sans-serif; font-size: 13px;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div dir="ltr"><font size="2" face="Arial"> On Wednesday, September 14, 2016 2:27 PM, Mark G. Harvey <markgharvey@yahoo.com> wrote:<br></font></div> <br><br> <div class="y_msg_container"><div id="yiv8318598720"><div><div style="color:#000;background-color:#fff;font-family:lucida console, sans-serif;font-size:13px;"><div id="yiv8318598720yui_3_16_0_ym19_1_1473877302545_19522"><span></span></div><div dir="ltr" id="yiv8318598720yui_3_16_0_ym19_1_1473877302545_19522"><span id="yiv8318598720yui_3_16_0_ym19_1_1473877302545_21286">" isn’t IPA also needed of the kerberos realm -> LDAP schema? " I believe Raymond is correct. <br clear="none"></span></div><div id="yiv8318598720yui_3_16_0_ym19_1_1473877302545_19522"><span><br clear="none"></span></div><div dir="ltr" id="yiv8318598720yui_3_16_0_ym19_1_1473877302545_19522"><span id="yiv8318598720yui_3_16_0_ym19_1_1473877302545_20156" style="font-size:13px;">As someone who's attempted to link AD to a RHEL LDAP system, I can tell you it is a real pain. 
It can be done with IPA / FreeIPA, ( </span><a rel="nofollow" shape="rect" id="yiv8318598720yui_3_16_0_ym19_1_1473877302545_20158" target="_blank" href="http://www.freeipa.org/page/Main_Page" style="font-size:13px;background-color:rgb(255, 255, 255);">http://www.freeipa.org/page/Main_Page</a><span id="yiv8318598720yui_3_16_0_ym19_1_1473877302545_20516" style="font-size:13px;"> ) but I would not call it a solid solution. At the time, the customer had a support contract with RH, & we had cases open with them, but I didn't find them helpful. </span></div><div dir="ltr" id="yiv8318598720yui_3_16_0_ym19_1_1473877302545_19522"><span id="yiv8318598720yui_3_16_0_ym19_1_1473877302545_21668" style="font-size:13px;"><br clear="none">I also found that using ACLs can complicate the issue. Recommend focusing on the LDAP side first. Maybe you won't need the ACLs. </span><br clear="none"></div><div dir="ltr" id="yiv8318598720yui_3_16_0_ym19_1_1473877302545_19519"><span><br clear="none"></span></div><div dir="ltr" id="yiv8318598720yui_3_16_0_ym19_1_1473877302545_19614"><span>An evaluation of solutions: </span><a rel="nofollow" shape="rect" id="yiv8318598720yui_3_16_0_ym19_1_1473877302545_19979" target="_blank" href="http://solutionsreview.com/identity-management/" style="font-size:13px;background-color:rgb(255, 255, 255);">http://solutionsreview.com/identity-management/</a></div><div dir="ltr" id="yiv8318598720yui_3_16_0_ym19_1_1473877302545_19614"><br clear="none"></div><div dir="ltr" id="yiv8318598720yui_3_16_0_ym19_1_1473877302545_19614">When I did the work above, the customer turned down a turnkey solution. 
</div><div dir="ltr" id="yiv8318598720yui_3_16_0_ym19_1_1473877302545_19614"><span style="font-size:13px;">Free Security and Authentication Solutions -- </span><span style="font-size:13px;">EXPRESS FOR LINUX AND UNIX</span><br clear="none"></div><div dir="ltr" id="yiv8318598720yui_3_16_0_ym19_1_1473877302545_19614"><a rel="nofollow" shape="rect" target="_blank" href="https://www.centrify.com/express/">https://www.centrify.com/express/</a><br clear="none"></div><div dir="ltr" id="yiv8318598720yui_3_16_0_ym19_1_1473877302545_19614"><br clear="none"></div><div dir="ltr" id="yiv8318598720yui_3_16_0_ym19_1_1473877302545_20407"><a rel="nofollow" shape="rect" id="yiv8318598720yui_3_16_0_ym19_1_1473877302545_20408" target="_blank" href="http://centrifying.blogspot.com/">http://centrifying.blogspot.com/</a><br clear="none" id="yiv8318598720yui_3_16_0_ym19_1_1473877302545_20409"></div><div dir="ltr" id="yiv8318598720yui_3_16_0_ym19_1_1473877302545_20410"><br clear="none" id="yiv8318598720yui_3_16_0_ym19_1_1473877302545_20411"></div><div dir="ltr" id="yiv8318598720yui_3_16_0_ym19_1_1473877302545_19614"><span id="yiv8318598720yui_3_16_0_ym19_1_1473877302545_20671">There are cloud based solutions from Ping Identity & JumpCloud, but you might want something less expensive & that works locally. </span></div><div dir="ltr" id="yiv8318598720yui_3_16_0_ym19_1_1473877302545_19614"><span><br clear="none"></span></div><div dir="ltr" id="yiv8318598720yui_3_16_0_ym19_1_1473877302545_19614"><span id="yiv8318598720yui_3_16_0_ym19_1_1473877302545_22072">I also discovered ForgeRock has open community projects. </span></div><div dir="ltr" id="yiv8318598720yui_3_16_0_ym19_1_1473877302545_19614"><span><a rel="nofollow" shape="rect" target="_blank" href="https://forgerock.org/">https://forgerock.org/</a><br clear="none"></span></div><div dir="ltr" id="yiv8318598720yui_3_16_0_ym19_1_1473877302545_19614">I've not had a chance to check them out. 
<span><br clear="none"></span></div><div dir="ltr" id="yiv8318598720yui_3_16_0_ym19_1_1473877302545_19614"><span><br clear="none"></span></div><div dir="ltr" id="yiv8318598720yui_3_16_0_ym19_1_1473877302545_19614"><span>Tools for connecting to your LDAP system. </span></div><div dir="ltr" id="yiv8318598720yui_3_16_0_ym19_1_1473877302545_19614"><span><br clear="none">jXplorer, Java based </span></div><div dir="ltr" id="yiv8318598720yui_3_16_0_ym19_1_1473877302545_19614"><span><a rel="nofollow" shape="rect" target="_blank" href="http://jxplorer.org/">http://jxplorer.org/</a><br clear="none"></span></div><div dir="ltr" id="yiv8318598720yui_3_16_0_ym19_1_1473877302545_19614"><br clear="none">Apache Directory Studio</div><div dir="ltr" id="yiv8318598720yui_3_16_0_ym19_1_1473877302545_19614"><a rel="nofollow" shape="rect" target="_blank" href="http://directory.apache.org/">http://directory.apache.org/</a><br clear="none"></div><div dir="ltr" id="yiv8318598720yui_3_16_0_ym19_1_1473877302545_19614"><span><br clear="none">Hope this is helpful. I'm </span><span id="yiv8318598720yui_3_16_0_ym19_1_1473877302545_22071" style="font-size:13px;">looking forward to seeing your solution. 
</span></div><div dir="ltr" id="yiv8318598720yui_3_16_0_ym19_1_1473877302545_19614"><span><br clear="none"></span></div> <div class="yiv8318598720qtdSeparateBR"><br clear="none"><br clear="none"></div><div class="yiv8318598720yahoo_quoted" style="display:block;"> <div style="font-family:lucida console, sans-serif;font-size:13px;"> <div style="font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px;"> <div class="yiv8318598720yqt2545335604" id="yiv8318598720yqtfd64644"><div dir="ltr"><font size="2" face="Arial"> On Wednesday, September 14, 2016 11:09 AM, Dan Kulinski <daniel@kulinski.net> wrote:<br clear="none"></font></div> <br clear="none"><br clear="none"> <div class="yiv8318598720y_msg_container"><div id="yiv8318598720"><div><div dir="ltr"><div><div><div>Raymond,<br clear="none"><br clear="none"></div>Good point on the local filesystem, I was under a bad assumption that this was a network file system. You can support ACLs at the local file system level but I don't know if they can be set to have kerberos based security. At some point the LDAP user is mapped to a UID/GID (hopefully based on a UNIX compatible LDAP schema) and using ACLs should grant the protection needed. <br clear="none"><br clear="none">You are absolutely correct about an IPA type of setup for this. <br clear="none"><br clear="none"></div>Thanks,<br clear="none"></div> Dan<br clear="none"></div><div class="yiv8318598720yqt0409599511" id="yiv8318598720yqt46498"><div class="yiv8318598720gmail_extra"><br clear="none"><div class="yiv8318598720gmail_quote">On Wed, Sep 14, 2016 at 10:02 AM, Raymond DeRoo <span dir="ltr"><<a rel="nofollow" shape="rect" ymailto="mailto:rderoo@deroo.net" target="_blank" href="mailto:rderoo@deroo.net">rderoo@deroo.net</a>></span> wrote:<br clear="none"><blockquote class="yiv8318598720gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">Dan,<br clear="none">
<span class="yiv8318598720"><br clear="none">
> Generally NFSv4 can be configured to use kerberos for authorization. This can be used in conjunction with LDAP accounts.<br clear="none">
<br clear="none">
</span>This is my understanding as well, however in addition isn’t IPA also needed of the kerberos realm -> LDAP schema? Perhaps I misunderstood the OP, but I thought the desire was for the local file system. I suppose it would be possible to run NFS locally and then use LDAP/IPA to authenticate users…<br clear="none">
<br clear="none">
Now I’m even more interested in what the file solution looks like.<br clear="none">
<br clear="none">
Kind regards,<br clear="none">
Raymond<br clear="none">
<div class="yiv8318598720HOEnZb"><div class="yiv8318598720h5"><br clear="none">
_______________________________________________<br clear="none">
clue mailing list: <a rel="nofollow" shape="rect" ymailto="mailto:clue@cluedenver.org" target="_blank" href="mailto:clue@cluedenver.org">clue@cluedenver.org</a><br clear="none">
For information, account preferences, or to unsubscribe see:<br clear="none">
<a rel="nofollow" shape="rect" target="_blank" href="http://cluedenver.org/mailman/listinfo/clue">http://cluedenver.org/mailman/listinfo/clue</a></div></div></blockquote></div><br clear="none"></div></div></div></div><br clear="none"><br clear="none"><br clear="none"></div> </div></div><div class="yiv8318598720yqt2545335604" id="yiv8318598720yqtfd29988"> </div></div><div class="yiv8318598720yqt2545335604" id="yiv8318598720yqtfd85197"> </div></div></div></div></div><br><br></div> </div> </div> </div></div></body></html>