<html><body><div style="font-family: Arial; font-size: 12pt; color: #000000"><div aria-label="Compose body">Hey all, I appreciate the responses/discussion, I have a little bit more to think about now. You are correct, this is a local filesystem that I'm working with. And if I'm interpreting my boss correctly, I think that the solution that he has in mind is not as involved as implementing Kerberos.<br><br>One thing that I've started to wonder about - would it be easier to utilize LDAP permissions if I provided access to the filesystem via a web interface?? Just thinking out loud here <em>(OK, "grasping for straws" might be a more-appropriate phrase...)</em><br><br>I'd be glad to hear anyone else's thoughts on this as well...<br><br>Thanks again!<br></div><div><br></div><hr id="zwchr"><div style="color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;" data-mce-style="color: #000; font-weight: normal; font-style: normal; text-decoration: none; font-family: Helvetica,Arial,sans-serif; font-size: 12pt;"><b>From: </b>"Dan Kulinski" <daniel@kulinski.net><br><b>To: </b>"CLUE's mailing list" <clue@cluedenver.org><br><b>Sent: </b>Wednesday, September 14, 2016 11:08:49 AM<br><b>Subject: </b>Re: [clue] Filesystems + LDAP permissions???<br><div><br></div><div dir="ltr"><div><div><div>Raymond,<br><div><br></div></div>Good point on the local filesystem, I was under a bad assumption that this was a network file system. You can support ACLs at the local file system level but I don't know if they can be set to have kerberos based security. At some point the LDAP user is mapped to a UID/GID (hopefully based on a UNIX compatible LDAP schema) and using ACLs should grant the protection needed. <br><div><br></div>You are absolutely correct about an IPA type of setup for this. <br><div><br></div></div>Thanks,<br></div> Dan<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Sep 14, 2016 at 10:02 AM, Raymond DeRoo <span dir="ltr"><<a href="mailto:rderoo@deroo.net" target="_blank" data-mce-href="mailto:rderoo@deroo.net">rderoo@deroo.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex" data-mce-style="margin: 0 0 0 .8ex; border-left: 1px #ccc solid; padding-left: 1ex;">Dan,<br> <span class=""><br> > Generally NFSv4 can be configured to use kerberos for authorization. This can be used in conjunction with LDAP accounts.<br> <br> </span>This is my understanding as well, however in addition isn’t IPA also needed of the kerberos realm -> LDAP schema? Perhaps I misunderstood the OP, but I thought the desire was for the local file system. I support it would be possible to run NFS locally and then use LDAP/IPA to authenticate uses…<br> <br> Now I’m even more interested in what the file solution looks like.<br> <br> Kind regards,<br> Raymond<br><div class="HOEnZb"><div class="h5"><br> _______________________________________________<br> clue mailing list: <a href="mailto:clue@cluedenver.org" target="_blank" data-mce-href="mailto:clue@cluedenver.org">clue@cluedenver.org</a><br> For information, account preferences, or to unsubscribe see:<br> <a href="http://cluedenver.org/mailman/listinfo/clue" rel="noreferrer" target="_blank" data-mce-href="http://cluedenver.org/mailman/listinfo/clue">http://cluedenver.org/mailman/listinfo/clue</a><br data-mce-bogus="1"></div></div></blockquote></div><br></div><br>_______________________________________________<br>clue mailing list: clue@cluedenver.org<br>For information, account preferences, or to unsubscribe see:<br>http://cluedenver.org/mailman/listinfo/clue</div><div><br></div></div></body></html>