LDAP Auth?

From: Drew Smith (drew@eastvan.bc.ca)
Date: 07/24/02


From: Drew Smith <drew@eastvan.bc.ca>
To: focus-linux@securityfocus.com
Date: 23 Jul 2002 16:56:07 -0600


        Hey folks,

        I'm considering implementing LDAP authentication across our network of
about 15 Red Hat machines. Problem is, I've never really used LDAP or
been in an environment that uses it. I'm not new to Linux, network
administration, or security, but I've got a few questions... does anyone
use this on a reasonably wide scale, that could answer a few questions
for me, and perhaps discuss a bit of the ups and downs of this kind of
centralized authentication?

        I understand that it's possible to authenticate against an LDAP server;
where I'm fuzzy is the administration of the users' environment. PAM
does it's thing, but should a user successfully authenticate, I assume I
still need a home directory for them? NFS-mounting a home directory is
not really a great idea, given that the machines are separated by great
distances.

        We currently use SSH keys for authentication in most cases. Will this
integrate well with LDAP, or will the two cause me headaches? Can I
store the public keys in a table somehow, and turn on/off access to a
machine at the LDAP level?

        Many of our users work from home sometimes, and cablemodem IPs tend to
change rapidly, especially on Windows machines. Is it possible to have
iptables or something similar query a table in the LDAP directory, so
that I can change the firewall in one place, instead of fifteen?

        I am the only fulltime administrator, taking the place of
administrator/programmers - they are very capable, but tend to fix
things with custom-coded solutions. We continue to grow at a rapid
rate, and I need to plan for maximum growth; I'd appreciate any
suggestions or discussion along these lines.

        My apologies if this seems off-topic; I'll gladly desist if requested,
but since the list is a little slow lately, why not discuss
security-related issues from a non-emergency point of view? :)

        Cheers,
        - Drew.

-- 
Drew Smith (mux) <drew@riotnrrd.com>
Encrypted e-mail preferred - finger for public key.
5801 7134 B54C 3D71 EBE1 CE24 F4DB 2528 5A46 A31B