Re: LDAP Auth?

From: Corey Donohoe
Date: 07/27/02

Date: Fri, 26 Jul 2002 19:04:09 -0500
From: Corey Donohoe <>
To: Drew Smith <>

* Drew Smith wrote:
> I'm considering implementing LDAP authentication across our network of
> about 15 Red Hat machines. Problem is, I've never really used LDAP or
> been in an environment that uses it. I'm not new to Linux, network
> administration, or security, but I've got a few questions... does anyone
> use this on a reasonably wide scale, that could answer a few questions
> for me, and perhaps discuss a bit of the ups and downs of this kind of
> centralized authentication?
This is all from my experience with openldap, can't really speak for
much else.

ups - ssl, built in replication, acls
downs - is not the most intuitive setup at first

> I understand that it's possible to authenticate against an LDAP server;
> where I'm fuzzy is the administration of the users' environment. PAM
> does its thing, but should a user successfully authenticate, I assume I
> still need a home directory for them? NFS-mounting a home directory is
> not really a great idea, given that the machines are separated by great
> distances.
Yeah, you can still manually create their home directories on each
machine. It's a little more administration, but you don't *need* to
have home directories mounted over NFS.
> We currently use SSH keys for authentication in most cases. Will this
> integrate well with LDAP, or will the two cause me headaches? Can I
> store the public keys in a table somehow, and turn on/off access to a
> machine at the LDAP level?
I think I remember seeing host based restrictions somewhere along the
line, but prolly shouldn't say yes. Your ssh keys will work fine.
No, I'm not aware of any way to store keys in a directory and
enable/disable them whenever you want. I saw something on uploading pgp
keys though. Depending on how coding inclined you are you might be able
to whip up your own little app to do some dirty work for you. ldap2dns
comes to mind as something you might wanna look at as an example.
> Many of our users work from home sometimes, and cablemodem IPs tend to
> change rapidly, especially on Windows machines. Is it possible to have
> iptables or something similar query a table in the LDAP directory, so
> that I can change the firewall in one place, instead of fifteen?
That would probably need something custom, but it's not impossible.
> I am the only fulltime administrator, taking the place of
> administrator/programmers - they are very capable, but tend to fix
> things with custom-coded solutions. We continue to grow at a rapid
> rate, and I need to plan for maximum growth; I'd appreciate any
> suggestions or discussion along these lines.
Figure out what you need now, figure out where you need to be able to
grow. You sound like you have the resources to do the stuff you
> My apologies if this seems off-topic; I'll gladly desist if requested,
> but since the list is a little slow lately, why not discuss
> security-related issues from a non-emergency point of view? :)
I'd be curious to hear what other people think too.

Corey Donohoe