Centralize logins w/ openldap

 
# 1  
Old 06-03-2009
Centralize logins w/ openldap

This is my first time configuring it; can someone give me advice on how you would config the architecture? For example, I'm stuck on the fail back issue. If my openldap box goes down, how do my users log in? I've heard of the following two options.

1 - create local user accounts ... ok but doesn't this defeat the purpose of having a centralized login? Now I have to create 5 users for 40+ servers.

2 - create user accounts only on openldap and allow root access on server itself if openldap fails.

I like option two but I would like to disable direct access for root. So what are some ways to get around this? I know there isn't a right way or a wrong way but what's best practice?
# 2  
Old 06-03-2009
Giving users root access is a definite no! They could break the system or at least install back-door access to root while they have it...

Creating local accounts could be done easily by a script that gets a list of the users from LDAP while LDAP is working (or else have a cron job that dumps the account information into a file from LDAP for use by a script to create local accounts); the fun bit will be setting the users' passwords if and when they need to use those local accounts!

Fallback could be a second or even clustered LDAP server, or even, dare I mention it, a NIS server if you really must have a fallback system of a different type?
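The cron-dump-plus-script idea in the reply above, written out as an added example (this is not code from the thread): a dump of posixAccount entries in LDIF form is parsed into passwd-style fields and turned into useradd commands for the fallback case. The LDIF sample, the base DN, and the cut-off of 1000 for "real" users are all constructed assumptions; the attribute names are the standard RFC 2307 ones.

```bash
#!/bin/sh
# Added example (not from the thread): turn an LDIF dump of posixAccount entries into
# local-account commands for the fallback case. The dump would normally come from
# something like
#   ldapsearch -x -b "ou=People,dc=example,dc=com" "(objectClass=posixAccount)"
# run from cron while LDAP is up; a constructed dump is embedded here so the script
# runs offline. The base DN and the UID range are site assumptions.

SAMPLE_LDIF='dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: alice
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/alice
loginShell: /bin/bash

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: bob
uidNumber: 1002
gidNumber: 100
homeDirectory: /home/bob
loginShell: /bin/sh

dn: uid=svc-backup,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: svc-backup
uidNumber: 999
gidNumber: 999
homeDirectory: /var/lib/backup
loginShell: /sbin/nologin
'

# Only entries at or above this uidNumber are treated as people (assumption: the site
# keeps system and service accounts below 1000, as RedHat's useradd defaults do).
MIN_UID=${MIN_UID:-1000}

# ldif_to_passwd
#   Read LDIF on stdin and print one "uid:uidNumber:gidNumber:home:shell" line per
#   posixAccount entry. Entries are separated by blank lines (or a new "dn:" line);
#   base64 attributes ("attr:: ...") are not decoded here.
ldif_to_passwd() {
    awk '
        function flush() {
            if (oc && uid != "" && un != "" && gn != "" && home != "") {
                if (shell == "") shell = "/bin/sh"
                print uid ":" un ":" gn ":" home ":" shell
            }
            oc = 0; uid = ""; un = ""; gn = ""; home = ""; shell = ""
        }
        /^dn:/                        { flush() }
        /^objectClass: posixAccount$/ { oc = 1 }
        /^uid: /                      { uid = $2 }
        /^uidNumber: /                { un = $2 }
        /^gidNumber: /                { gn = $2 }
        /^homeDirectory: /            { home = $2 }
        /^loginShell: /               { shell = $2 }
        /^$/                          { flush() }
        END                           { flush() }
    '
}

# local_account_cmds
#   Print, but do not run, the useradd command for each person. No -p is given, so
#   useradd leaves the local password field locked; the account exists for the
#   fallback case but nobody can use it until an administrator runs passwd on that
#   box (the "fun bit" from the reply). -M leaves home-directory creation to the
#   site. The gidNumber must already exist locally (groupadd it first if not).
#   Review the output, then pipe it to sh as root on each server.
local_account_cmds() {
    ldif_to_passwd | while IFS=: read -r uid un gn home shell; do
        [ "$un" -ge "$MIN_UID" ] || continue
        printf 'useradd -M -u %s -g %s -d %s -s %s %s\n' \
            "$un" "$gn" "$home" "$shell" "$uid"
    done
}

# Demo over the constructed dump: prints two useradd lines, skips svc-backup (uid 999).
printf '%s\n' "$SAMPLE_LDIF" | local_account_cmds
```

On a real host replace the embedded sample with the cron-written dump file (`local_account_cmds < /var/lib/ldap-dump.ldif`, a path chosen here as an assumption) and diff the generated commands against `getent passwd` before applying them, so accounts that already exist locally are not re-created with different numeric ids.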
# 3  
Old 06-04-2009
Option 2 is definitely the best. And do NOT disable root access on each box or you might cripple the box if openldap is gone. Just make sure the local root account has a good password. Every openldap box I've touched has left the root account alone, and with good reason.

Quote:
Originally Posted by sdotsen
This is my first time configuring it; can someone give me advice on how you would config the architecture? For example, I'm stuck on the fail back issue. If my openldap box goes down, how do my users log in? I've heard of the following two options.

1 - create local user accounts ... ok but doesn't this defeat the purpose of having a centralized login? Now I have to create 5 users for 40+ servers.

2 - create user accounts only on openldap and allow root access on server itself if openldap fails.

I like option two but I would like to disable direct access for root. So what are some ways to get around this? I know there isn't a right way or a wrong way but what's best practice?
# 4  
Old 06-04-2009
Quote:
Option 2 is definitely the best. And do NOT disable root access on each box or you might cripple the box if openldap is gone. Just make sure the local root account has a good password. Every openldap box I've touched has left the root account alone, and with good reason.
I agree: do not totally remove root access. What you can do is prevent SSH'ing into the machine as root in the sshd_config file (in /etc/ssh or possibly /usr/local/etc) by setting:

PermitRootLogin=no

Then kill -1 the root sshd process to get it to see the configuration change.

For Solaris in /etc/default/login set the line:

CONSOLE=/dev/console

so that root access may only be gained at the console, not via telnet, rlogin, etc.

For RedHat the /etc/securetty file serves a similar purpose and just needs to exist to prevent root telnet, etc.

Last edited by TonyFullerMalv; 06-04-2009 at 06:48 PM..
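An added check for the two settings discussed in this reply (example code, not from the thread): sshd honours the first occurrence of a keyword, so a "PermitRootLogin no" appended below an older "PermitRootLogin yes" changes nothing, and /etc/securetty only permits root on the tty names it lists. The sshd_config and securetty contents below are constructed samples; the functions read stdin so they can be pointed at the real files.

```bash
#!/bin/sh
# Added example (not from the thread): audit the PermitRootLogin and securetty settings
# on a Linux box. Input comes from stdin so each check can run against a file
# ("< /etc/ssh/sshd_config") or, as here, against constructed samples.

# Constructed sshd_config: someone appended "PermitRootLogin no" at the bottom without
# noticing the earlier "PermitRootLogin yes". sshd uses the FIRST value it reads for a
# keyword, so root logins over SSH are still permitted by this file.
SAMPLE_SSHD_CONFIG='# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes

# appended later; has no effect because an earlier line already set the keyword
PermitRootLogin=no
'

# Constructed /etc/securetty: root may log in on the console and two virtual terminals.
SAMPLE_SECURETTY='console
tty1
tty2
'

# effective_sshd_value KEYWORD
#   Print the value sshd will use for KEYWORD in the global section of the config read
#   on stdin. Rules as in sshd_config(5): first occurrence wins, keywords are
#   case-insensitive, "Keyword value" and "Keyword=value" are both accepted, lines whose
#   first non-blank character is "#" are comments, and everything after a "Match" line
#   is conditional (so the scan stops there). Prints "(default)" when the keyword is not
#   set, because the built-in default for PermitRootLogin differs between OpenSSH versions.
effective_sshd_value() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # comment or blank line
        { line = $0; sub(/^[ \t]+/, "", line) }
        tolower(line) ~ /^match([ \t]|$)/ { exit }   # end of the global section
        {
            if (match(line, /[ \t=]+/) == 0) next    # keyword without an argument
            k = tolower(substr(line, 1, RSTART - 1))
            v = substr(line, RSTART + RLENGTH)
            sub(/[ \t]+$/, "", v)
            if (k == key) { found = 1; print v; exit }
        }
        END { if (!found) print "(default)" }
    '
}

# securetty_allows TTY
#   Read /etc/securetty contents on stdin and print "allowed" if root may log in on TTY
#   (the device name without "/dev/"), otherwise "denied". login(1) and pam_securetty
#   only consult the names listed; a telnet or rlogin session arrives on a
#   pseudo-terminal such as pts/0, which is not in the sample list.
securetty_allows() {
    awk -v tty="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 == tty { ok = 1; exit }
        END { print (ok ? "allowed" : "denied") }
    '
}

# root_access_report
#   Run both checks over the samples. Exit status 0 only when sshd refuses root and
#   securetty does not list the pseudo-terminal; otherwise 1.
root_access_report() {
    ssh_value=$(printf '%s\n' "$SAMPLE_SSHD_CONFIG" | effective_sshd_value PermitRootLogin)
    pts_value=$(printf '%s\n' "$SAMPLE_SECURETTY" | securetty_allows pts/0)
    echo "sshd effective PermitRootLogin: $ssh_value"
    echo "root on pts/0 per securetty:    $pts_value"
    [ "$ssh_value" = "no" ] && [ "$pts_value" = "denied" ]
}

# Demo: with the sample config this reports "yes" for sshd and exits non-zero.
root_access_report || echo "root is still reachable over SSH; fix sshd_config, then kill -HUP sshd"
```

After editing the real file, `effective_sshd_value PermitRootLogin < /etc/ssh/sshd_config` should print `no`; on OpenSSH versions that support it, `sshd -T` prints the daemon's own view of the effective configuration and is the authoritative check, since it also accounts for Match blocks and defaults.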