sazhyk, 2017-07-11 11:15:15
Debian

Where to start setting up?

I would like to get into setting up "pass-through authorization" (SSO). For experiments I chose the combination OpenLDAP + MIT Kerberos, naturally with replication for both OpenLDAP and Kerberos. That is, the scheme is approximately the following:
Machine1 (master)
|--- ldap1.site.ru
|--- kdc1.site.ru
Machine2 (slave)
|--- ldap2.site.ru
|--- kdc2.site.ru
There are a lot of manuals for setting up the services separately, and there are no problems with that. Unfortunately, there is no way to understand what is being configured for what, and in what sequence. The Kerberos docs describe setting up Kerberos first, and then OpenLDAP as the base for storing users. In the OpenLDAP setup it is the opposite.
So far I understand two possible schemes of work:
1. First I set up slapd on both machines and set up OpenLDAP replication, then I set up Kerberos and its replication.
2. First I set up slapd on both machines, then I configure Kerberos, and in Kerberos I set up what should be replicated and how (if that is at all possible).
Tell me the algorithm of actions.
What in practice is preferable to configure first?

2 answers
Axian Ltd., 2017-07-11
@AxianLTD

I would take FreeIPA - it will be more useful and easier to configure in most cases.

Vladimir Zhurkin, 2017-07-13
@icCE

Just define it for yourself: OpenLDAP is a directory access protocol, and Kerberos is a network authentication protocol.
What to set up first? Well, look: if we set up Kerberos first, we can authenticate, and then we need to go through authorization. The question is, who will do that? We need LDAP. LDAP can work without Kerberos and perform authorization, but this is not considered secure, so we use authentication. A chicken-and-egg problem :) I usually always configure Kerberos first, and then LDAP, since Kerberos can be used not only for LDAP but also, for example, for SSH.
