Red Hat :: Kerberos Versus LDAP SSL - Benefits?


I am confused with the concept of Kerberos and LDAP SSL. I am in the midst of integrating my Unix box with Active Directory, hence the use of the PAM_LDAP method. I understand that since it's a non-secure transmission, we use Kerberos to authenticate. If we already use Kerberos to authenticate, it means that the username/password is not transmitted in clear text. Why do we still need LDAP SSL? What is the benefit?


View 3 Replies (Posted: 04-21-2011, 07:18 AM)
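The question above asks what LDAP SSL still adds once Kerberos handles authentication. With PAM_LDAP against Active Directory, Kerberos protects the password exchange, but the directory lookups that nss_ldap/pam_ldap perform for account data (uid, gid, group membership, home directory, shell) are a separate LDAP session. Unless that session is protected by TLS (or a SASL/GSSAPI security layer), the account data crosses the network unencrypted and unauthenticated, so anyone on the path can read it or alter what the client believes a user's uid or group membership is. The fragment below is an added example, not configuration from the original post: it shows a plaintext /etc/ldap.conf (PADL nss_ldap/pam_ldap directives) next to one that enables STARTTLS with server certificate verification. The host name, base DN and CA certificate path are placeholders.

```conf
# /etc/ldap.conf (nss_ldap / pam_ldap) -- added example, placeholder values

# --- Weak: plaintext LDAP. Lookups and any simple bind go over the wire in clear.
uri ldap://dc1.example.com          # placeholder domain controller
base dc=example,dc=com              # placeholder base DN
ssl no

# --- Hardened: STARTTLS on port 389, with the server certificate checked
#     against the CA that issued the domain controller's certificate.
uri ldap://dc1.example.com
base dc=example,dc=com
ssl start_tls                       # upgrade the connection to TLS before any request
tls_checkpeer yes                   # refuse the session if the server cert does not verify
tls_cacertfile /etc/openldap/cacerts/ad-root-ca.pem   # placeholder CA bundle path
```

To confirm the client is really negotiating TLS, run `ldapsearch -x -ZZ -H ldap://dc1.example.com -b dc=example,dc=com` from the client: the `-ZZ` option makes ldapsearch fail rather than fall back to plaintext if STARTTLS cannot be established. `tls_checkpeer yes` is the setting that matters most; `ssl start_tls` alone encrypts the session but would still accept any certificate, including one presented by a machine impersonating the domain controller.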


Related Forum Messages For Linux category:
Security :: Kerberos Versus LDAP SSL
I am integrating my Unix box with the Windows AD using PAM_LDAP with Kerberos enabled. I was wondering, since Kerberos is enabled, is there any point in enabling SSL in my ldap.conf? My understanding is that since Kerberos is enabled, the username/password is sent securely, so there isn't any benefit to enabling SSL in ldap.conf? It's one or the other.

Posted: 04-21-2011, 08:49 AM

View 1 Replies!   View Related
Ubuntu Servers :: Kerberos - LDAP - NFS ?
I've currently got Ubuntu server configured so that clients can login using LDAP user accounts that I've created using ldapadduser (from the ldapscripts package).

I've also got NFS exports working so that /home can be exported to clients. Kerberos authentication is enabled for NFS and clients require a nfs/clienthostname.domain principal to be able to mount the NFS share.

However, I now realise that for LDAP users to be able to access the mount they need their own Kerberos principal. If I run kinit dan@DANBISHOP.ORG then I can access /home/dan as user dan otherwise I get permission denied.

My question then is how best to proceed... is there a way to configure the client/server so that once a client has mounted the nfs share using Kerberos, all users can access it without their own principal?

It seems more usual to create Kerberos principals for all users, but then how does one manage users? Using ldapscripts is very easy, but if the admin then has to manually create Kerberos principals every time, it could become very tedious. Furthermore, how do users change their password if Kerberos is used for authentication?

Posted: February 7th, 2011

View 1 Replies!   View Related
OpenSUSE Network :: Kerberos + LDAP With YaST?
In the OpenSUSE documentation I read this very exciting chapter, Chapter 6, Network Authentication with Kerberos, that mentions "Using LDAP and Kerberos", which combined with NFSv4 would give my office net the functionality of a M$ Win network.

We are still on 11.2 (we have no win clients at all) and I was testing different setups of 11.4 in VM, but I can't get YaST to configure the LDAP with Kerberos setup (our current setup does not use Kerberos only LDAP). Unfortunately I could not find any meaningful HOWTO on how to do it in SuSE. The page in docs involves editing config files, but I would like to avoid this, because from my former experience with Samba, as it would mean I cannot use yast anymore and that is sad.

Is there a way to configure LDAP + Kerberos (in terms of issuing of krb tickets at login) with YaST?

PS: I basically need Kerberos for NFS and Intranet site.

Posted: 26-May-2011 09:47

View 5 Replies!   View Related
Ubuntu Servers :: CANNOT Change Password, Kerberos + LDAP?
I have installed servers (10.04 LTS Server) with Kerberos + LDAP. Now I can ssh to all those servers and log in with a Kerberos principal. But when I want to change the password, I get this error:

Code:
Current Kerberos password:
Enter new Kerberos password:
Retype new Kerberos password:
Password change rejected: Password not changed.
Kerberos database constraints violated while trying to change password.

passwd: Authentication token manipulation error
passwd: password unchanged
I have searched for this issue but cannot find any useful information. Would someone give me a direction?

Posted: July 29th, 2010

View 1 Replies!   View Related
Ubuntu Networking :: Remote Authentication / Login ~ LDAP - Kerberos?
I am interested in learning about networks in Linux and prefer to use Ubuntu. I hope the title reflects what I really need to know. If not, sorry about that. I have a requirement: it is to have a server to handle authentication of users, so generally users can use that server to use specific services such as login (to Linux), mail (postfix) and perhaps a file server (to hold user data, let's say what we have on /home/[username]). I did some reading, and it looks like I will need LDAP and Kerberos. But I couldn't get a good understanding of how to practically deploy such a service. I would be obliged if some of you guys can give me some guidelines on how to achieve my goal. Topics I need to read and books I could refer to would be a plus. To tell you something about me, I am not a *NIX guy; my knowledge is kind of just above basic.

Posted: July 27th, 2011

View 1 Replies!   View Related
Server :: Unable To Use DBUS After Changing LDAP/Kerberos/NSCD Settings
We're running an Ubuntu 10.04 LTS network at our company, authenticating against an OpenLDAP/Heimdal Kerberos server. Previously, the clients were authenticating against a Windows 2003 domain without any problems. After modifying the krb.conf, ldap.conf, nsswitch.conf and nscd.conf files to authenticate the machines against the OpenLDAP/Heimdal setup, we started experiencing strange problems.

One issue is, for example, the polkit-agent-gnome not starting. This component integrates PolicyKit into GNOME. It looks like the agent is unable to start due to some kind of delay with DBUS. Starting the agent manually keeps giving errors until about 70 seconds after login, when the agent can be started without problems. During the delay it is also impossible, for instance, to open the "shut down" menu on the top right of GNOME. You can click on the menu, but nothing appears. Trying to start the polkit-agent manually gives these errors (I'll be attaching detailed errors when at work!):

Code:

DBus error org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken

GLIB ERROR ** default - Not enough memory to set up DBusConnection for use with GLib

It really looks like DBus or something related to it is starting "too late", but I can't seem to find the reason. I'm pretty sure this has to do with some timings or whatever in the krb/ldap config files...

Posted: 04-23-2011, 03:24 AM

View 3 Replies!   View Related
Fedora Installation :: LDAP - NIS - Kerberos - Add Mint Machines To Server To Use New Security Settings
I wish to set up a network that works like Windows, but with Linux of course! It will need to be able to handle security/DNS/DHCP and document storage from one location. I've been doing some reading and have found that I think I need to be using one of the following:

LDAP
NIS
Kerberos

I have looked at a few Linux based OS's. I did notice that when you install fedora live desktop it gives you the option to connect to one of the above. So I am looking for a complete solution.

1. How to setup fedora to act as server for my needs (or other Linux build)

2. Add fedora/linux mint machines to server to use new security settings. (or other linux build)

Posted: 10th December 2009, 07:49 PM

View 3 Replies!   View Related
Security :: Kerberos And LDAP - Users Will Be Able To Login In To A Server On The Edge Of The LAN And Establish A SSH Connection
I am trying to deploy Kerberos and LDAP so users will be able to login in to a server on the edge of the LAN, and afterwards be able to establish a SSH connection to all the computers in that LAN without the need to type any passwords, and without the need for me to manage SSH keys [beside the SSH keys on the login server] and local user accounts.

1. When I create the users in OpenLDAP I use a template that I created by reading documentation from the Internet. In the template, one piece of information that is needed is the UID. Is there any clever way to keep track of the numbers so I do not assign the same UID to two users, besides using a pen and paper?

2. For the users to be able to establish SSH connections between the computers, the host is going to be added to the keytab like this: ktadd host/client.example.com. Is it possible to replace client with something generic so I do not need to manage these keytab files between the hosts?

3. Users will be logging on to the server on the edge of the LAN by using SSH keys. How can I configure the setup so the users will receive a ticket automatically when they log on, without executing kinit and without entering a password, just by having a valid SSH key?

4. krb5kdc is running on all the network interfaces in the server i want it to only run on eth1, how can this be done?

Posted: 02-19-2010, 07:46 AM

View 2 Replies!   View Related
Red Hat :: Configuring Ldap Client / Getting "error Ldap_sasl_bind: Can't Contact LDAP Server?
i have configured ldapserver on rhel4 for creating address book

following are configuration files on ldap server
/etc/openldap/slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema

I am able to import this ldif file into the database. Also, when I perform an ldapsearch on this server with the command `ldapsearch -x -W -D "cn=manager,dc=example,dc=com" -b "dc=example,dc=com"`, I get the correct output.

but when i am trying to search from another client machine, i am getting "error ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)"

Also, when I configured the address book in Mozilla on the server, it is working fine, but it is not working on another machine. Is any configuration missing on the client machine? Both the LDAP server and client are configured on RHEL 4 ES without any firewall or SELinux.

Posted: 03-13-2010, 05:36 AM

View 3 Replies!   View Related
Networking :: Security And Privacy Benefits To P2P?
Has anyone worked in building p2p apps and protocols? I'm talking an actual p2p network of physical devices that is strictly p2p, no servers for most things. Are there security and privacy benefits to p2p? How are addresses handled, like say you want to send a message to a specific friend but you don't have the relatively static IP system in the Internet. How are those things handled?

Posted: 10-22-2010

View 1 Replies!   View Related
Ubuntu :: Benefits Of Wiping Out Windows?
What are the benefits of wiping out windows and have your system running on linux only?

Posted: February 10th, 2010

View 9 Replies!   View Related
Red Hat / Fedora :: Benefits Of Using RHEL 5.5 Instead Of F8 On Server?
I have to investigate the technical benefits of using RHEL 5.5 instead of Fedora 8 on our servers. So any specific reasons with proper justification?

Posted: 06-14-2010

View 4 Replies!   View Related
Ubuntu :: Benefits Of Setting Up Own DNS Server?
I've found plenty of how to's and information on setting up a DNS Server, but what I can't find is how it would benefit me? So, that's just what I'm asking here. How would having my own DNS Server benefit me?

Posted: November 5th, 2010

View 1 Replies!   View Related
Fedora :: Benefits / Reasons To Upgrade To F15
What are the benefits to upgrading to F15 from F14 if any? Has there been some huge step forward in performance, security or some other reason that makes it worth while to upgrade? I know many people make the move simply because they wish to have the latest and greatest, but is there any reason specifically to upgrade to the latest and greatest?

Posted: 8th June 2011, 01:41 AM

View 14 Replies!   View Related
Server :: Config Ldap Client To Direct Its Authentication To Slave Ldap?
i have successful secure ldap replication but i could not make ldap client to direct its authentication to slave ldap

here is my config file on ldap client (i am not sure if it is the right place though)

ip : 192.168.1.183 is master ldap
ip : 192.168.1.185 is slave ldap
pico /etc/ldap/ldap.conf
#
# LDAP Defaults
code....

Posted: 04-05-2010, 06:15 AM

View 11 Replies!   View Related
OpenSUSE :: Ldap Via Yast - Ldap-sasl-interactive_bind_s - Local Error - 2
I took to YaST to install LDAP. I created the CA cert, server key and server cert and specified them during the YaST LDAP server dialogs.

The firewall is open for LDAP.

I also went through YaST's LDAP client, though I didn't exactly see it do anything (presumably it wrote a configuration file somewhere).

However, when trying to use the basic LDAP tools, like ldapwhoami, it doesn't connect and gives me the above error. Of course the LDAP db is unpopulated as yet, so it probably is not able to say who I am at all. But ldapadd doesn't work either.

It seems to point to my SSL usage not being correct .. so I'm trying to double check that now.

Posted: 02-Jul-2010 08:00

View 2 Replies!   View Related
CentOS 5 Networking :: LDAP User Can't Login Remotely By SSH On LDAP/Samba PDC?
I installed CentOS 5.2 and then ran yum update. I configured this server as an LDAP/Samba primary domain controller. LDAP seems to be OK, and for testing I am able to create users with `smbldap-tools useradd -am username`. I can ssh into the server as root and also as a Linux user which was locally created on the server. But ssh into the server as an LDAP user fails (from a Fedora 11 machine) with "Permission denied, please try again", prompting again for the password. Some data:

# rpm -qa | grep ldap
python-ldap-2.2.0-2.1
php-ldap-5.1.6-23.2.el5_3

[code]....

Posted: 2009/9/8 1:38

View 1 Replies!   View Related
Server :: Apache Authentication: Allow LDAP Group OR User Named Guest But Not All LDAP Users?
I am using RackMonkey to map out my lab. Unfortunately, due to RM limitations, every user who accesses the site has write access UNLESS they are logged in as a user named "guest". I currently have Apache allowing only the users (sysadmins) in an LDAP group access to RM, but I would like to allow read-only access for other users as well. I found mod_authn_anon, but I am having trouble combining the two authentication methods. I am using Apache 2.2.18 (compiled myself) on SLES 11.1.

This is the common part:

Code:

AuthType Basic
AuthBasicProvider ldap anon
Order allow,deny
Allow from all

This part by itself works for the LDAP authentication:

Code:

AuthName "System Admins"
AuthLDAPURL "ldaps://example.com/ou=ldap,o=example.com?mail" SSL
Require ldap-group cn=SysAdmins,ou=memberlist,ou=groups,o=example.com

This part works by itself for guest access:

Code:

Anonymous guest
Anonymous_VerifyEmail Off
Anonymous_MustGiveEmail Off
Anonymous_LogEmail on
Require valid-user

But if I have both of the previous blocks enabled at once, then guest access does not work. If I throw in a "Satisfy any", then I am not prompted for a username at all. How can I allow access to this LDAP group and to a user named "guest", but not allow all valid LDAP users to log in?

Posted: 05-25-2011, 09:04 AM

View 1 Replies!   View Related
Programming :: Ubuntu Hardy - Php-ldap - Can't Contact LDAP Server
I'm checking with a sniffer and there's activity going on between the client and the LDAP server... as a matter of fact, the sniffer shows that the search is producing one ldap item, however, php says it can't contact the ldap server (after it has bound and everything):

The script is working beautifully on another host with debian.

Posted: 11-28-2008, 01:47 PM

View 7 Replies!   View Related
Networking :: LDAP Configuration Error - Can't Connect To LDAP Server -1
I'm trying to set up a Linux server and I am new to this. I have gone through most of the configuration using Samba 3.0, and when I populate the LDAP directory I get this error before the password request:

Then when I perform an ldapsearch to see if the directory is populated I get this message:

I'm positive all my .conf files are done right.

Posted: 05-31-2010, 04:10 PM

View 3 Replies!   View Related
Ubuntu Networking :: IRC Channels - Benefits Of NFS Over CIFS?
I was asking around in some IRC channels earlier trying to develop some thoughts on how NFS is better than CIFS. I set up a FreeNAS file server, and that's where all of my data now resides on a pair of raided drives. That way my main desktop, which is kind of a power hog gaming rig, can be powered off since I pretty much live on my laptop now. Anyway, I began to tinker with CIFS and NFS. Since some family members in the household use Windows, I definitely need CIFS. But I wanted to bounce back to NFS too and check it out.

While I do think it's nice I don't have to worry about authentication to the NAS box when using NFS, it's still a little scary. Being that it's more of a trust method instead of actual authentication, truthfully all a user needs to get into your data is the path to your NFS share and a matching UID. I mean, am I wrong by saying this? Sure, it may seem like NFS is convenient, but this angle of it is a little scary. I just don't feel like that screams "secure."

On the flip side, you have CIFS, which uses a user authentication level. So I hit my little shortcut to my NAS and it asks me who I am. I log in and bam, I have connection. I can browse other folders on the share, etc. This is convenient because I do have a "public" share on here with a generic user. That way if friends come over and want to transfer something to me, I have them drop it in the public share and I later transfer it accordingly. Since there is a user level authentication, this to me seems a little more secure.

Speed wise I was a little concerned, as some users have said NFS is faster than CIFS. Well, they might be right. But I did a few bench tests here on my laptop, using the same exact share except one with CIFS one with NFS. I stayed in the exact same location and transferred the same 300mb file in each instance.

NFS - 1.7mb/s
CIFS - 1.5mb/s

Not exactly enough to warrant a huge argument over, so I leave that argument along the road to be forgotten about, since it doesn't really have any bearing on this situation. I like things about both NFS and CIFS. I just want to know why it is "not optimal" to use a full-blown CIFS setup even if you're using 100% Linux systems.

Posted: May 14th, 2011

View 4 Replies!   View Related
Fedora :: Benefits Of Smaller Specialized Kernel?
What are the benefits of a smaller specialized kernel? I know it will have a smaller memory footprint but will it actually affect performance in user-space at all?

Posted: 19th July 2011, 09:59 PM

View 3 Replies!   View Related
General :: Benefits Of Being System User Over Windows?
I want to know why people switch to linux or vice versa (back to windows)?
Also why YOU choose to use what you use?

Posted:

View 10 Replies!   View Related
General :: Openssh + PAM + LDAP Fails Only With LDAP Users?
I've compiled openssh-5.4p1 on RHEL 4.8 with OpenSSL 0.9.8m + PAM. It works perfectly without PAM (pam-0.77-66), both with password and public key auth. With PAM enabled and LDAP (openldap-2.4.21, from scratch) something strange happens: for system users, I can do ssh with both password and public key; for LDAP users, public key works for remote users, but I still cannot do ssh with just a password. I'm trying a custom PAM configuration, because the default one (even with authconfig + LDAP) blocks ssh even for system users.

My pam SSHD configuration is:

#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_ldap.so use_first_pass

[code]....

My LDAP users are OK: I can do "su - " to a remote LDAP user (so nss_ldap is OK), and getent passwd and getent group are also OK.

Posted: 03-31-2010, 09:43 AM

View 2 Replies!   View Related