Hey folks,
What is the best way to manage users across multiple CentOS boxes?
Ideally what I'd like to be able to do is have central control over who has access to which box on a minute-to-minute basis. e.g. User X needs access to Box A for 30 minutes - clickity, clickity and they have access for that long, after which their access is automatically turned off.
thanks, -Alan
On 11/04/2009 02:50 PM, Alan McKay wrote:
What is the best way to manage users across multiple CentOS boxes?
If that's all you need in place, an ldap based setup would work - perhaps even CDS
If that's all you need in place, an ldap based setup would work - perhaps even CDS
Could you point me at examples of either of these?
It is not clear to me where LDAP comes in - for authentication I guess. But what about managing the password files? Or does one not have to do that?
If that's all you need in place, an ldap based setup would work - perhaps even CDS
Could you point me at examples of either of these?
It is not clear to me where LDAP comes in - for authentication I guess. But what about managing the password files? Or does one not have to do that?
Only on the LDAP master server. Once configured, all users have only one source for usernames and passwords; change it there, and it's visible everywhere.
mark
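The "30 minutes of access to Box A, then automatically off" requirement from the original post, worked through against the single source mark describes, as an added shell example that is not from the thread or from any project mentioned in it. It assumes a hypothetical directory at ldap://ldap.example.com with user entries named uid=<user>,ou=People,dc=example,dc=com that carry the account objectClass (which permits the host attribute), a bind password in a 0600 file, and clients running pam_ldap with pam_check_host_attr yes, so a user can log in to a box only while that box's hostname appears in a host value of their entry. The grant adds the value with ldapmodify; the matching delete is queued with at(1), which is what makes the access expire on its own. All names and paths are placeholders.

```shell
#!/bin/sh
# Added example: time-limited host access through the LDAP 'host' attribute.
# Hypothetical settings; override them in the environment for a real directory.
LDAP_URI="${LDAP_URI:-ldap://ldap.example.com}"
BASE_DN="${BASE_DN:-dc=example,dc=com}"
ADMIN_DN="${ADMIN_DN:-cn=Manager,$BASE_DN}"
PASS_FILE="${PASS_FILE:-/etc/ldap.secret}"   # bind password, mode 0600, read with -y

# Distinguished name of a user entry, assuming uid=<user>,ou=People,<base>.
user_dn() {
  printf 'uid=%s,ou=People,%s\n' "$1" "$BASE_DN"
}

# Reject anything that is not a plain username/hostname: these values are
# spliced into LDIF and into an at(1) job, so keep them boring.
valid_token() {
  case "$1" in
    ''|*[!A-Za-z0-9._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Accept only a positive integer number of minutes.
valid_minutes() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) [ "$1" -gt 0 ] ;;
  esac
}

# LDIF that adds 'host: <box>' to the user's entry (the grant).
grant_ldif() {
  printf 'dn: %s\nchangetype: modify\nadd: host\nhost: %s\n' "$(user_dn "$1")" "$2"
}

# LDIF that removes exactly that one 'host: <box>' value (the revoke),
# leaving any other hosts the user was already allowed on untouched.
revoke_ldif() {
  printf 'dn: %s\nchangetype: modify\ndelete: host\nhost: %s\n' "$(user_dn "$1")" "$2"
}

# Apply the grant now and queue the revoke for <minutes> from now.
grant_temporary_access() {
  user=$1; box=$2; minutes=$3
  if ! valid_token "$user" || ! valid_token "$box" || ! valid_minutes "$minutes"; then
    echo "usage: grant_temporary_access <user> <host> <minutes>" >&2
    return 2
  fi
  grant_ldif "$user" "$box" | ldapmodify -x -H "$LDAP_URI" -D "$ADMIN_DN" -y "$PASS_FILE" || return 1
  revoke=$(mktemp /tmp/revoke.XXXXXX) || return 1
  revoke_ldif "$user" "$box" > "$revoke"
  # The at job runs as the invoking user, who must be able to read PASS_FILE.
  printf 'ldapmodify -x -H "%s" -D "%s" -y "%s" -f "%s"; rm -f "%s"\n' \
    "$LDAP_URI" "$ADMIN_DN" "$PASS_FILE" "$revoke" "$revoke" | at "now + $minutes minutes"
}

# Usage: sh grant-access.sh <user> <host> <minutes>
if [ "$#" -eq 3 ]; then
  grant_temporary_access "$1" "$2" "$3"
fi
```

Because the check is enforced by pam_ldap on each client at login time, revoking the attribute stops new logins immediately but does not terminate a session that is already open; if that matters, pair the revoke with a session kill on the box. Running the revoke from atd rather than from the granting shell also means the expiry survives the admin logging out.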
OK, google comes up with what looks like some easy HOWTOs for LDAP
I'll dig in and come back with questions as required
OK, google comes up with what looks like some easy HOWTOs for LDAP
I'll dig in and come back with questions as required
Don't believe it.
The fall of '06, my manager and the other admin and I were discussing what to use for single sign-on. NIS has way too many holes, and no one was wild about NIS+, so, though none of us had dealt with it before, I thought LDAP was the wave o' the future, and offered to implement it. A month or so later, and *lots* of grief and hair tearing (and I ain't got none to spare), I got it in. openLDAP's docs were *way* insufficient, and the tools that come with it are *not* ready for prime time, and user-surly, to say the least.
It works, though.
mark
m.roth@5-cent.us wrote:
OK, google comes up with what looks like some easy HOWTOs for LDAP
I'll dig in and come back with questions as required
Don't believe it.
The fall of '06, my manager and the other admin and I were discussing what to use for single sign-on. NIS has way too many holes, and no one was wild about NIS+, so, though none of us had dealt with it before, I thought LDAP was the wave o' the future, and offered to implement it. A month or so later, and *lots* of grief and hair tearing (and I ain't got none to spare), I got it in. openLDAP's docs were *way* insufficient, and the tools that come with it are *not* ready for prime time, and user-surly, to say the least.
It works, though.
mark
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Mark, I too have experienced this PAIN!!! However I never quite got it done, always seemed real close but not quite. Did you document?? I am now trying the RH / Fedora DS - no problem getting it installed but configuration........ Any pointers to docs that actually work. I have purchased books, read magazines and spent probably 100+ hours only to run out of time and energy. It remains on my 'to do' list. Thanks for any pointers. Rob
m.roth@5-cent.us wrote:
OK, google comes up with what looks like some easy HOWTOs for LDAP
I'll dig in and come back with questions as required
Don't believe it.
The fall of '06, my manager and the other admin and I were discussing what to use for single sign-on. NIS has way too many holes, and no one was wild about NIS+, so, though none of us had dealt with it before, I thought LDAP was the wave o' the future, and offered to implement it. A month or so later, and *lots* of grief and hair tearing (and I ain't got none to spare), I got it in. openLDAP's docs were *way* insufficient, and the tools that come with it are *not* ready for prime time, and user-surly, to say the least.
It works, though.
I too have experienced this PAIN!!! However I never quite got it done, always seemed real close but not quite. Did you document??
IIRC, I posted the info to the redhat list (that was a RHEL shop). I can look around in my old email, when I get home (delete email? nooooo....) <snip>
Thanks for any pointers.
I will look to see what I have.
mark
On Wed, 2009-11-04 at 15:26 -0500, Rob Kampen wrote:
m.roth@5-cent.us wrote:
OK, google comes up with what looks like some easy HOWTOs for LDAP
I'll dig in and come back with questions as required
Don't believe it.
The fall of '06, my manager and the other admin and I were discussing what to use for single sign-on. NIS has way too many holes, and no one was wild about NIS+, so, though none of us had dealt with it before, I thought LDAP was the wave o' the future, and offered to implement it. A month or so later, and *lots* of grief and hair tearing (and I ain't got none to spare), I got it in. openLDAP's docs were *way* insufficient, and the tools that come with it are *not* ready for prime time, and user-surly, to say the least.
Mark, I too have experienced this PAIN!!! However I never quite got it done, always seemed real close but not quite. Did you document?? I am now trying the RH / Fedora DS - no problem getting it installed but configuration........ Any pointers to docs that actually work. I have purchased books, read magazines and spent probably 100+ hours only to run out of time and energy. It remains on my 'to do' list. Thanks for any pointers. Rob
---- Skill sets and knowledge for LDAP do not work like they do for most other software, and people who jump around from walk-through to walk-through will just give up frustrated, because every walk-through has different objectives and assumptions. There is no single way to do anything on LDAP, there are a variety of LDAP server options, and implementations for things like user authentication are very tricky.
The easy solution is what people don't want to hear...learn LDAP. Once you get the core concepts down, it becomes easy to start wiring in various things like user authentication either as system users or things like http, or even implementing in your smtp server, etc.
Gerald Carter's book 'LDAP System Administration' is the only book that I found that simplified the understanding of LDAP, how it works, how to use it, etc. This book probably takes 3-4 hours to digest, work through the examples and give you enough core knowledge to make it work for you.
At that point, using OpenLDAP or CentOS-DS or Fedora-DS is more or less a matter of implementation details and utility. None of them are better than the other for most purposes and even things like the consoles in Fedora-DS aren't going to make it any easier for you to use LDAP if you don't understand how it works. In short, there really aren't decent shortcuts to using LDAP if you don't care to actually understand how and why it works.
Craig
Craig White wrote:
At that point, using OpenLDAP or CentOS-DS or Fedora-DS is more or less a matter of implementation details and utility. None of them are better than the other for most purposes and even things like the consoles in Fedora-DS aren't going to make it any easier for you to use LDAP if you don't understand how it works. In short, there really aren't decent shortcuts to using LDAP if you don't care to actually understand how and why it works.
I think the standards bodies have failed us badly on this front. People don't want to understand LDAP any more than they want to understand the bits in a TCP packet header. They just want systems to interoperate.
Craig White wrote:
At that point, using OpenLDAP or CentOS-DS or Fedora-DS is more or less a matter of implementation details and utility. None of them are better than the other for most purposes and even things like the consoles in Fedora-DS aren't going to make it any easier for you to use LDAP if you don't understand how it works. In short, there really aren't decent shortcuts to using LDAP if you don't care to actually understand how and why it works.
I think the standards bodies have failed us badly on this front. People don't want to understand LDAP any more than they want to understand the bits in a TCP packet header. They just want systems to interoperate.
I agree, here. When I'm at work, and tasked with installing something that's new to me, or to all of us, I don't want to have to read a whole book; that's for after it's installed, and so I can tweak it. I expect, if it's released, and esp. if it's > version 1.0.0, to be able to simply install the rpm or tarfile; at most, ./configure, make, make install, and to find tools that will work in a manner that I'd expect from std. *Nix practice.
Even Spacewalk - and y'all know how I feel about *that* - during the install, asks questions, so it can configure (at least partly) itself.
mark
On Wed, 2009-11-04 at 15:25 -0600, Les Mikesell wrote:
Craig White wrote:
At that point, using OpenLDAP or CentOS-DS or Fedora-DS is more or less a matter of implementation details and utility. None of them are better than the other for most purposes and even things like the consoles in Fedora-DS aren't going to make it any easier for you to use LDAP if you don't understand how it works. In short, there really aren't decent shortcuts to using LDAP if you don't care to actually understand how and why it works.
I think the standards bodies have failed us badly on this front. People don't want to understand LDAP any more than they want to understand the bits in a TCP packet header. They just want systems to interoperate.
---- I suppose I don't understand what you are saying. Are you saying that some of the LDAP servers are not compliant with RFCs for LDAP? Which ones? How?
As for people not wanting to understand LDAP, that's their choice and I wish them luck. If you want a pre-configured LDAP that's always the same for every installation, check out Active Directory. It doesn't get any easier to implement LDAP on Active Directory if you don't understand it.
Craig
On Wed, Nov 4, 2009 at 4:44 PM, Craig White craigwhite@azapple.com wrote:
On Wed, 2009-11-04 at 15:25 -0600, Les Mikesell wrote:
Craig White wrote:
At that point, using OpenLDAP or CentOS-DS or Fedora-DS is more or less a matter of implementation details and utility. None of them are better than the other for most purposes and even things like the consoles in Fedora-DS aren't going to make it any easier for you to use LDAP if you don't understand how it works. In short, there really aren't decent shortcuts to using LDAP if you don't care to actually understand how and why it works.
I think the standards bodies have failed us badly on this front. People don't want to understand LDAP any more than they want to understand the bits in a TCP packet header. They just want systems to interoperate.
I suppose I don't understand what you are saying. Are you saying that some of the LDAP servers are not compliant with RFCs for LDAP? Which ones? How?
As for people not wanting to understand LDAP, that's their choice and I wish them luck. If you want a pre-configured LDAP that's always the same for every installation, check out Active Directory. It doesn't get any easier to implement LDAP on Active Directory if you don't understand it.
Craig
In my extremely limited experience with LDAP, it seems that the problem is not "LDAP" itself, but how to structure it. Most howtos walk you through installing whatever software, and then say "OK, now you have LDAP!"
The problem is that LDAP is useless without a structure and data inside of it. You are usually left with a blank canvas after the install is complete. It's a very daunting task to start sticking things in there without any guidance on the best way to structure it, especially since this is supposed to be the be-all, end-all directory of everything, and anything you do wrong now you need to live with for your entire life.
One argument is that everyone has different requirements, but there's got to be some kind of reasonable default that could be used for setting up something like distributed password auth. As you mention, Active Directory does this, and maybe a structure like that is a reasonable default to recommend/include for people who don't need to fully architect a directory structure for a global company.
In my extremely limited experience with LDAP, it seems that the problem is not "LDAP" itself, but how to structure it. Most howtos walk you through installing whatever software, and then say "OK, now you have LDAP!"
Agreed.
The problem is that LDAP is useless without a structure and data inside of it. You are usually left with a blank canvas after the install is complete. It's a very daunting task to start sticking things in there without any guidance on the best way to structure it, especially since this is supposed to be the be-all, end-all directory of everything, and anything you do wrong now you need to live with for your entire life.
Yes, this is a problem if you have a very large organization with LDAP needs that go beyond the simple authentication and phone/email stores. My needs are relatively minor though. I need central authentication for anywhere from 10 to 100 servers and the ability to control logins and monitor logins from one location. Using RedHat/FedoraDS in close to the default configuration works wonderfully for these environments.
One argument is that everyone has different requirements, but there's got to be some kind of reasonable default that could be used for setting up something like distributed password auth. As you mention, Active Directory does this, and maybe a structure like that is a reasonable default to recommend/include for people who don't need to fully architect a directory structure for a global company.
Please do take a look at the RedHat DS offering (now the 389 project). It's *extremely* simple to configure as an authentication server with replication. You can configure the server/replication in under an hour.
On Wed, 2009-11-04 at 17:01 -0500, Brian Mathis wrote:
In my extremely limited experience with LDAP, it seems that the problem is not "LDAP" itself, but how to structure it. Most howtos walk you through installing whatever software, and then say "OK, now you have LDAP!"
The problem is that LDAP is useless without a structure and data inside of it. You are usually left with a blank canvas after the install is complete. It's a very daunting task to start sticking things in there without any guidance on the best way to structure it, especially since this is supposed to be the be-all, end-all directory of everything, and anything you do wrong now you need to live with for your entire life.
One argument is that everyone has different requirements, but there's got to be some kind of reasonable default that could be used for setting up something like distributed password auth. As you mention, Active Directory does this, and maybe a structure like that is a reasonable default to recommend/include for people who don't need to fully architect a directory structure for a global company.
---- The structure is simple if you understand LDAP and horrifically confusing if you don't understand LDAP.
If you use CentOS-DS or Fedora-DS, they are opinionated enough upon initial setup to give you a predefined structure so I am not sure where the problem lies except that you still don't understand LDAP so it is of little use.
From its conception, LDAP was not designed to do user authentication.
It happens to work and it can work well and each office/network has its own requirements. I myself have done things differently most times I have set it up for a company...no big deal except that I had to learn how it worked. It's amazing the amount of justification that people can come up with for not learning how technology works.
Craig
On Wed, Nov 4, 2009 at 5:16 PM, Craig White craigwhite@azapple.com wrote:
On Wed, 2009-11-04 at 17:01 -0500, Brian Mathis wrote:
In my extremely limited experience with LDAP, it seems that the problem is not "LDAP" itself, but how to structure it. Most howtos walk you through installing whatever software, and then say "OK, now you have LDAP!"
The problem is that LDAP is useless without a structure and data inside of it. You are usually left with a blank canvas after the install is complete. It's a very daunting task to start sticking things in there without any guidance on the best way to structure it, especially since this is supposed to be the be-all, end-all directory of everything, and anything you do wrong now you need to live with for your entire life.
One argument is that everyone has different requirements, but there's got to be some kind of reasonable default that could be used for setting up something like distributed password auth. As you mention, Active Directory does this, and maybe a structure like that is a reasonable default to recommend/include for people who don't need to fully architect a directory structure for a global company.
The structure is simple if you understand LDAP and horrifically confusing if you don't understand LDAP.
If you use CentOS-DS or Fedora-DS, they are opinionated enough upon initial setup to give you a predefined structure so I am not sure where the problem lies except that you still don't understand LDAP so it is of little use.
From its conception, LDAP was not designed to do user authentication.
It happens to work and it can work well and each office/network has its own requirements. I myself have done things differently most times I have set it up for a company...no big deal except that I had to learn how it worked. It's amazing the amount of justification that people can come up with for not learning how technology works.
Craig
You're getting dangerously close to saying "Everything you need to know is in the source code", or more succinctly, "RTFM and piss off". No one is saying that people shouldn't understand how LDAP works, but there's a world of difference between understanding how to install LDAP or make a query, and understanding the implications of everything you can do with it.
Understanding LDAP has absolutely nothing to do with how to USE LDAP. Knowing how to USE it is a people/organization problem, not a technical one. You need to adjust your focus to a higher level discussion than what you are having. This is not about the implementation details, it's about the higher-level structure.
Additionally, the fact that you have had to do things in multiple different ways in different offices only proves the point here. Does every application really need a completely custom structure? It might be nice for the billable hours, but my guess is that most of those offices could probably fit within a common schema, or at least a common schema used as a starting point for customization.
P.S. If LDAP was never designed to do user auth, it doesn't matter. Pretty much everyone uses it that way, so get over it.
On Wed, 2009-11-04 at 18:24 -0500, Brian Mathis wrote:
You're getting dangerously close to saying "Everything you need to know is in the source code", or more succinctly, "RTFM and piss off". No one is saying that people shouldn't understand how LDAP works, but there's a world of difference between understanding how to install LDAP or make a query, and understanding the implications of everything you can do with it.
Understanding LDAP has absolutely nothing to do with how to USE LDAP. Knowing how to USE it is a people/organization problem, not a technical one. You need to adjust your focus to a higher level discussion than what you are having. This is not about the implementation details, it's about the higher-level structure.
Additionally, the fact that you have had to do things in multiple different ways in different offices only proves the point here. Does every application really need a completely custom structure? It might be nice for the billable hours, but my guess is that most of those offices could probably fit within a common schema, or at least a common schema used as a starting point for customization.
P.S. If LDAP was never designed to do user auth, it doesn't matter. Pretty much everyone uses it that way, so get over it.
---- I'm not having any problem with LDAP - it works for me. I have nothing to get over.
Fedora-DS and CentOS-DS are configured by default to use a particular setup for Users and Groups. I have used both OpenLDAP and Fedora-DS and they both work fine. If you think that OpenLDAP suffers from a particular lack of 'higher level structure', then you should probably address the authors of the software (good luck).
Kwan Lowe says you can install RedHat-DS (and by inference CentOS-DS) and configure server and replication in under an hour...what's everyone griping about?
Craig
Craig White wrote:
At that point, using OpenLDAP or CentOS-DS or Fedora-DS is more or less a matter of implementation details and utility. None of them are better than the other for most purposes and even things like the consoles in Fedora-DS aren't going to make it any easier for you to use LDAP if you don't understand how it works. In short, there really aren't decent shortcuts to using LDAP if you don't care to actually understand how and why it works.
I think the standards bodies have failed us badly on this front. People don't want to understand LDAP any more than they want to understand the bits in a TCP packet header. They just want systems to interoperate.
I suppose I don't understand what you are saying. Are you saying that some of the LDAP servers are not compliant with RFCs for LDAP? Which ones? How?
No, I'm saying that there should have been standardized schemas eons ago for the things that everyone needs to store and all implementations should interoperate at that level.
As for people not wanting to understand LDAP, that's their choice and I wish them luck. If you want a pre-configured LDAP that's always the same for every installation, check out Active Directory. It doesn't get any easier to implement LDAP on Active Directory if you don't understand it.
Can you ship something pre-configured to work with Active Directory? Why should more than one person have to 'implement' it? If it works in one place, won't the same implementation work elsewhere?
On Wed, 2009-11-04 at 16:15 -0600, Les Mikesell wrote:
Craig White wrote:
At that point, using OpenLDAP or CentOS-DS or Fedora-DS is more or less a matter of implementation details and utility. None of them are better than the other for most purposes and even things like the consoles in Fedora-DS aren't going to make it any easier for you to use LDAP if you don't understand how it works. In short, there really aren't decent shortcuts to using LDAP if you don't care to actually understand how and why it works.
I think the standards bodies have failed us badly on this front. People don't want to understand LDAP any more than they want to understand the bits in a TCP packet header. They just want systems to interoperate.
I suppose I don't understand what you are saying. Are you saying that some of the LDAP servers are not compliant with RFCs for LDAP? Which ones? How?
No, I'm saying that there should have been standardized schemas eons ago for the things that everyone needs to store and all implementations should interoperate at that level.
---- Why? Because Les says so?
LDAP is not one configuration fits all...everyone has their way of doing things from SunDS to Fedora-DS to SuSE/eDirectory to Microsoft. Deal with it.
Your argument ignores the fact that LDAP exists not to provide authentication but to provide directory services. It is entirely possible if not logical to use LDAP and not provide user authentication. ----
As for people not wanting to understand LDAP, that's their choice and I wish them luck. If you want a pre-configured LDAP that's always the same for every installation, check out Active Directory. It doesn't get any easier to implement LDAP on Active Directory if you don't understand it.
Can you ship something pre-configured to work with Active Directory? Why should more than one person have to 'implement' it? If it works in one place, won't the same implementation work elsewhere?
---- system-config-authentication - that's a tool you can use to configure any computer to use AD or LDAP or whatever authentication service you choose. Macintosh has a similar tool for configuration.
It's only a problem for people that don't want to understand LDAP. Always the same arguments from the same people that want to use LDAP and never understand anything about it.
Craig
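Once a box has been pointed at the directory with system-config-authentication (or the authconfig command it wraps), the practical question is whether the change actually took: whether name lookups go to ldap, whether the PAM stack calls pam_ldap, and whether a directory-only account resolves. The checks below are an added example, not from the thread or from any tool named in it; the file paths are the standard CentOS 5 ones and the account name passed on the command line is assumed to exist only in the directory.

```shell
#!/bin/sh
# Added example: confirm a CentOS box really consults LDAP for accounts.
# Standard CentOS 5 paths; both can be overridden for testing.
NSSWITCH="${NSSWITCH:-/etc/nsswitch.conf}"
PAM_AUTH="${PAM_AUTH:-/etc/pam.d/system-auth}"

# Return 0 if each of passwd, shadow and group in the nsswitch file lists
# 'ldap' as a source. A missing 'shadow: ... ldap' is the classic mistake:
# users show up in getent passwd but cannot log in.
nsswitch_uses_ldap() {
  file=${1:-$NSSWITCH}
  for db in passwd shadow group; do
    grep -E "^[[:space:]]*$db:.*[[:space:]]ldap([[:space:]]|$)" "$file" >/dev/null 2>&1 || return 1
  done
  return 0
}

# Return 0 if the PAM stack references pam_ldap for both the auth phase
# (password check) and the account phase (is this login allowed at all).
pam_uses_ldap() {
  file=${1:-$PAM_AUTH}
  grep -E '^[[:space:]]*auth[[:space:]].*pam_ldap\.so' "$file" >/dev/null 2>&1 || return 1
  grep -E '^[[:space:]]*account[[:space:]].*pam_ldap\.so' "$file" >/dev/null 2>&1 || return 1
  return 0
}

# Return 0 if the user resolves through NSS but is absent from the local
# /etc/passwd, i.e. the answer genuinely came from the directory.
directory_user_resolves() {
  user=$1
  getent passwd "$user" >/dev/null 2>&1 || return 1
  if grep -q "^$user:" /etc/passwd; then
    return 1
  fi
  return 0
}

# Print one line per check; exit non-zero if any check failed.
report() {
  status=0
  if nsswitch_uses_ldap; then echo "nsswitch: ok"
  else echo "nsswitch: passwd/shadow/group not all using ldap"; status=1; fi
  if pam_uses_ldap; then echo "pam: ok"
  else echo "pam: pam_ldap missing from auth or account"; status=1; fi
  if [ -n "$1" ]; then
    if directory_user_resolves "$1"; then echo "user $1: resolved from directory"
    else echo "user $1: not resolved, or defined locally"; status=1; fi
  fi
  return $status
}

# Usage: sh check-ldap-client.sh [directory-only-username]
if [ "$#" -ge 1 ]; then
  report "$1"
fi
```

Run it with a username that exists only in the directory; a user that is also in /etc/passwd proves nothing, because files is consulted first and would answer regardless of the ldap source.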
Craig White wrote:
I suppose I don't understand what you are saying. Are you saying that some of the LDAP servers are not compliant with RFCs for LDAP? Which ones? How?
No, I'm saying that there should have been standardized schemas eons ago for the things that everyone needs to store and all implementations should interoperate at that level.
Why? Because Les says so?
Well, if you prefer to wait for Microsoft to dictate a standard...
LDAP is not one configuration fits all...everyone has their way of doing things from SunDS to Fedora-DS to SuSE/eDirectory to Microsoft. Deal with it.
Sure, vendor lock-in exists. But that's why we need standards. It isn't any better for people to make up different stuff in LDAP schemas than it is HTML tags.
Your argument ignores the fact that LDAP exists not to provide authentication but to provide directory services. It is entirely possible if not logical to use LDAP and not provide user authentication.
Sure, and you can make up new stuff in HTML if your goal is to prevent interoperability. And that's been done too.
As for people not wanting to understand LDAP, that's their choice and I wish them luck. If you want a pre-configured LDAP that's always the same for every installation, check out Active Directory. It doesn't get any easier to implement LDAP on Active Directory if you don't understand it.
Can you ship something pre-configured to work with Active Directory? Why should more than one person have to 'implement' it? If it works in one place, won't the same implementation work elsewhere?
system-config-authentication - that's a tool you can use to configure any computer to use AD or LDAP or whatever authentication service you choose. Macintosh has a similar tool for configuration.
I don't want 'whatever' service, I want an interoperable service. If I say LDAP there, where's the matching server?
It's only a problem for people that don't want to understand LDAP. Always the same arguments from the same people that want to use LDAP and never understand anything about it.
If you have to understand it, then it isn't ready to use. XML has the same problem if you want to use it for anything. That's why people use HTML where a standards body took something from being a toolbox with potential and made it useful. I can use HTML between two more or less arbitrary client and programs and have mostly predictable results. Why can't that be the case for LDAP?
Craig White wrote:
On Wed, 2009-11-04 at 15:26 -0500, Rob Kampen wrote:
m.roth@5-cent.us wrote:
OK, google comes up with what looks like some easy HOWTOs for LDAP
I'll dig in and come back with questions as required
Don't believe it.
The fall of '06, my manager and the other admin and I were discussing what to use for single sign-on. NIS has way too many holes, and no one was wild about NIS+, so, though none of us had dealt with it before, I thought LDAP was the wave o' the future, and offered to implement it. A month or so later, and *lots* of grief and hair tearing (and I ain't got none to spare), I got it in. openLDAP's docs were *way* insufficient, and the tools that come with it are *not* ready for prime time, and user-surly, to say the least.
Mark, I too have experienced this PAIN!!! However I never quite got it done, always seemed real close but not quite. Did you document?? I am now trying the RH / Fedora DS - no problem getting it installed but configuration........ Any pointers to docs that actually work. I have purchased books, read magazines and spent probably 100+ hours only to run out of time and energy. It remains on my 'to do' list. Thanks for any pointers. Rob
Skill sets and knowledge for LDAP do not work like they do for most other software, and people who jump around from walk-through to walk-through will just give up frustrated, because every walk-through has different objectives and assumptions. There is no single way to do anything on LDAP, there are a variety of LDAP server options, and implementations for things like user authentication are very tricky.
The easy solution is what people don't want to hear...learn LDAP. Once you get the core concepts down, it becomes easy to start wiring in various things like user authentication either as system users or things like http, or even implementing in your smtp server, etc.
Gerald Carter's book 'LDAP System Administration' is the only book that I found that simplified the understanding of LDAP, how it works, how to use it, etc. This book probably takes 3-4 hours to digest, work through the examples and give you enough core knowledge to make it work for you.
At that point, using OpenLDAP or CentOS-DS or Fedora-DS is more or less a matter of implementation details and utility. None of them are better than the other for most purposes and even things like the consoles in Fedora-DS aren't going to make it any easier for you to use LDAP if you don't understand how it works. In short, there really aren't decent shortcuts to using LDAP if you don't care to actually understand how and why it works.
Craig
Hi Craig, I've got this book, read it twice and believe I understand the LDAP workings - that is the easy bit. In a previous life I used LDAP as an authentication server for some purpose-built Perl and Java client stuff, so I have had some success there. Where it gets impossible is sorting out schemas - which to use where, then how to get them loaded - both as schemas and with data. Then there is the headache of getting it to play nice with PAM, samba, Thunderbird address book etc.
My requirements are these:
- Single source for allowable users / passwords for authentication, and then from this determine authorization
- Single location of all my address and contact information, email addresses, telephone numbers, so that any LDAP-capable client can get access.
That should do for starters. What I've found with all the examples is they work great except one or two steps that just don't, and inevitably the show grinds to a halt. One day soon I'll start afresh and see if I can get it cracked, and yes - I'll do a HowTo - most of those via google are too old. Thanks for your thoughts all. Rob
This is where things go from bad to downright ugly.
On Wed, Nov 04, 2009 at 02:02:37PM -0700, Craig White wrote:
Gerald Carter's book 'LDAP System Administration' is the only book that I found that simplified the understanding of LDAP, how it works, how to use it, etc. This book probably takes 3-4 hours to digest, work through the examples and give you enough core knowledge to make it work for you.
I second the recommendation for this book. It's one of the few resources that, in addition to the above, talks about LDAP as part of an integrated solution, not just a standalone directory service.
--keith
However I never quite got it done, always seemed real close but not quite. Did you document?? I am now trying the RH / Fedora DS - no problem getting it installed but configuration........ Any pointers to docs that actually work. I have purchased books, read magazines and spent probably 100+ hours only to run out of time and energy. It remains on my 'to do' list. Thanks for any pointers.
I've installed Fedora/RedHat DS a bunch of times. The basic configuration is quite painless. These are the docs I use:
https://sites.google.com/site/disciplinux/linux/centralized-authentication
Those worked as of CentOS 5.3, which was the last time I did it from scratch.
For the OP, it might not be exactly sufficient since there was a requirement for minute by minute login allow/disallow, but I would not want to administer more than a handful of nodes without LDAP.
Rob Kampen wrote:
m.roth@5-cent.us wrote:
OK, google comes up with what looks like some easy HOWTOs for LDAP
I'll dig in and come back with questions as required
Don't believe it.
<snip>
spare), I got it in. openLDAP's docs were *way* insufficient, and the tools that come with it are *not* ready for prime time, and user-surly, to say the least.
It works, though.
Mark, I too have experienced this PAIN!!! However I never quite got it done, always seemed real close but not quite. Did you document?? I am now trying the RH / Fedora DS - no problem getting it installed but configuration........ Any pointers to docs that actually work. I have purchased books, read magazines and spent probably 100+ hours only to run out of time and energy. It remains on my 'to do' list. Thanks for any pointers. Rob
I can't find any post about it. I do know that I was using both command line tools - I finally wrote a one-line script to use with ldapadd, it was such a pain - and I also used webmin, which did integrate well, and I could use it to test whether LDAP was working and configured correctly.
Sorry I don't have more.
mark
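In the spirit of the "one-line script to use with ldapadd" mentioned above, here is an added example of what such a helper can look like. It is not code from the thread or from any project discussed in it; the base DN dc=example,dc=com, the ou=People container, the cn=Manager rootdn, the colon-separated input format and the sample users are all constructed placeholders for your own directory. It builds RFC 2307 posixAccount entries as LDIF, refuses records that would land in the system uid/gid range, and leaves password setting to ldappasswd so no cleartext secret passes through the script.

```shell
#!/bin/sh
# Added example (not from the thread): generate RFC 2307 posixAccount
# entries as LDIF and feed them to ldapadd. The base DN, OU, rootdn and
# sample records below are constructed placeholders; edit for your site.
BASE_DN="dc=example,dc=com"
PEOPLE_OU="ou=People,$BASE_DN"
LDAP_URI="ldap://localhost"          # placeholder server
BIND_DN="cn=Manager,$BASE_DN"        # placeholder rootdn

# Constructed sample records: "login:uidNumber:gidNumber:Full Name".
# The second one is deliberately malformed (non-numeric uidNumber).
SAMPLE_USERS='alice:10001:10000:Alice Example
bob:abc:10000:Bob Builder
carol:10002:10000:Carol Ann Smith'

# Sanity-check one record before it becomes a directory entry: the login
# must be a plain lowercase name, and uid/gid must be numeric and outside
# the system range, so a typo cannot shadow root or a system account.
valid_user_line() {
    login="$1"; uidn="$2"; gidn="$3"
    case "$login" in
        ''|*[!a-z0-9_-]*) return 1 ;;
    esac
    for n in "$uidn" "$gidn"; do
        case "$n" in ''|*[!0-9]*) return 1 ;; esac
    done
    [ "$uidn" -ge 1000 ] && [ "$gidn" -ge 1000 ]
}

# Print one LDIF entry for a posixAccount/shadowAccount user. No
# userPassword is written here; set it afterwards with ldappasswd so
# that only a hashed value ever lands in the directory.
# usage: make_user_ldif <login> <uidNumber> <gidNumber> "<full name>"
make_user_ldif() {
    login="$1"; uidn="$2"; gidn="$3"; gecos="$4"
    cat <<EOF
dn: uid=$login,$PEOPLE_OU
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
uid: $login
cn: $gecos
sn: ${gecos##* }
uidNumber: $uidn
gidNumber: $gidn
homeDirectory: /home/$login
loginShell: /bin/bash
gecos: $gecos

EOF
}

# Read records on stdin and emit LDIF for the valid ones; invalid
# records are reported on stderr and skipped rather than half-added.
csv_to_ldif() {
    while IFS=: read -r login uidn gidn gecos; do
        [ -z "$login" ] && continue
        if ! valid_user_line "$login" "$uidn" "$gidn"; then
            printf 'skipping invalid record: %s\n' "$login" >&2
            continue
        fi
        make_user_ldif "$login" "$uidn" "$gidn" "$gecos"
    done
    return 0
}

# Push the generated entries into the directory. Needs a reachable
# server; -W prompts for the rootdn password instead of taking it on
# the command line where it would show up in the process list.
# usage: ldap_add_users < users.txt
ldap_add_users() {
    csv_to_ldif | ldapadd -x -H "$LDAP_URI" -D "$BIND_DN" -W
}
```

Running `printf '%s\n' "$SAMPLE_USERS" | csv_to_ldif` prints two entries and a warning for the malformed one; `ldap_add_users < users.txt` does the same and hands the result to ldapadd. The blank line after each entry is what lets ldapadd take several entries from one stream.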
I too have experienced this PAIN!!! However I never quite got it done, always seemed real close but not quite. Did you document??
This is sadly a pretty major area where open source falls down way, way too often. I'd far sooner go with the 2nd best solution that has really good documentation, than the best solution with terrible docs. Heck, I'd even go for the 3rd or 4th best if all the ones above it had terrible docs.
The only thing that can make up for terrible docs is a good support list.
And yes, I document everything very well! My motto is "If you aren't spending 5% to 10% of your time documenting what you do, then neither you nor your manager are doing their job"
On Wed, Nov 4, 2009 at 8:54 PM, Alan McKay alan.mckay@gmail.com wrote: [snip]
And yes, I document everything very well! My motto is "If you aren't spending 5% to 10% of your time documenting what you do, then neither you nor your manager are doing their job"
These are words to live and die by :D
I also agree that good documentation is extremely valuable; however, I would go one further and say that when building a system, good documentation is only part of the battle.
I hate to inject any PHBisms on this hallowed list, but I think one aspect of Six Sigma methodology is actually germane to CentOS/RedHat. In particular, kickstart installation helps to reduce and even eliminate variation in the server buildout process.
The problem with relying on documentation, even great documentation, is that it puts the responsibility on the admin to follow. Now we all know of the bad admins that can't follow directions, but in my experience, the culprit is often the good admin who knows another way to do something or has done it so often that he/she skips a critical but simple step or just is so busy that things get missed. So given a choice between great documentation and a good kickstart file, I'd generally prefer the kickstart. In fact, given 100 builds, I would prefer if they are all wrong in the identical way than have a perfect build document that builds a perfect server but varies from instance to instance.
On Wed, Nov 4, 2009 at 9:07 PM, Kwan Lowe kwan.lowe@gmail.com wrote: [...]
The problem with relying on documentation, even great documentation, is that it puts the responsibility on the admin to follow. Now we all know of the bad admins that can't follow directions, but in my experience, the culprit is often the good admin who knows another way to do something or has done it so often that he/she skips a critical but simple step or just is so busy that things get missed. So given a choice between great documentation and a good kickstart file, I'd generally prefer the kickstart. In fact, given 100 builds, I would prefer if they are all wrong in the identical way than have a perfect build document that builds a perfect server but varies from instance to instance.
In my experience it's the admins who think they are so good that they don't follow (or write) documents at all. Those are the ones who get in more trouble. The ones who have and follow documentation get a much higher success rate.
Most of the time it's a choice between docs or no docs. Once you have them, getting someone to follow them is the easier job. (However, there is great variation in quality of documentation, and that can lead to the problem you describe, such as when the process is defined in loose terms instead of exact keystrokes)
Once you have the docs, then you can build the kickstart file. They get you 80% of the way there.
m.roth@5-cent.us wrote:
OK, google comes up with what looks like some easy HOWTOs for LDAP
I'll dig in and come back with questions as required
Don't believe it.
The fall of '06, my manager and the other admin and I were discussing what to use for single sign-on. NIS has way too many holes, and no one was wild about NIS+, so, though none of us had dealt with it before, I though LDAP was the wave o' the future, and offered to implement it. A month or so later, and *lots* of grief and hair tearing (and I ain't got none to spare), I got it in. openLDAP's docs were *way* insufficient, and the tools that come with it are *not* ready for prime time, and user-surly, to say the least.
It works, though.
Is the recently packaged IPA server a better starting point?
http://lists.centos.org/pipermail/centos/2009-October/083023.html
m.roth@5-cent.us wrote:
OK, google comes up with what looks like some easy HOWTOs for LDAP
I'll dig in and come back with questions as required
Don't believe it.
The fall of '06, my manager and the other admin and I were discussing what to use for single sign-on. NIS has way too many holes, and no one was wild about NIS+, so, though none of us had dealt with it before, I though LDAP was the wave o' the future, and offered to implement it. A month or so later, and *lots* of grief and hair tearing (and I ain't got none to spare), I got it in. openLDAP's docs were *way* insufficient, and the tools that come with it are *not* ready for prime time, and user-surly, to say the least.
It works, though.
Is the recently packaged IPA server a better starting point?
http://lists.centos.org/pipermail/centos/2009-October/083023.html
Don't know - I rolled off that job over a year ago, and haven't had to set it up since. The last thing I did, a few months before leaving, was to upgrade from 2.2 to 2.3, to add policy, for password aging and so that users could change their own password.
mark
m.roth@5-cent.us wrote:
Don't believe it.
I concur!
spare), I got it in. openLDAP's docs were *way* insufficient, and the tools that come with it are *not* ready for prime time, and user-surly, to say the least.
Imagine what it was like even earlier, I vaguely recall the days/nights back in ~2001 I think it was setting up LDAP to do authentication, mail routing, and I used samba-tng as well.. even wrote a HOWTO that I haven't really touched since 2003.
http://howto.aphroland.org/HOWTO/LDAP
Ever since I have actively worked to get LDAP out of my systems. Don't need single sign on, don't care. Haven't used that particular piece of wiki software either since, the data is trapped in a zope database.
The previous admin at my current company deployed LDAP, fairly poorly implemented. So I've been working to remove it as a requirement slowly but surely, only a couple dozen systems left that rely on it, authentication reliability has gone way up since we stopped relying on it. I'm sure a robust LDAP infrastructure can be built, but for our needs at least it is way overkill and makes my brain hurt, rather do more fun things. I suppose you could say I have the LDAP 1000-yard stare.
nate
m.roth@5-cent.us wrote:
Don't believe it.
I concur!
spare), I got it in. openLDAP's docs were *way* insufficient, and the tools that come with it are *not* ready for prime time, and user-surly, to say the least.
Imagine what it was like even earlier, I vaguely recall the days/nights back in ~2001 I think it was setting up LDAP to do authentication, mail routing, and I used samba-tng as well.. even wrote a HOWTO that I haven't really touched since 2003.
<snip> Y'know, there's a vague memory in my head, that I may have come across that HOWTO, with all the googling I did, and it helped. If so, THANKS!
mark
Ever since I have actively worked to get LDAP out of my systems. Don't need single sign on, don't care. Haven't used that particular piece of wiki software either since, the data is trapped in a zope database.
OK, I definitely do NOT need single-sign-on, even if it would be cool.
I just need centralised account and password management, which is not at all the same thing
Alan McKay wrote:
Ever since I have actively worked to get LDAP out of my systems. Don't need single sign on, don't care. Haven't used that particular piece of wiki software either since, the data is trapped in a zope database.
OK, I definitely do NOT need single-sign-on, even if it would be cool.
I just need centralised account and password management, which is not at all the same thing
Yep, LDAP will do that - that's what I installed it for.
mark
Alan McKay wrote:
Hey folks,
What is the best way to manage users across multiple CentOS boxes?
Ideally what I'd like to be able to do is have central control over who has access to which box from a minute-to-minute basis. e.g. User X needs access to Box A for 30 minutes - clickity, clickity and they have access for that long after which their access is automatically turned off.
thanks, -Alan
Has anyone tried GOSA?
On Thu, 2009-11-05 at 11:58 +0800, Christopher Chan wrote:
Alan McKay wrote:
Hey folks,
What is the best way to manage users across multiple CentOS boxes?
Ideally what I'd like to be able to do is have central control over who has access to which box from a minute-to-minute basis. e.g. User X needs access to Box A for 30 minutes - clickity, clickity and they have access for that long after which their access is automatically turned off.
thanks, -Alan
Has anyone tried GOSA?
---- actually yes, just the other day.
It's highly opinionated and not for half-hearted attempts. It probably is a good project but goes way beyond what I was looking for so I gave up.
It requires PHP 5.2 or higher so I ended up installing the php packages from dev.centos.org so I could make it work.
I'm sort of happy with Webmin's LDAP User and Groups and I look at other LDAP user/group management software with interest. I will just say GOsa is not for me but probably is a useful software package for some.
My problem is not really User and Group management but rather trying to find a 'user' package that can import maybe CSV files for a bulk import for Address Books. I have been using Horde/Turba (www.horde.org) for this but it's not easy for casual users so I end up having to do that for users/companies. After that, Turba is good enough for them to maintain address book entries because the typical Address Book client (Thunderbird, Outlook, Apple Address Book, etc.) is read only and cannot be used to maintain an LDAP Address Book. Strangely enough, the only useful address book client application that I have found that is reasonably useful for this is KAddressBook (KABC).
Craig
On Thu, 5 Nov 2009, Christopher Chan wrote:
Has anyone tried GOSA?
I have a local packaging, but it is invasive in that it wants a later php version. One also ends up writing connectors for LDIF's for the Red Hat derived way of admining. Good stuff, though.
-- Russ herrold