[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Authentication/Authorization Recommendations



With all due respect, if I were running an otherwise all-Windows shop, and wanted a directory-based AuthN/AuthZ environment, I'd just use Active Directory. I mean why add management of Linux and Samba and OpenLDAP and all that stuff on top of the Windows admin workload, and have to deal with all the minor (and sometime not-so-minor) issues you'll have trying to make that work with MS. And if it doesn't work you'll get no help from Microsoft.

Don't get me wrong, I like open source software and all, and if you want to provide an LDAP directory service in a heterogeneous environment, then what you're describing makes a lot more sense to me, but it does not sound like that is what you're dealing with.

Also I'd get rid of the Win98.

Just my $0.02.

Allan

On Thursday, October 23, 2003, at 08:38 AM, Jason.McGlamary@Medstar.net wrote:





Hello All,
First, I want to say that I understand I am probably asking for a lot
in this message, so I apologize if it irritates anyone. However, I'd
really appreciate anyone who is willing to bear with me and offer some
advice on the type of OpenLDAP configuration that would best suit my needs.
I've read through all the list posts for the past several months, have
checked the archives and the documentation. I've been experimenting with
the application with mostly successful results. The part that still evades
me is determining the best authentication and authorization mechanisms to
use for my project. With that in mind, the following are details on my
project.


I have 2 file and DB servers installed with RH9 (1 is to provide
redundancy). I do not want to trust the company NT PDC for authentication
to my servers, and would rather handle all authentication/authorization for
our servers myself (mainly limited to a single division of the company).
The environment for the whole house is Windows based (mostly Win98), so
I'll need to be running Samba for the file sharing aspect. Security from
the outside world will be provided by the company firewall, but I believe
I'd still prefer to secure all communications (no plaintext; passwords or
otherwise). I want OpenLDAP to provide authentication to my servers as
well as manage groups for authorization to shares. I'd like users to be
able to manage their own passwords (securely), and all authorization
handled by LDAP.


In short, my basic need is to determine how to best configure
openldap for best security while maintaining easy account management for my
users. I do not really want to make my own PDC though as most docs dealing
w/ Openldap and Samba together seem to lean towards. The main area that's
been boggling me thus far is the function of SASL, and how to choose a
mechanism to use.


Looking back at this message, it seems to me there is probably a lot
of area for confusion in my request. If anyone out there is willing to
offer me a clue, I'd be more than happy to expand further as much as you
require. Thanks for the patience. LDAP very newbie.


Hoping for a clue,
Jason McGlamary

Application Specialist
Division of Nursing - Nursing Informatics
Co-Chair WHC/NRH/IS Focus Forum
Washington Hospital Center
email: Jason.McGlamary@Medstar.net