www-infrastructure-dev mailing list archives

From Graham Leggett <minf...@sharp.fm>
Subject Re: ASF LDAP Project - Update
Date Fri, 09 Jan 2009 22:11:37 GMT
Tony Stevenson wrote:

> In the meantime I am going to try (time and free cycles permitting) to 
> discover some good working configurations for httpd/svn and shell 
> access.

The httpd/svn is a pretty straightforward installation of 
mod_authnz_ldap; I can put together a config for you once we are more 
certain as to the connection parameters (SSL? TLS? etc.).

The tricky part in my experience is the shell access.

Configured correctly, shell access is pretty straightforward - you 
configure pam and nss to do lookups against LDAP, and if not found, 
against files.

In practice however, it is surprisingly easy to accidentally configure 
pam and nss incorrectly against LDAP, and in turn with an incorrect 
fallback as well. The impact when this happens is that you are locked 
out of your root account - and if you're on a physical server instead of 
a virtual server, that could mean a drive of shame to the datacentre.

To insure against such problems while trying it out, I would suggest 
that you first set up ssh to allow you in directly as root via public 
key SSH, so that you have a way into root without a password (which 
could potentially be broken) or a normal user + su (which could also 
potentially be broken). Then, as a second measure, try it out on a 
virtual server that can be externally kicked if it goes completely pear 

Once you get it to work, test your config thoroughly to make sure your 
fallback works properly: kill the LDAP server, and ensure you can still 
get to the root account, or an /etc/passwd based system account, despite 
the LDAP server being off the air.

In my experience, once you have configured it correctly, you can forget 
about the config, it "just works". I have such an LDAP backed system 
that has given no trouble for the good five years or so since it was 
first set up, despite the initial setup being difficult.
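As an added illustration (not part of Graham's message or of any ASF configuration), the Python below simulates glibc's nsswitch.conf lookup walk for the passwd database so the recommended "kill the LDAP server and check root still resolves" test can be reasoned about before touching a live box. The nsswitch.conf fragments are constructed samples, and negated actions such as `[!NOTFOUND=return]` are not modelled.

```python
import re

# Constructed nsswitch.conf fragments: two broken fallbacks, and the
# "LDAP first, then local files" layout the message describes.
NSSWITCH_NO_FALLBACK = "passwd: ldap\ngroup:  ldap\nshadow: ldap\n"
NSSWITCH_BAD_ACTION = "passwd: ldap [NOTFOUND=return] files\n"
NSSWITCH_OK = "passwd: ldap files\ngroup:  ldap files\nshadow: ldap files\n"

# glibc defaults: only a successful lookup stops the walk.
DEFAULT_ACTIONS = {"success": "return", "notfound": "continue",
                   "unavail": "continue", "tryagain": "continue"}

def parse_nsswitch(text):
    """Return {database: [(source, {status: action}), ...]}."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, rest = line.split(":", 1)
        entries = []
        for tok in re.findall(r"\[[^\]]*\]|\S+", rest):
            if tok.startswith("["):
                # An action block applies to the source just before it,
                # e.g. "ldap [NOTFOUND=return]". Negation ("!") is ignored.
                for status, action in re.findall(r"(\w+)=(\w+)", tok.lower()):
                    if entries:
                        entries[-1][1][status] = action
            else:
                entries.append((tok.lower(), {}))
        dbs[db.strip().lower()] = entries
    return dbs

def resolve(entries, reachable, present):
    """Walk one database line. reachable: sources that answer at all;
    present: sources holding the entry. Returns the answering source or None."""
    for source, actions in entries:
        if source not in reachable:
            status = "unavail"          # LDAP server off the air
        elif source in present:
            return source               # success ends the lookup
        else:
            status = "notfound"         # server up, entry not there
        if actions.get(status, DEFAULT_ACTIONS[status]) == "return":
            return None                 # fallback never consulted
    return None

def root_survives_ldap_outage(text):
    """The test from the message: with LDAP down, or root absent from LDAP,
    does the passwd lookup still reach /etc/passwd (the 'files' source)?"""
    entries = parse_nsswitch(text).get("passwd", [])
    ldap_down = resolve(entries, reachable={"files"}, present={"files"})
    not_in_ldap = resolve(entries, reachable={"files", "ldap"}, present={"files"})
    return ldap_down == "files" and not_in_ldap == "files"
```

On a real host the same check is `getent passwd root` with the LDAP server stopped; the simulation only tells you which layouts are worth trying.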