[Infrastructures] user management (mixing afs,ldap,kerberos)

Sean Kelly smkelly@rooster.creighton.edu
Thu, 10 Mar 2005 05:28:10 -0600


On Thu, Mar 10, 2005 at 01:19:48AM -0800, Steve Traugott wrote:
> This is sort of a followup to another thread we just had, and to
> something Joel and I wrote in the 1998 "bootstrapping" paper...  At that
> time, "Coda looked promising".  I no longer think so, and haven't for a
> long time, since the Coda maintainers haven't decided to make it a truly
> production-quality filesystem.  So that leaves us with AFS, but since
> OpenAFS arrived things have changed -- it's evolving finally, and has
> already gotten rid of silly features like the 2G size limit.  That alone
> was enough to convince me to have another go at it.

I've looked at Coda in the past as well, but as you say it appears to be
dead in the water mostly. AFS looks very promising, and several
organizations seem to be using it. I plan to eventually get around to
querying them about advice they may have in regard to it and see if I get a
decent answer.

...
> I am looking for reading material in this area, so if you have anything to
> suggest please let me know. I recently got a book titled:
>      Managing AFS by Richard Campbell
...

I also have _Kerberos: The Definitive Guide_ by Jason Garman on order. It
seems to have gotten decent reviews and was covered in a recent Slashdot
book review article (thus delaying my Amazon order).

...
> > However, I'm in the market for a book that shows how to combine
> > LDAP/NIS/Hesiod, Krb5, and AFS seamlessly.
> 
> I'm using krb5 and openldap.  I found what I needed to know by saying
> something like "openafs kerberos ldap howto" to Google.  It turned out
> to be not as painful as I thought.  You just need to script user
> creation/deletion to keep the two synced -- but you're going to want to
> script that anyway, since you're going to want to also manage home
> directory volumes in that same script.  

My biggest stumbling block is determining the best way to integrate this
all into an existing Microsoft Active Directory framework. The University
has a deployed Microsoft AD, and so it would be silly to not use it. I've
managed to get some LDAP and Krb5 going against it, but my experimentation is
just beginning on that front. I believe it might boil down to adding
Services for Unix to it to extend the schema.

Has anybody got any experience in this area? Can you replicate AD into an
OpenLDAP, or do you just work directly against AD? Do you put your system
users (http, oracle, etc) in AD or have some sort of hierarchy approach
where AD feeds OpenLDAP and only OpenLDAP knows about those things?

Insight on this would be great.

> Another possibility might be the Heimdal Kerberos server, since it can
> use LDAP as its backend, I think.  I forget what turned me away from
> that though.

FreeBSD uses Heimdal by default. It supports AFS tokens and LDAP. I've not
worked with MIT's Kerberos implementation.

-- 
Sean M. Kelly
Assistant Unix Administrator/Programmer
Division of Information Technology
Creighton University
(402) 280-2264
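The "script user creation/deletion to keep the two synced" approach from the quoted reply, written out as an added example (not code from this thread or any of the posters): one provisioning script that creates and tears down a user in Kerberos, LDAP and AFS in a fixed order, so an account never ends up existing in one system but not the others. The realm, cell, base DN, fileserver, partition and MIT kadmin syntax are assumptions; DRY_RUN=1 prints each command instead of running it.

```shell
#!/bin/sh
# Added example (not from the thread): one script that creates and deletes a user
# in Kerberos, LDAP and AFS together, so the three never drift apart.
# Assumed site values: realm EXAMPLE.EDU, cell example.edu, base DN
# dc=example,dc=edu, fileserver afs1 with partition /vicepa, MIT kadmin syntax.
# DRY_RUN=1 (the default here) prints each command instead of running it.
REALM=${REALM:-EXAMPLE.EDU}; CELL=${CELL:-example.edu}
BASE_DN=${BASE_DN:-dc=example,dc=edu}
AFS_SERVER=${AFS_SERVER:-afs1}; AFS_PART=${AFS_PART:-/vicepa}
DRY_RUN=${DRY_RUN:-1}
HOME_RW="/afs/.$CELL/home"   # read-write path; the read-only replica is released at the end

run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# Same name rules for all three systems, and short enough for AFS's 22-char volume name.
valid_user() { printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,15}$'; }

user_ldif() {   # posixAccount entry for $1 with uidNumber $2 and gidNumber $3
    printf 'dn: uid=%s,ou=People,%s\nobjectClass: inetOrgPerson\nobjectClass: posixAccount\n' "$1" "$BASE_DN"
    printf 'uid: %s\ncn: %s\nsn: %s\nuidNumber: %s\ngidNumber: %s\n' "$1" "$1" "$1" "$2" "$3"
    printf 'homeDirectory: /afs/%s/home/%s\nloginShell: /bin/sh\n' "$CELL" "$1"
}

create_user() {   # $1=user $2=uid $3=gid; identity first, then storage that refers to it
    valid_user "$1" || { echo "refusing bad username: $1" >&2; return 1; }
    run kadmin -q "add_principal -randkey $1@$REALM"     # unusable until an admin sets a password
    user_ldif "$1" "$2" "$3" | run ldapadd -x -D "cn=admin,$BASE_DN" -W
    run pts createuser -name "$1" -id "$2"                # AFS id kept equal to uidNumber
    run vos create -server "$AFS_SERVER" -partition "$AFS_PART" -name "user.$1" -maxquota 1000000
    run fs mkmount -dir "$HOME_RW/$1" -vol "user.$1"
    run fs setacl -dir "$HOME_RW/$1" -acl "$1" all system:administrators all system:anyuser none
    run vos release home
}

delete_user() {   # $1=user; revoke the credential first, then remove everything it could reach
    valid_user "$1" || return 1
    run kadmin -q "delete_principal -force $1@$REALM"
    run ldapdelete -x -D "cn=admin,$BASE_DN" -W "uid=$1,ou=People,$BASE_DN"
    run fs rmmount -dir "$HOME_RW/$1"
    run vos remove -server "$AFS_SERVER" -partition "$AFS_PART" -id "user.$1"
    run pts delete -nameorid "$1"
    run vos release home
}

case "${1:-}" in   # e.g. DRY_RUN=0 ./provision.sh create alice 10001 100
    create) shift; create_user "$@" ;;
    delete) shift; delete_user "$@" ;;
esac
```

Run it first with the default DRY_RUN=1 and read the printed command sequence; the deletion path deliberately removes the Kerberos principal before anything else so the account cannot authenticate while its LDAP entry and AFS volume are still being torn down.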