[Infrastructures] user management (mixing afs,ldap,kerberos)

Jose Gonzalez Gomez <jgonzalez.openinput@gmail.com>
Mon, 14 Mar 2005 14:07:08 +0100


On Thu, 10 Mar 2005 01:19:48 -0800, Steve Traugott
<stevegt@terraluna.org> wrote:
> On Wed, Mar 09, 2005 at 11:06:43AM -0600, Sean Kelly wrote:
> > On Wed, Mar 09, 2005 at 01:22:49PM +0100, Rudy Gevaert wrote:
> > > A better option is AFS.  And I'm now trying to get that to work.  But
> > > for AFS you need Kerberos.  And if I'm correct you still need
> > > something like NIS or LDAP (let us use LDAP).  How can you now easily
> > > manage Kerberos and LDAP?  For each LDAP user you need a Kerberos
> > > principal, right?
> >
> 
> I'm using krb5 and openldap.  I found what I needed to know by saying
> something like "openafs kerberos ldap howto" to Google.  It turned out
> to be not as painful as I thought.  You just need to script user
> creation/deletion to keep the two synced -- but you're going to want to
> script that anyway, since you're going to want to also manage home
> directory volumes in that same script.
> 
> Another possibility might be the Heimdal Kerberos server, since it can
> use LDAP as its backend, I think.  I forget what turned me away from
> that though.

I'm using the Heimdal/OpenLDAP combination, and they work great. With
Heimdal you may have all your Kerberos information stored in the LDAP
directory, so you don't have that user synchronization nightmare. Just
add LDAP to the nss configuration, and you may have a centralized
authentication and authorization server with all the information
stored in a single place.

Best regards
Jose
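Both approaches in the thread end up at the same place: a single script that creates the LDAP account and the Kerberos principal together (Steve's "script user creation/deletion" with krb5/OpenLDAP, or Jose's Heimdal-in-LDAP setup where kadmin writes into the same directory). The following is an added example, not code from either poster. It assumes a Heimdal KDC with the LDAP backend, an OpenLDAP server reachable over ldapi:///, and made-up values for BASE_DN, REALM and HOME_ROOT; it generates the LDIF and the kadmin command line, and only runs them when asked to. The security-relevant part is the validation: the login name is copied into a DN, a principal, an AFS path and an argv, so it is restricted to a plain POSIX name, and every other LDIF value is base64-encoded when it is not an LDIF "safe string", so a stray newline in a gecos field cannot smuggle extra attributes into the entry.

```python
import base64
import re
import subprocess

# All values below are assumptions for this example (not from the thread):
# adjust BASE_DN, REALM and HOME_ROOT to the local directory and AFS cell.
BASE_DN = "ou=People,dc=example,dc=com"
REALM = "EXAMPLE.COM"
HOME_ROOT = "/afs/example.com/user"
FIRST_UID = 10000
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_-]{0,31}$")
# LDIF "safe string" (RFC 2849): printable ASCII, first char not space, ':' or '<'.
SAFE_LDIF_RE = re.compile(r"^[\x21-\x39\x3b\x3d-\x7e][\x20-\x7e]*$")


def validate_username(name: str) -> bool:
    """Accept only a plain POSIX-style login name. The name is reused in a DN,
    a Kerberos principal, an AFS home path and a command line, so it is the one
    field that must never carry metacharacters."""
    return bool(USERNAME_RE.fullmatch(name))


def ldif_line(attr: str, value: str) -> str:
    """One LDIF attribute line; values that are not safe strings (leading space
    or colon, non-ASCII, embedded newlines) are base64-encoded with '::' so they
    cannot inject additional lines into the entry."""
    if SAFE_LDIF_RE.fullmatch(value):
        return f"{attr}: {value}"
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{attr}:: {encoded}"


def next_uid_number(existing_uids) -> int:
    """Next free uidNumber above everything already allocated in our range."""
    used = [u for u in existing_uids if u >= FIRST_UID]
    return max(used) + 1 if used else FIRST_UID


def user_ldif(name: str, uid_number: int, gid_number: int, gecos: str) -> str:
    """posixAccount entry for nss_ldap. With Heimdal's LDAP backend the Kerberos
    attributes live in the same directory, so this is the only user record."""
    if not validate_username(name):
        raise ValueError(f"invalid username: {name!r}")
    lines = [
        ldif_line("dn", f"uid={name},{BASE_DN}"),
        "objectClass: top",
        "objectClass: account",
        "objectClass: posixAccount",
        ldif_line("uid", name),
        ldif_line("cn", name),
        ldif_line("gecos", gecos),
        f"uidNumber: {uid_number}",
        f"gidNumber: {gid_number}",
        ldif_line("homeDirectory", f"{HOME_ROOT}/{name}"),
        "loginShell: /bin/bash",
    ]
    return "\n".join(lines) + "\n"


def kadmin_add_argv(name: str) -> list:
    """Heimdal local-mode kadmin call that creates the principal. With
    'dbname = ldap:...' in kdc.conf the principal is stored in the directory.
    --use-defaults skips the attribute prompts; kadmin still prompts for the
    password interactively, so it never appears in argv or 'ps' output."""
    if not validate_username(name):
        raise ValueError(f"invalid username: {name!r}")
    return ["kadmin", "-l", "add", "--use-defaults", f"{name}@{REALM}"]


def kadmin_delete_argv(name: str) -> list:
    """Matching deletion step, so removal stays in the same script as creation."""
    if not validate_username(name):
        raise ValueError(f"invalid username: {name!r}")
    return ["kadmin", "-l", "delete", f"{name}@{REALM}"]


def provision(name: str, gecos: str, existing_uids, gid_number: int = 100,
              apply: bool = False) -> dict:
    """Plan (and, with apply=True, execute) the steps that create one user.
    Returns the plan so it can be reviewed or tested before anything runs.
    The AFS home volume creation mentioned in the thread would be a third
    step here; it is left out of this example."""
    uid_number = next_uid_number(existing_uids)
    ldif = user_ldif(name, uid_number, gid_number, gecos)
    argv = kadmin_add_argv(name)
    if apply:
        # ldapadd reads the entry from stdin; SASL EXTERNAL over ldapi:// assumes
        # slapd maps the calling user's identity to a DN with write access.
        subprocess.run(["ldapadd", "-Q", "-Y", "EXTERNAL", "-H", "ldapi:///"],
                       input=ldif.encode("utf-8"), check=True)
        subprocess.run(argv, check=True)
    return {"uidNumber": uid_number, "ldif": ldif, "kadmin": argv}


if __name__ == "__main__":
    # Dry run with constructed input: print the plan instead of applying it.
    plan = provision("alice", "Alice Example", existing_uids=[10000, 10001])
    print(plan["ldif"])
    print(" ".join(plan["kadmin"]))
```

Run it as-is to see the generated entry and command; pass `apply=True` only from a host that is already an LDAP writer and a Heimdal KDC. The `existing_uids` list stands in for a directory search over `uidNumber`; in a real deployment that lookup should happen right before the add, under the same lock, so two runs cannot hand out the same number.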