On 22/07/16 09:45, Lars Behrens wrote:
> On 22.07.2016 at 01:11, David Sommerseth wrote:
>
>> Have a look at authconfig and sssd. The former should help configure
>> all these things for you, including proper PAM setup as well as LDAP and
>> Kerberos. For SSSD it is in particular helpful on laptops, where
>> authentication data can be cached locally to be capable of offline
>> authentication as well as caching enough information to automatically
>> fetch a Kerberos ticket once the network access has been established.
>
> I already had been using authconfig for sssd setup. Authentication (via
> AD/ldap) and caching works well. I only need per user mounting of their
> AD-directories and hadn't found a hint in the authconfig man page.
>
>> And SSSD does have some support for handling the autofs/automount stuff too.
>
> Ok, that seems the way to go. Through your tip I now found that there is
> an autofs/automount via "ldap_autofs_*" in sssd. Let's see if I get this
> set up.
>
>> Otherwise, do have a look at the FreeIPA stuff too. There's a lot of
>> good things in that package, which also doesn't require much resources
>> on the server side. For clients, it gets even easier. You just need to
>> install the proper IPA packages and run ipa-server-install or
>> ipa-client-install, that's mostly all you need. FreeIPA also makes use
>> of SSSD and authconfig under the hood.
>
> Yeah, looks like a good thing, but afaics I would have to set up a server
> for that. I think at first I have to get comfy with the basics in the
> "red hatted" world (I am coming from a Debian and SUSE background).
>
> Thank you for your hints!
As you seem to also use AD, you might be pleased to know that it is
possible to integrate AD and FreeIPA. IIRC, one of the new features in
EL7.2 was also "one way trust" in addition to the "full trust" available
in earlier versions of FreeIPA.
This means that AD users get access to machines enrolled in IPA,
according to the configured policies.
And the automount/autofs stuff is also very easily configured in IPA too.
A final note on setting up FreeIPA on SL7:
* server side
yum install ipa-server
ipa-server-install # see --help for several useful options
# wait for install script to complete
# done
Now you can log into the web admin UI by accessing the server's host name
from a browser.
* client side
yum install ipa-client
ipa-client-install
# wait for install script to complete
# done
I'll admit that I have never installed and configured IPA together with
AD, but the demos I have seen at several conferences have not been
really scary. If you set up IPA to use external DNS servers, you might
need to add a few entries there, but it might also be that the AD
integration does a lot of it for you too.
You may very well also install the IPA server on an existing server, if that
would work with your sys-admin policies. The IPA server does not
require many resources at all, neither RAM, CPU nor disk.
Setting up replica IPA servers is also not a big challenge. The setup
scripts usually work very well and the official documentation is quite
good too.
<https://access.redhat.com/articles/1586893>
<http://www.freeipa.org/page/Documentation>
--
kind regards,
David Sommerseth
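As an added example (not part of the mail above, and not FreeIPA's own tooling), the client-side procedure from the reply as a small enrolment script with pre-flight checks and the IPA-managed automount step that the original question was about. It assumes an IPA server that publishes SRV records in DNS, bind-utils for "dig", and an admin password in the IPA_ADMIN_PW variable.

```shell
#!/bin/sh
# Added example: enrol an SL7/EL7 host as a FreeIPA client with a few
# pre-flight checks, then enable IPA-managed automount for the host.
# Assumptions (not from the original mail): a running IPA server with SRV
# records in DNS, bind-utils installed for "dig", and an admin principal
# whose password is supplied via the IPA_ADMIN_PW environment variable.
set -eu

# Kerberos realm convention: the DNS domain in upper case.
realm_for_domain() {
    printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'
}

# ipa-client-install refuses short names; require host.domain.tld form
# (at least two dots, no trailing dot). Returns 0 when acceptable.
is_fqdn() {
    case "$1" in
        *.*.*) ;;            # enough labels, still check the trailing dot
        *) return 1 ;;
    esac
    case "$1" in *.) return 1 ;; esac
    return 0
}

# Pick the IPA server from "dig +short SRV _ldap._tcp.<domain>" output,
# whose lines read "priority weight port target." (e.g. "0 100 389 ipa.example.com.").
# Lowest priority wins; the trailing dot is stripped from the target.
srv_target() {
    sort -n | awk 'NR == 1 { sub(/\.$/, "", $4); print $4 }'
}

enroll_client() {
    domain=$1
    host=$(hostname -f)
    is_fqdn "$host" || { echo "hostname '$host' is not an FQDN" >&2; return 1; }
    server=$(dig +short SRV "_ldap._tcp.$domain" | srv_target)
    [ -n "$server" ] || { echo "no _ldap._tcp SRV record for $domain" >&2; return 1; }
    yum -y install ipa-client
    # The password is briefly visible in the process list; a one-time password
    # from "ipa host-add --random" limits what that exposes.
    ipa-client-install --unattended --mkhomedir \
        --domain="$domain" --realm="$(realm_for_domain "$domain")" \
        --server="$server" --hostname="$host" \
        --principal=admin --password="$IPA_ADMIN_PW"
    # Let SSSD serve the IPA automount maps (auto.master etc.) to this host.
    ipa-client-automount --unattended --location=default
    # Verify: the host keytab works and the host is registered in IPA.
    kinit -k "host/$host" && ipa host-show "$host"
}

if [ "${1:-}" = enroll ]; then
    enroll_client "$2"
fi
```

Run it as "sh enroll.sh enroll example.com" on the client; without the "enroll" argument it only defines the helper functions.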