Gentoo Forums
LDAP and access control lists ( ACL )
Gentoo Forums Forum Index :: Networking & Security
amasidlover
Apprentice
Joined: 16 Jun 2002
Posts: 293
Location: Manchester, UK

Posted: Mon Nov 01, 2004 9:42 am    Post subject: LDAP and access control lists ( ACL )

I'm just about to start my own small business, and am starting to think about IT infrastructure. Ideally I'd like to have one method to authenticate against for logging in, file sharing, webmail and some custom web applications. The best method looks to be LDAP.

I would also like to be able to manage access control lists (ACLs) (where users can be in multiple groups) for a couple of different things, firstly file access (through unix command line and through Samba/NFS) and also for accessing specific records in databases. The second bit I can write myself once I find software that will manage the ACL for me. I've searched google and the forums and it looks like linux can handle ACLs, but I can't find a howto or explanation of setting it up.

I've tried searching the forums and Google for LDAP, ACL and Access Control List, but with no success. I'd appreciate some suggestions.

Thanks,

Alex
Bigbeanpole
n00b
Joined: 24 Apr 2003
Posts: 12

Posted: Thu Nov 11, 2004 6:49 pm

I know that Novell uses ACLs, and they're based on LDAP ... you may find some documentation on their site as to how to set up Linux to do this (seeing as how they're in the Linux world with SuSE nowadays, I believe).

If you do find a solution, I'd be interested in hearing about it. I tried to set up LDAP myself a while back, and I failed miserably... most likely because I didn't have a lot of time to play with it, and it was on a production machine (I know, silly me), but for my 3-4 users, I thought it would be neat if I could get it set up with LDAP. *sigh* Not yet, I guess. :P

But yeah...give Novell's site a try. They may have some how-to's buried in there somewhere.
JeroenV
Guru
Joined: 16 Jul 2002
Posts: 447
Location: Amsterdam / Hamburg

Posted: Tue Nov 16, 2004 1:54 pm

Hi,

I'm currently implementing samba+PDC+LDAP+ACL on a production machine, seems like living on the edge ^2....

Strangely, it seems to be stated that Samba will "transparently" (???) cope with POSIX ACLs? See http://www.suse.de/~agruen/acl/linux-acls/online/

I'll keep you informed and am very interested in your experiences.
_________________
Cheers 8)
Jeroen
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
May The Source be with you!
amasidlover
Apprentice
Joined: 16 Jun 2002
Posts: 293
Location: Manchester, UK

Posted: Tue Nov 16, 2004 2:25 pm

I've done a lot of reading around the subject and it looks like I'm going to be able to set up Samba as a PDC using LDAP log-ons without _too_ much difficulty, or at least without any show-stopping issues. This IDEALX guide looks like a good starting point.

And as far as I can tell virtually every app I'm looking at using will allow LDAP authentication so I may be getting close to a 'single-sign-in' system.

The only thing that I'm really stuck on now is application support for ACLs, which may be a complete show-stopper as far as ACLs are concerned - at the moment it may have to rely on scheduled cron jobs to store and recreate ACLs regularly if I want to guarantee that they stay around...

As for other apps, this is the line up so far (Scat is a helpdesk app which I wrote - currently not open source, but that may change):

External Web Service - Apache
LDAP for user management - OpenLDAP
File Serving - Samba/NFS (LDAP Auth)
Remote (Web) File Access - Horde (Gollem) (LDAP Auth)
Printing (inc. print accounting) - Cups + Pykota (LDAP Auth)
Groupware - openxchange***(LDAP Auth)/opengroupware
Project Management Software - Scat4?
CRM Software - Scat3?
Time Tracking - Scat4?
IMAP (LDAP for auth) - Courier/Cyrus
SMTP - Postfix
Spam + Virus - Clam AV, Spamassassin, Razor & Pyzor
VOIP - Asterisk (LDAP Auth?)
Accounting + Payroll - Clocksoft
mailing lists - Majordomo
VPN - OpenVPN? (LDAP Auth?)
File versioning - CVS + WebCVS (LDAP Auth)
DNS + DHCP
File Mirroring inc. Disaster recovery tests
BACKUP (decide on cycling)

Desktop Apps:
Gnome
Evolution (w/multisync)
OpenOffice
Abiword
Gnumeric
Firefox
Gimp
Inkscape
rhythmbox
Octave + Gnuplot
Lyx
acroread

Desktop/Laptop Custom Software:
Auto-replicate/rsync for off-net/VPN usage

To be honest, deciding on the apps for each use has been quite straightforward; the key is going to be being able to scale and disaster-recover efficiently. I'm going to have to create a set of scripts for each part that store the config and data and that can restore it onto a blank machine.
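The two ACL questions raised so far, how a user who is in several groups is resolved and how ACLs can be stored and recreated from a cron job, both come down to the POSIX.1e model that Linux implements. The following is an added example, not code from this thread or from the acl package: it parses the text that `getfacl -R -p DIR` writes (the same format `setfacl --restore=FILE` reads back), re-emits it, and runs the access-check algorithm documented in acl(5). The directory, user and group names are constructed for the example.

```python
"""POSIX.1e ACL evaluation over the text format that getfacl(1) prints.

Added example, not code from the forum posts: parse a getfacl dump, re-emit
it for setfacl --restore, and apply the acl(5) access-check algorithm.  The
path, user and group names are constructed for the example.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed sample: what `getfacl -p reports` might print for a directory.
SAMPLE_DUMP = """\
# file: reports
# owner: alex
# group: staff
user::rwx
user:bob:r-x
group::r-x
group:sales:rwx
group:audit:r--
mask::r-x
other::---
"""

def parse_perm(text: str) -> frozenset[str]:
    """'r-x' -> {'r','x'}; the compact form 'rx' is accepted as well."""
    return frozenset(c for c in text if c in "rwx")

def fmt_perm(perms: frozenset[str]) -> str:
    return "".join(c if c in perms else "-" for c in "rwx")

@dataclass
class Acl:
    path: str = ""
    owner: str = ""
    group: str = ""
    user_obj: frozenset[str] = frozenset()      # user::   (the owner)
    group_obj: frozenset[str] = frozenset()     # group::  (the owning group)
    other: frozenset[str] = frozenset()         # other::
    mask: frozenset[str] | None = None          # mask::   (absent on plain modes)
    named_users: dict[str, frozenset[str]] = field(default_factory=dict)
    named_groups: dict[str, frozenset[str]] = field(default_factory=dict)

def parse_getfacl(dump: str) -> Acl:
    """Parse one file's block of getfacl output into an Acl."""
    acl = Acl()
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):                      # "# file: ...", "# owner: ..."
            key, _, value = line[1:].strip().partition(": ")
            if key in ("file", "owner", "group"):
                setattr(acl, "path" if key == "file" else key, value)
            continue
        line = line.split("#", 1)[0].strip()          # drop "#effective:r--" hints
        tag, qualifier, perm = line.split(":", 2)
        perms = parse_perm(perm)
        if tag == "user" and qualifier:
            acl.named_users[qualifier] = perms
        elif tag == "user":
            acl.user_obj = perms
        elif tag == "group" and qualifier:
            acl.named_groups[qualifier] = perms
        elif tag == "group":
            acl.group_obj = perms
        elif tag == "mask":
            acl.mask = perms
        elif tag == "other":
            acl.other = perms
        else:
            raise ValueError(f"unknown ACL entry tag {tag!r}")
    return acl

def dump_getfacl(acl: Acl) -> str:
    """Re-emit the block in the form `setfacl --restore` accepts."""
    lines = [f"# file: {acl.path}", f"# owner: {acl.owner}", f"# group: {acl.group}",
             f"user::{fmt_perm(acl.user_obj)}"]
    lines += [f"user:{u}:{fmt_perm(p)}" for u, p in acl.named_users.items()]
    lines.append(f"group::{fmt_perm(acl.group_obj)}")
    lines += [f"group:{g}:{fmt_perm(p)}" for g, p in acl.named_groups.items()]
    if acl.mask is not None:
        lines.append(f"mask::{fmt_perm(acl.mask)}")
    lines.append(f"other::{fmt_perm(acl.other)}")
    return "\n".join(lines) + "\n"

def check_access(acl: Acl, uid: str, groups: set[str], want: str) -> bool:
    """acl(5) algorithm: owner, then named user, then matching groups, then other.
    `groups` is the primary plus supplementary group set of the process."""
    wanted = parse_perm(want)

    def masked(p: frozenset[str]) -> frozenset[str]:
        return p & acl.mask if acl.mask is not None else p

    if uid == acl.owner:
        return wanted <= acl.user_obj                 # the owner entry is never masked
    if uid in acl.named_users:                        # a named user wins over groups
        return wanted <= masked(acl.named_users[uid])
    matching = [acl.group_obj] if acl.group in groups else []
    matching += [p for g, p in acl.named_groups.items() if g in groups]
    if matching:
        # A member of several groups gets access when any ONE matching entry,
        # after the mask, holds everything requested; entries are not unioned.
        return any(wanted <= masked(p) for p in matching)
    return wanted <= acl.other

if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE_DUMP)
    for who, grps, want in [("bob", set(), "rx"), ("carol", {"sales"}, "w"),
                            ("dave", {"audit", "staff"}, "rx")]:
        print(f"{who:6} {sorted(grps)!s:20} {want:3} -> {check_access(acl, who, grps, want)}")
    assert dump_getfacl(acl) == SAMPLE_DUMP             # round trip for backup/restore
```

Two things the code makes visible that the man pages only state: the mask caps every named-user and group entry (sales has rwx on paper but only r-x in effect), and a user in several groups is granted access only if one matching entry, after the mask, covers the whole request. For the cron-based store-and-recreate idea, the real tools are `getfacl -R -p DIR > acls.txt` and `setfacl --restore=acls.txt`; the parser above reads the same format.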
eikketk
Apprentice
Joined: 03 Jun 2003
Posts: 270
Location: Belgium

Posted: Tue Nov 16, 2004 6:00 pm

FYI: there's a mailing list manager with native LDAP capabilities: Sympa (http://www.sympa.org/)

Courier-imap is nice using authdaemond and its ldap capabilities.

You should use subversion instead of CVS :)
_________________
Working day and night to enhance the Linux Desktop Experience :)

JeroenV
Guru
Joined: 16 Jul 2002
Posts: 447
Location: Amsterdam / Hamburg

Posted: Tue Nov 16, 2004 9:03 pm

Anyone got ssh + pam_ldap working?
No matter what I do, I can't see any activity on the LDAP server when ssh'ing, and access is always denied for users that are only in LDAP. All other pam_ldap links (su, passwd, etc.) work fine.
JeroenV
Guru
Joined: 16 Jul 2002
Posts: 447
Location: Amsterdam / Hamburg

Posted: Sat Nov 27, 2004 8:34 pm

Ok, got pam_ldap working for ssh too, by enabling ChallengeResponseAuthentication in /etc/sshd_config and fiddling a bit with the order of rules in /etc/pam.d/sshd

Now I have a fully working PDC+LDAP, next step is overhaul to ACLs

One big problem I can't seem to tackle:
https://forums.gentoo.org/viewtopic.php?p=1815469#1815469
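For readers following the sshd + pam_ldap part of the thread, here is a complete stack of the kind being described, written out as an added example rather than JeroenV's actual files. It assumes Linux-PAM with the pam_ldap and nss_ldap modules of the period, and the usual /etc/ssh/sshd_config location for OpenSSH; module options shown are the ones those modules document.

```text
# /etc/ssh/sshd_config: hand authentication to PAM, and allow the
# keyboard-interactive method, which is how PAM prompts for the password
UsePAM yes
ChallengeResponseAuthentication yes

# /etc/pam.d/sshd: local accounts first, LDAP second, password typed once
auth      required    pam_env.so
auth      sufficient  pam_unix.so
auth      sufficient  pam_ldap.so use_first_pass
auth      required    pam_deny.so

account   sufficient  pam_ldap.so
account   required    pam_unix.so

password  sufficient  pam_unix.so shadow md5 use_authtok
password  sufficient  pam_ldap.so use_first_pass
password  required    pam_deny.so

session   required    pam_limits.so
session   required    pam_unix.so
session   optional    pam_ldap.so

# /etc/nsswitch.conf: sshd resolves the user through NSS before PAM runs
passwd:   files ldap
shadow:   files ldap
group:    files ldap
```

Order is what makes or breaks this. With `sufficient`, a pam_unix failure simply falls through to pam_ldap, and the closing pam_deny refuses anyone that neither module accepted; leave pam_deny out and a misconfigured stack can fail open. The `account` phase has to consult LDAP too, or an LDAP-only user is rejected after a correct password. And sshd looks the user up through NSS before authentication starts, so without `ldap` in nsswitch.conf an LDAP-only account is treated as an invalid user and denied before the directory ever sees a query, which is the symptom of "no activity on the LDAP server" described above.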
robbo312
n00b
Joined: 09 Dec 2004
Posts: 2

Posted: Thu Dec 09, 2004 7:29 pm

amasidlover wrote:
I've done a lot of reading around the subject and it looks like I'm going to be able to set up Samba as a PDC using LDAP log-ons without _too_ much difficulty or at least without any show-stopping issues.

To be honest, deciding on the apps for each use has been quite straightforward; the key is going to be being able to scale and disaster-recover efficiently. I'm going to have to create a set of scripts for each part that store the config and data and that can restore it onto a blank machine.


Hello,

If you're looking to have Linux on the desktop as well as the server, have a look at the AFS file system (http://www.openafs.org). It will be harder to set up and understand at first than Samba, but it is a better overall 'way'.

The main reason is that it was designed to be used by multiple desktops and servers with single authentication and ACLs in mind.

Other main features are: ACLs, security, caching, replication, a single directory structure (/afs/home is the same /afs/home on all clients, etc.) and scalability.

For a more detailed FAQ: http://www.angelfire.com/hi/plutonic/afs-faq.html

In my opinion I would use...
AFS instead of Samba for file serving,
Kerberos for Authentication instead of LDAP
and use LDAP for user information (perhaps even host information?)

all the best,
Richard...
JeroenV
Guru
Joined: 16 Jul 2002
Posts: 447
Location: Amsterdam / Hamburg

Posted: Thu Dec 09, 2004 8:48 pm

Sounds good :!:

I'd surely celebrate the day that I have the opportunity to replace WinXP by linux on the desktops as well, but unfortunately most people are still too afraid of compatibility issues.

(And I must say, it is virtually impossible to be compatible with such garbage as e.g. Word files, in fact, Word itself isn't)

But that's another story... I will consider implementing AFS at home.
robbo312
n00b
Joined: 09 Dec 2004
Posts: 2

Posted: Thu Dec 09, 2004 9:04 pm

JeroenV wrote:
Sounds good :!:

I'd surely celebrate the day that I have the opportunity to replace WinXP by linux on the desktops as well, but unfortunately most people are still too afraid of compatibility issues.

But that's another story... I will consider implementing AFS at home.


OpenAFS do a Windows version (server and client) of AFS; it's not as neat as the Unix versions though. Also, Samba (and NFS) can serve files from an AFS system if wished.

You might want to look at Coda also; this has all the features of AFS but includes disconnected operation, which is useful for laptops or dodgy wireless links. Link is http://www.coda.cs.cmu.edu/

Coda is not as advanced as AFS, and isn't recommended for hundred plus users, so AFS is better where you wish to have a rock solid system.
amasidlover
Apprentice
Joined: 16 Jun 2002
Posts: 293
Location: Manchester, UK

Posted: Fri Dec 10, 2004 11:17 am

robbo312 wrote:

In my opinion I would use...
AFS instead of Samba for file serving,
Kerberos for Authentication instead of LDAP
and use LDAP for user information (perhaps even host information?)


Hi,

Thanks for that, I did look at using AFS some time ago (years...) but at the time it was overkill, I'll probably use it for this though.

I'm not sure what I gain by using Kerberos though, as all web-accessed services use HTTPS (and hence encrypt passwords anyway) and SSH encrypts passwords. This only leaves Samba clients (which can be configured to encrypt passwords) and AFS clients (or does AFS work like NFS and simply trust the host to be honest about uids?). I won't be allowing use of FTP without separate user-ids and passwords.

Have I missed anything?

Alex