| View previous topic :: View next topic |
| Author |
Message |
meyerm
Veteran
Joined: 27 Jun 2002
Posts: 1311
Location: Munich / Germany
|
 Posted: Fri Jan 07, 2011 4:19 pm Post subject: central configuration and authentication |
 |
|
| tl;dr wrote: | | What to use as a distributed/replicated authentication, authorization and configuration directory? LDAP or postgresql? |
Hello everybody,
I plan to set up a Xen based virtual environment with a strong partitionment of servers for security, ease of administration (perhaps some special application needs a fixed version of libXZY and would block the rest of the system), and the potential of migrating later to a second machine.
My picture of partitionment would include the following VMs:
- login server (pam/ssh/sftp) lets choosen user login with a full local account and a few admin users with sftp only for manging the websites. Here, everybody with ssh-access should somehow be able to change the password for the whole federation.
- web server (Apache) serves websites of virtual domains, perhaps including "/~localuser" homepages for the users on the shellserver.
- mail server (Postfix/dovecot) handles all incoming (and perhaps outgoing) mails for several virtual domains.
- jabber server (jabberd2) offers XMPP-services to everybody virtual user having a mail account.
- dns server (PowerDNS) somebody must tell the world about the domains. If possible it should also be a slave for external DNS and provide DynDNS-services. But that's optional for now.
- vpn server (OpenVPN) allows external computers to login into the internal/virtual network. Some of the users in the system should be allowed to do that by a simple change in the authentication/authorization database. Perhaps including their certificates? We'll see. This VPN server is only secondary.
- directory server (???) is the ominous source of magic and wonders. Here, everthing should be done centrally.
This directory service should be a central instance where I'm the only one having access. My idea would be to have some kind of slave on each of the servers mentioned above of the directory/configuration-daemon - perhaps even read-only if possible and only a subset of the data. So each instance would be able to run on its own (websites f.ex. are kept on the webserver and exported via NFS to the login server) without beeing dependant on another beeing available. Changes should be propagated by the central master to the slaves.
What exactly should this central directory offer?
- authentication for real and virtual users
- configuration of domains for DNS, mail, jabber, and web
- mail and perhaps other configurations per (virtual) user (spamfiltering yes/no etc.)
- authorization of admin users for managing domains/mail etc (using special script/webapps/applications)
- this includes groups
- if feasable a possibilty to distribute to slaves like mentioned above
- other stuff?
After checking a lot of websites I came to the conclusion that all of the projects support either LDAP or postgresql as a source for their data. Right? Now, the short question following this long explanation would be, what's the better and easier choice to implement? There is no existing infrastructe and it's my own small "network". So solutions as Kerberos seem like overkill (and would still need some other underlying directory). LDAP or postgresql? Is this replication stuff even possible with each of them?
The longer question would even ask for your general opinion. Perhaps I'm on a wrong way with all this? Better solutions? Do you see problems with using these approaches? Dump the whole replication stuff and try to cluster the directory and start two VMs with it? Do you already have a similar setup? How did you solve this?
Thank you very much for reading until here! Thank you even more if you start a discussion about that in this thread.
Yours,
M |
|
| Back to top |
|
 |
gerdesj
l33t
Joined: 29 Sep 2005
Posts: 622
Location: Yeovil, Somerset, UK
|
| Posted: Sat Jan 08, 2011 2:07 am Post subject: Re: central configuration and authentication |
|
|
Get your DNS set up so that all devices can resolve each other correctly first then set up a Samba PDC with the password back end of your choice (LDAP probably)
Then setup Samba on your clients then domain join them to the PDC. Windows machines if needed will also fit in ...
Job done!
If your DNS domain is example.co.de then set in /etc/krb5.conf your kerb domain to EXAMPLE.CO.DE and in Samba your AD domain is EXAMPLE.CO.DE and the workgroupname is EXAMPLE
This will give you a centralized user database. Now application configuration is a different matter and I suggest you post queries to the forums for each piece.
You wont go wrong with an OpenLDAP backend because many applications can use that.
Cheers
Jon |
|
| Back to top |
|
|
meyerm
Veteran
Joined: 27 Jun 2002
Posts: 1311
Location: Munich / Germany
|
| Posted: Sun Jan 09, 2011 6:10 pm Post subject: Re: central configuration and authentication |
|
|
Hi Jon,
| gerdesj wrote: | | Get your DNS set up so that all devices can resolve each other correctly first then set up a Samba PDC with the password back end of your choice (LDAP probably) ... |
your suggestion of using Samba is indeed an interesting one. I didn't think of it before. So basically you're saying I should rely on the LDAP-variant but then not use the native connections and/or PAM to access it but using Samba as a Kerberos setup?
I wanted to refrain from using Kerbereos since I'm scared by its assumed complexity for my small federation of computers. You make it sound comparatively easy . On the other hand I won't need windows compatibility - so isn't Samba with all its Windows-AD compatibility/RPCs more overhead than mit-krb5? And the second question would be, what advantages do get by using Kerberos compared to a LDAP-only variant (given that all relevant daemons are able to use LDAP itself) despite of not needing to export the password-hashes to each computer?
Thank you very much for sharing your experience,
M |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
Networking & Security
