[Micronet] Unix auth against CalNetAD?

[Micronet] Unix auth against CalNetAD?

Nathaniel Baldwin-2
Hey everyone,

We run a small cluster (~15) of Ubuntu workstations, and our clients who use the workstations have recently asked if they could log in to these workstations with their CalNet credentials instead of the accounts in our local LDAP installation. Looking at the documentation out there at a glance, it looks pretty non-trivial, and possibly like the CalNetAD implementation would have to specifically support some Unix attributes. Does anyone have any experience with trying to do this?

thanks,

--
Nat Baldwin
Unix Systems Supervisor
Infrastructure Services, SA-IT
UC Berkeley

-------------------------------------------------------------------------
The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:

http://micronet.berkeley.edu

Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.

ANNOUNCEMENTS: To send announcements to the Micronet list, please use the [hidden email] list.
Re: [Micronet] Unix auth against CalNetAD?

Ryan Lovett-2
Hi Nat,

There are many possible ways of provisioning UNIX accounts via CalNet directory services and Kerberos auth, but all require that you run a complementary component yourself. Neither CalNet nor CalNetAD include the POSIX attributes in their schema, so you will need to store that data. The easiest way, if you don't have many users, is to manually create accounts in a local directory service and do authentication with pam_krb5. Platforms like SSSD and Samba can accomplish what you want, but require more setup. OpenLDAP's overlays can add POSIX attributes to a local store while proxying everything else from CalNet. I've got a Docker container which can do this, but it needs to remap and overlay CalNet's dn/uid.

So lots of options, but nothing turn-key.


Ryan

On Mon, Jun 8, 2015 at 3:58 PM, Nathaniel Baldwin <[hidden email]> wrote:
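A small check that follows from Ryan's point that CalNet and CalNetAD carry no POSIX attributes, added here as an example and not code from the thread or from Ryan's container. It parses an LDIF dump of identity-only entries, overlays locally stored POSIX attributes keyed on uid (the job a local directory or an OpenLDAP overlay does in his description), and then reports which users NSS could not resolve and which would collide with the workstations' own accounts. The directory entries, base DN and local POSIX store are constructed, and the rule that UIDs below 1000 belong to local/system accounts is an assumption for the example, not something from the thread.

```python
"""Audit directory entries for the POSIX attributes NSS needs.

Constructed example: the directory data and local POSIX store below are
made up; nothing here is taken from CalNet, CalNetAD or the thread.
"""

# RFC 2307 posixAccount MUST attributes (loginShell, gecos, ... are MAY).
POSIX_REQUIRED = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory")

# Assumption for this example: UIDs below 1000 are reserved for local and
# system accounts on the workstations, so an overlaid user must not land there.
MIN_USER_UID = 1000


def parse_ldif(text):
    """Parse a minimal LDIF dump into a list of {attribute: [values]} dicts.

    Handles comments and folded continuation lines (leading space); base64
    ("::") and URL (":<") values are out of scope for this check.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold a continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if not line.strip():              # a blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def overlay_posix(remote, local_posix):
    """Merge locally stored POSIX attributes into a remote identity entry.

    The remote directory stays authoritative for who the user is; the local
    store supplies uidNumber/gidNumber/homeDirectory/loginShell keyed on uid.
    """
    uid = remote.get("uid", [None])[0]
    merged = {attr: list(vals) for attr, vals in remote.items()}
    for attr, vals in local_posix.get(uid, {}).items():
        merged[attr] = list(vals)
    return merged


def check_posix(entry):
    """Return a list of problems; an empty list means NSS can resolve the user."""
    problems = [f"missing {a}" for a in POSIX_REQUIRED if a not in entry]
    for attr in ("uidNumber", "gidNumber"):
        vals = entry.get(attr, [])
        if len(vals) > 1:
            problems.append(f"{attr} must be single-valued, got {len(vals)} values")
        for v in vals:
            if not v.isdigit():
                problems.append(f"{attr} {v!r} is not numeric")
            elif attr == "uidNumber" and int(v) < MIN_USER_UID:
                problems.append(f"uidNumber {v} is below {MIN_USER_UID}, the local/system range")
    return problems


def find_uid_collisions(entries):
    """Return (uidNumber, first_uid, other_uid) for every uidNumber shared by two users."""
    owner, collisions = {}, []
    for e in entries:
        uid = e.get("uid", [""])[0]
        for v in e.get("uidNumber", []):
            if v in owner and owner[v] != uid:
                collisions.append((v, owner[v], uid))
            owner.setdefault(v, uid)
    return collisions


def audit(ldif_text, local_posix):
    """Overlay and check every entry; returns {uid: [problems]}."""
    merged = [overlay_posix(e, local_posix) for e in parse_ldif(ldif_text)]
    report = {e["uid"][0]: check_posix(e) for e in merged}
    for uidnum, first, other in find_uid_collisions(merged):
        report[other].append(f"uidNumber {uidnum} is already used by {first}")
    return report


# Constructed sample: identity-only entries, as a campus directory without
# POSIX attributes would return them. The base DN is made up.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=edu
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
mail: alice@example.edu

dn: uid=bob,ou=people,dc=example,dc=edu
objectClass: inetOrgPerson
uid: bob
cn: Bob Example
mail: bob@example.edu

dn: uid=carol,ou=people,dc=example,dc=edu
objectClass: inetOrgPerson
uid: carol
cn: Carol Example
mail: carol@example.edu
"""

# Constructed local POSIX store: the component you have to run yourself.
LOCAL_POSIX = {
    "alice": {"uidNumber": ["20001"], "gidNumber": ["20000"],
              "homeDirectory": ["/home/alice"], "loginShell": ["/bin/bash"]},
    "bob":   {"uidNumber": ["500"], "gidNumber": ["20000"],   # deliberately in the system range
              "homeDirectory": ["/home/bob"], "loginShell": ["/bin/bash"]},
    # carol has no local record, so the overlay cannot give her a usable account
}

if __name__ == "__main__":
    for uid, problems in audit(SAMPLE_LDIF, LOCAL_POSIX).items():
        print(uid, "OK" if not problems else "; ".join(problems))
```

Run against a real export (ldapsearch -LLL output works as input), this flags the two failure modes the thread is about: users the remote directory knows but the local store does not, who simply cannot log in, and locally assigned UIDs that overlap the workstations' own accounts, which is the more dangerous case because file ownership and sudo rules keyed on numeric UID would silently apply to the wrong person.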