For years I've held out hope that someone would come up with a turnkey mechanism for deploying Kerberos/RADIUS/LDAP throughout a Linux distro, but my hopes have not been realized, even with the latest openSUSE et al. Searching the BLU archives and/or Google leads me to tantalizing but ultimately frustrating leads on this. Before I task one of my engineers with a 6-month project to come up with a solution for our company, I'm wondering if there are any shortcuts that I can use to get things up and running more quickly.

First I'll list some of the resources to be managed: Subversion, MySQL back-end databases, Nagios (Apache), Cacti, the office VPN (Juniper), MS Exchange, JIRA, Confluence, Linux shell, Cisco/Dell/Foundry gear, and so forth. Scanning the past 1000 resumes I've seen on my desk, these tools are not rare--indeed they are ubiquitous.

I probably have to type my password 200 to 500 times a day. Everyone who works for me probably has to do more. Adding or deleting an employee doesn't really completely happen until days or even months after the fact, and IT audits never go as smoothly as you'd hope because there's always a lingering stale account lying around.

What I want is to maintain all authentication (password) and authorization (group membership and entitlements) in Active Directory on a primary and backup domain server, and mirror that via Kerberos/LDAP/RADIUS to a pair of Linux boxes at each data center. Starting with the Apache web-server resource, I want users to be able to authenticate first thing in the morning and never have to type a password again for any of the resources mentioned above.

You'd be amazed at the contortions performed by the folks who have published Apache 2.2 configuration recipes to accomplish this--and none of them worked for me out of the box (I got authentication but not authorization working; what's going on is the A.D. domain string gets appended to the username and then LDAP lookups fail, so you still need to patch Apache source code, change UDP/TCP settings, use 'snoop' and 'tcpdump', then scratch head--nothing turnkey about it). I wasted 2 days on this last week and realized that it's time to ask for help.

MIT Athena invented this technology a quarter century ago and I want it *now*. Any success stories among y'all?

-rich
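The failure mode Rich describes (Kerberos authentication succeeds, but the realm suffix on the resulting username makes the LDAP group lookup miss) is the usual sticking point when mod_auth_kerb is paired with mod_authnz_ldap on Apache 2.2. The following is an added example, not configuration from the original post, and it assumes that module pairing; the realm, hostnames, keytab path, bind DN and group name are placeholders. The commented-out line shows the setting that produces the symptom; the line after it is the fix.

```apache
# Added example (not from the original post): Apache 2.2, mod_auth_kerb for
# authentication against Active Directory, mod_authnz_ldap for authorization.
# EXAMPLE.COM, dc1/dc2.example.com, the keytab path, the bind account and the
# group DN are placeholders for the reader's own environment.

LoadModule auth_kerb_module   modules/mod_auth_kerb.so
LoadModule ldap_module        modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

<Location /nagios>
    AuthType Kerberos
    AuthName "Example Corp single sign-on"
    KrbAuthRealms EXAMPLE.COM
    Krb5Keytab /etc/apache2/http.keytab
    KrbServiceName HTTP
    KrbMethodNegotiate On
    # Do not fall back to a password prompt over plain HTTP; with SPNEGO
    # working, the browser presents the user's TGT-derived ticket instead.
    KrbMethodK5Passwd Off

    # The symptom in the post: with the mapping off (the default), REMOTE_USER
    # is "rich@EXAMPLE.COM", the sAMAccountName filter below is searched for
    # that whole string, AD never matches it, and "Require ldap-group" fails
    # although the ticket was accepted.
    # KrbLocalUserMapping Off
    # With the mapping on, the realm is stripped through the krb5 auth_to_local
    # rules (default rule: drop the local realm), so REMOTE_USER is "rich" and
    # the LDAP search finds the user object.
    KrbLocalUserMapping On

    # Group check against AD. A bind account is needed: AD does not allow
    # anonymous searches of user objects. Two domain controllers are listed
    # for failover.
    AuthLDAPURL "ldap://dc1.example.com dc2.example.com/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"
    AuthLDAPBindDN "CN=apache-ldap,OU=Service Accounts,DC=example,DC=com"
    AuthLDAPBindPassword "placeholder-change-me"
    # AD groups carry full member DNs in the "member" attribute.
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN On
    AuthzLDAPAuthoritative On
    Require ldap-group CN=nagios-admins,OU=Groups,DC=example,DC=com
</Location>
```

Two caveats a practitioner will want. First, the realm stripping applies to the realm(s) the krb5 auth_to_local rules know about; a user from a trusted realm needs an explicit rule in krb5.conf or will still arrive with the suffix. Second, the alternative of leaving the suffix in place and searching on userPrincipalName instead of sAMAccountName also works, but the Kerberos realm is upper-case while the UPN suffix in AD is normally lower-case, so that route depends on the directory's case-insensitive matching rather than on anything Apache does. Whichever attribute is chosen, confirm it with an ldapsearch for the exact REMOTE_USER value the server logs before touching Apache source.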