[aklug] Re: Centralized Authentication for Gnu/Linux

From: David M. Syzdek <david@syzdek.net>
Date: Fri Sep 09 2016 - 16:54:33 AKDT

Christopher,

I've had great success using OpenLDAP with nss_ldap and NSCD on Slackware,
RADIUS backed by OpenLDAP on VyOS, and nss_ldap and pam_ldap for the odd
CentOS server.

I have roughly 175 servers authenticating from OpenLDAP for roughly 200
users. Each server is configured with two LDAP service addresses and 1
second timeouts. If one server cluster goes down, the client flips to the
secondary cluster after 1 second. NSCD keeps information cached so a
downed cluster is only noticeable during authentication (currently only
experienced this during planned tests). All critical servers have an
OpenLDAP directory running locally so I can bootstrap my entire
infrastructure in the event that the two data centers hosting the LDAP
clusters lose power/connectivity.

Each cluster is front ended by three servers running Keepalived with the
IPVS and VRRP subsystems enabled. The VRRP subsystem floats the service
address among the three load balancers and the IPVS subsystem splits the
incoming LDAP connections among the servers in the backend.

Additionally, I have a RADIUS server providing auth out of LDAP for network
devices and virtual appliances which do not directly support LDAP.

The cherry on top is that I have sudo compiled with LDAP support, so sudo
permissions are centrally maintained across all servers.

I briefly experimented with using OpenLDAP for netgroups for sudo, but
opted instead to use sudo's host pattern matching (less indirect than
netgroups and generates fewer lookups). I also looked into using LDAP for
/etc/hosts, but I generally keep minimal host files and could not justify
the additional deviation from base configs.

I've been running this setup for a few years. If you have any questions or
would like some examples, let me know and I'll see how difficult it would
be to sanitize configs and send them to you.

--David M. Syzdek

On Fri, Sep 9, 2016 at 4:09 PM, Christopher Howard <ch.howard@zoho.com>
wrote:

> Hi list. Anybody here played around much with different centralized
> authentication schemes in a Gnu/Linux environment? I'm going to set up all
> my Debian PCs & Laptops on my home network to be using centralized
> authentication, mainly so I can have a single login credential per user,
> but also authentication and permissions on file shares I'll set up down the
> road. From my own research, I think I'll try freeIPA first, as it sounds
> like it might be easy to manage, and because sssd is supposed to support
> cached logins. But I'm open to second opinions.
>
> --
> https://qlfiles.net
> My PGP public key ID is 0x340EA95A (pgp.mit.edu).
>

-- 
"I'm religious but not spiritual."
        --Cardinal Francis George, O.M.I.
---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
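The reply's client layout (two LDAP service addresses, 1-second timeouts, flip to the secondary when the primary stops answering) reduced to runnable code. This is an added example, not code or configs from the post: it speaks just enough LDAPv3/BER (RFC 4511) to send an anonymous simple BindRequest and read the resultCode, using only the Python standard library. The function names, the `127.0.0.1` fake servers and the `demo()` scenario are assumptions for illustration; a production client gets the same behaviour from nss_ldap/pam_ldap or sssd settings, not from hand-written code.

```python
"""Client-side LDAP failover with a 1-second timeout (added example, not
code from the list post).  Speaks just enough LDAPv3/BER (RFC 4511) to send
an anonymous simple BindRequest and read the resultCode, standard library
only; helper names and the loopback fake servers are assumptions."""
import socket
import threading
import time

SUCCESS = 0  # LDAP resultCode for a successful bind

def ber_len(n):
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber_tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body

def ber_read(data, off=0):
    """Decode one TLV at `off`; returns (tag, body, offset_after)."""
    tag, ln, off = data[off], data[off + 1], off + 2
    if ln & 0x80:                                # long-form length
        n = ln & 0x7F
        ln, off = int.from_bytes(data[off:off + n], "big"), off + n
    return tag, data[off:off + ln], off + ln

def bind_request(msg_id, dn="", password=""):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] } with simple auth."""
    op = ber_tlv(0x60, ber_tlv(0x02, b"\x03")             # version 3
                 + ber_tlv(0x04, dn.encode())            # name ("" = anonymous)
                 + ber_tlv(0x80, password.encode()))     # simple [0] password
    return ber_tlv(0x30, ber_tlv(0x02, bytes([msg_id])) + op)

def bind_response(msg_id, result_code):
    """LDAPMessage { messageID, BindResponse [APPLICATION 1] }."""
    op = ber_tlv(0x61, ber_tlv(0x0A, bytes([result_code]))   # ENUMERATED resultCode
                 + ber_tlv(0x04, b"") + ber_tlv(0x04, b""))  # matchedDN, diagnosticMessage
    return ber_tlv(0x30, ber_tlv(0x02, bytes([msg_id])) + op)

def parse_bind_response(data):
    """Return the resultCode of a BindResponse; reject anything else."""
    tag, msg, _ = ber_read(data)
    _, _msg_id, off = ber_read(msg)
    op_tag, op, _ = ber_read(msg, off)
    if tag != 0x30 or op_tag != 0x61:
        raise ValueError("not an LDAP BindResponse")
    rc_tag, rc, _ = ber_read(op)
    if rc_tag != 0x0A:
        raise ValueError("malformed resultCode")
    return int.from_bytes(rc, "big")

def ldap_bind_with_failover(servers, timeout=1.0, dn="", password=""):
    """Try each (host, port) in order; `timeout` bounds both the TCP connect and
    the wait for the BindResponse.  Returns ("host:port", resultCode) from the
    first server that answers, or raises OSError listing every failure."""
    failures = []
    for host, port in servers:
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.settimeout(timeout)
                s.sendall(bind_request(1, dn, password))
                data = s.recv(4096)
                if not data:
                    raise ConnectionError("server closed the connection")
                return f"{host}:{port}", parse_bind_response(data)
        except (OSError, ValueError, IndexError) as exc:
            failures.append(f"{host}:{port}: {exc!r}")
    raise OSError("all LDAP servers failed: " + "; ".join(failures))

def start_fake_ldap_server(hang):
    """Constructed loopback stand-in for one cluster.  hang=False answers every
    bind with SUCCESS; hang=True completes the TCP handshake and never replies,
    which is what a wedged cluster looks like.  Returns (port, stop_fn)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    srv.settimeout(0.2)
    stop, held = threading.Event(), []

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            if hang:
                held.append(conn)                # keep it open, never answer
                continue
            with conn:
                conn.recv(4096)
                conn.sendall(bind_response(1, SUCCESS))
        for conn in held:
            conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop.set

def demo(timeout=1.0):
    """Primary hung, secondary healthy: the bind must land on the secondary
    after roughly `timeout` seconds, the behaviour described in the reply."""
    hung_port, stop_hung = start_fake_ldap_server(hang=True)
    good_port, stop_good = start_fake_ldap_server(hang=False)
    servers = [("127.0.0.1", hung_port), ("127.0.0.1", good_port)]
    started = time.monotonic()
    try:
        server, rc = ldap_bind_with_failover(servers, timeout=timeout)
    finally:
        stop_hung()
        stop_good()
    return {"server": server, "result_code": rc,
            "used_secondary": server.endswith(f":{good_port}"),
            "seconds": round(time.monotonic() - started, 2)}

if __name__ == "__main__":
    print(demo())
```

Running the file shows the bind landing on the secondary about one second after the primary stopped answering. With nss_ldap/pam_ldap the corresponding settings in /etc/ldap.conf are a space-separated `uri` list plus `bind_timelimit` and `timelimit`; with sssd they are `ldap_uri` together with `ldap_network_timeout` and `ldap_opt_timeout`. Note that nscd caches only NSS lookups (passwd, group), not PAM authentication, which is why an outage is visible at login in the setup above and why sssd's cached credentials are the usual answer for laptops.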
Received on Fri Sep 9 16:54:58 2016

This archive was generated by hypermail 2.1.8 : Fri Sep 09 2016 - 16:54:58 AKDT
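The sudo-over-LDAP arrangement the reply describes, with host pattern matching instead of netgroups, as constructed LDIF. These are added example entries, not the poster's configs: the suffix `dc=example,dc=com`, the container `ou=SUDOers`, the group `webadmins` and the host pattern `web*.example.com` are all assumptions. The client side needs sudo built with LDAP support, `sudoers: files ldap` in nsswitch.conf and `sudoers_base ou=SUDOers,dc=example,dc=com` in the sudo LDAP config.

```ldif
# Constructed example (not from the list post).  Load with, for instance:
#   ldapadd -x -D cn=admin,dc=example,dc=com -W -f sudoers.ldif

dn: ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: SUDOers

# cn=defaults is the LDAP equivalent of a "Defaults" line in sudoers.
dn: cn=defaults,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Global sudoOption settings
sudoOption: env_reset

# Host pattern matching: members of the LDAP group "webadmins" may restart
# httpd on any host whose name matches web*.example.com.  sudo evaluates the
# wildcard itself (fnmatch-style), so no netgroup lookup is made per check.
dn: cn=web-restart,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: web-restart
sudoUser: %webadmins
sudoHost: web*.example.com
sudoRunAsUser: root
sudoCommand: /bin/systemctl restart httpd

# The netgroup form the reply chose not to use would replace the sudoHost
# line with a netgroup reference, resolved through NSS on every check:
#   sudoHost: +webservers
```

Because the rule is keyed on the client's own hostname, a host that can be renamed by an unprivileged user effectively chooses its own sudo rules; keep hostname changes root-only and make the pattern as narrow as the fleet naming allows.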