List: aix-l
Subject: Re: ldap and Kerberos
From: Holger van Koll <Holger.vanKoll () SWISSCOM ! COM>
Date: 2009-08-28 7:44:23
Message-ID: C10F29AB06447B4881FC0DE1E302E2F2F936D6FA () sg000036 ! corproot ! net
as far as I know you cannot use netgroups anymore with LDAP when you use kerberos for authentication.
am I right?
________________________________
From: IBM AIX Discussion List [mailto:aix-l@Princeton.EDU] On Behalf Of jkstevenson@MICRON.COM
Sent: Thursday, August 27, 2009 6:15 PM
To: aix-l@Princeton.EDU
Subject: Re: ldap and Kerberos
You can use netgroups within LDAP to control who can log in to what server.
Jon
From: IBM AIX Discussion List [mailto:aix-l@Princeton.EDU] On Behalf Of AIX
Sent: Thursday, August 27, 2009 10:02 AM
To: aix-l@Princeton.EDU
Subject: Re: ldap and Kerberos
This is a usual question that I have been asked:
In case we create a user in LDAP, how can we restrict the user to access only a few servers?
I believe that is the place Kerberos comes into play.
Is there any other solution to restrict users accessing servers that are using LDAP?
From: IBM AIX Discussion List [mailto:aix-l@Princeton.EDU] On Behalf Of Mills, John T
Sent: Thursday, August 27, 2009 9:31 AM
To: aix-l@Princeton.EDU
Subject: Re: ldap and Kerberos
If run in conjunction with AD, kerberized ldap installs will allow full use of account administration. Without kerberos, you can pull the password for authentication only.
John T. Mills
________________________________
From: IBM AIX Discussion List [mailto:aix-l@Princeton.EDU] On Behalf Of Tansley, David
Sent: Thursday, August 27, 2009 8:51 AM
To: aix-l@Princeton.EDU
Subject: ldap and Kerberos
Hello.
Can someone explain the benefits, if any, of running Kerberos and ldap together, instead of just using ldap (TDS) for authentication?
Thanks
DT
David Tansley
Email: david.tansley@acegroup.com
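
An added illustration of the netgroup approach mentioned in this thread (not part of any list member's message and not AIX's own code): it shows how netgroup triples and nested netgroups stored in LDAP under the RFC 2307 nisNetgroup schema resolve to a yes/no answer for a given host and user. All group, host and user names are constructed sample data, and the domain field is ignored.

```python
import re

# "(host,user,domain)" as stored in the nisNetgroupTriple attribute.
TRIPLE = re.compile(r"^\(([^,()]*),([^,()]*),([^,()]*)\)$")

# Constructed directory content: cn -> attributes as read from LDAP.
NETGROUPS = {
    "db-admins": {"nisNetgroupTriple": ["(,alice,)", "(,bob,)"]},
    "db-hosts-login": {
        "nisNetgroupTriple": ["(dbhost01,carol,)"],
        # Includes a self-reference on purpose to exercise cycle handling.
        "memberNisNetgroup": ["db-admins", "db-hosts-login"],
    },
    "locked": {"nisNetgroupTriple": ["(-,dave,)"]},
}


def parse_triple(text):
    """Return (host, user, domain) or raise ValueError on a malformed value."""
    m = TRIPLE.match(text.replace(" ", ""))
    if not m:
        raise ValueError("malformed nisNetgroupTriple: %r" % text)
    return m.groups()


def field_matches(field, value):
    """Empty field is a wildcard, '-' matches nothing, otherwise exact match."""
    if field == "":
        return True
    if field == "-":
        return False
    return field == value


def in_netgroup(group, host, user, directory=NETGROUPS, _seen=None):
    """True if (host, user) matches a triple in group or any nested netgroup."""
    seen = _seen if _seen is not None else set()
    if group in seen or group not in directory:
        return False  # cycle or unknown group: fail closed
    seen.add(group)
    entry = directory[group]
    for raw in entry.get("nisNetgroupTriple", []):
        t_host, t_user, _domain = parse_triple(raw)
        if field_matches(t_host, host) and field_matches(t_user, user):
            return True
    return any(in_netgroup(g, host, user, directory, seen)
               for g in entry.get("memberNisNetgroup", []))
```

An unknown group name or a membership loop yields False rather than an error, so a typo in a group name denies access instead of granting it.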