pier paolo gentili, 123RF
Migration from LDAP to FreeIPA
Watchdog
Many environments use an LDAP server to manage user and group accounts. Often, these servers will also be used for user authentication. However, this setup assumes that the user objects in LDAP have a password attribute. Of course, this attribute requires special protection. Only the user and an LDAP administrator should be allowed to change it. Appropriate access control lists make this relatively easy to achieve.
Problem Password
Nevertheless, user authentication based on the password attribute is not without risk. In the simplest case, it is handled by a Simple BIND operation. This involves the user password crossing the wire in clear text to the LDAP server, which then attempts to authenticate the user with the supplied password. If this step succeeds, the user is logged in to the client system; otherwise, an error message is returned. A secure configuration thus requires the user password to be transferred via a secure communication channel in each case, which could be implemented at the application level using SSL/TLS, for example.
In addition to the Simple BIND method, LDAPv3 supports authentication based on SASL (Simple Authentication and Security Layer, RFC 4422). This approach includes a whole range of methods for verifying a user – for example, using a Kerberos ticket or an X.509 client certificate. However, setting up and configuring such an environment is not always easy, partly because it assumes proper mapping between the user object in LDAP, which is represented by a Distinguished Name (dn) and the matching Kerberos principal or X.509 client certificate.
Alternatively, it is possible to perform authentication directly via a Kerberos server and only query the LDAP server for the user's account details. However, such a setup is quite complex and unwieldy; anyone who has been through the pain of using the Kerberos client tools will know what I'm talking
...
Buy ADMIN Magazine
US / Canada
UK / Australia
Related content
-
ID Views smooth migration to a new identity management system
POSIX attributes are permanently connected to a user account, and they help identify the user; however, this permanent connection can lead to difficulties when migrating from one identity management system to another. ID Views help you make migration go smoothly. -
Integrating FreeIPA with Active Directory
Many companies use Active Directory for centrally managing existing systems, but if you mix in Linux systems, you have to take care of a few things, such as different forms of integration. We show you how to connect the FreeIPA identity management framework as an interface to an Active Directory domain. -
The System Security Services Daemon
The current version of the System Security Services Daemon (SSSD) lets you evaluate sudo rules centrally on an LDAP server, even if the LDAP server is inaccessible. -
Single sign-on with SSSD, LDAP, and Kerberos
Mobile users need a connection to the LDAP and Kerberos servers to authenticate over insecure IP networks. The System Security Services Daemon (SSSD) helps plug this gap. -
Password management with FreeIPA
Passwords should be safe, but easy to remember – a contradiction that can be difficult to resolve. One remedy is a password manager that stores all passwords centrally. The open source tip this month shows a different approach: FreeIPA.
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Most Popular
Support Our Work
ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.
