OpenLDAP goals and lessons learned:

Goals:

  • Identify the steps to renew the LDAP server certs (including the CA cert)

  • Identify the steps to enforce client-side cert verification (TLS_REQCERT demand)

  • Configure UNIX authentication through LDAP

    • Authentication information:

      • Groups (done ~)

      • Users (done ~)

      • SSH public keys

      • SSH private keys (in particular, whether we can force them to be passphrase protected and to use a forced command)

      • sudo (see sets in chapter 8.5)

    • Authentication restrictions:

      • Certain users on certain systems only

      • Password aging (overlay, chapter 12)

      • Password complexity (overlay, chapter 12)

      • TCP wrappers

  • Configure sudo through LDAP

  • Configure automounted home directories through LDAP

  • Create a CMDB in LDAP? Host info, for use with Puppet.

  • Configure the Puppet ENC to use LDAP

  • Build/configure OpenLDAP from scratch for experience; however, the primary goal is to use RPMs for patching capability.

  • Study/experiment with LDAP ACLs, including security strength factors (SSF)

  • Configure pictures in the LDAP directory (can be a base64-encoded ASCII string)

  • Study/experiment with access/audit logging, particularly for Samba.

  • Deconflict nslcd and sssd in a mixed environment (legacy/sssd)

    • User authentication: nslcd: constant password change requirements