OpenLDAP goals and lessons learned:
Goals:
ID steps to renew ldap server certs (including the CA cert)
ID steps to enforce cert verification:
TLS_REQCERT demand (client side, in ldap.conf: refuse the connection if the server cert cannot be verified against TLS_CACERT; never/allow/try silently accept a bad cert)
Configure UNIX authentication through ldap
Authentication information:
Groups (done ~)
Users (done ~)
ssh public keys
ssh private keys (particularly, if we can force them to be passphrase protected and use a forced command)
sudo (see ACL sets in ch 8.5 of the admin guide)
Authentication restrictions:
Certain users on certain systems only
Password aging (ppolicy overlay (chapter 12))
Password complexity (ppolicy overlay (chapter 12))
tcpwrappers
Configure sudo through ldap
Configure automounted home dirs through ldap
Create a CMDB in ldap? Host info, for use w/puppet.
Configure puppet ENC to use ldap
Build/configure openldap from scratch for experience; however, primary goal is to use rpms for patching capability.
Study/experiment w/ldap ACLs, including security strength factors (ssf)
Configure pictures in the ldap directory. (binary attribute such as jpegPhoto; supplied in LDIF as a base64-encoded ascii string)
Study/experiment w/ access/audit logging, particularly for samba.
Deconflict nslcd and sssd in a mixed environment (legacy/sssd)
User authentication: nslcd: constant pwd change requirements
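Worked example for the cert-verification goal above (TLS_REQCERT demand). This is an added script, not something from these notes or from the OpenLDAP project: it audits an ldap.conf-style client config for the effective TLS_REQCERT level and runs against two constructed sample files, one with the weak setting and one corrected. It assumes ldap.conf(5) syntax (one directive per line, `#` comments) and that the last TLS_REQCERT occurrence is the one that applies.

```shell
#!/bin/sh
# Added example, not part of the original notes: audit an OpenLDAP client
# config for its TLS_REQCERT level. 'never', 'allow' and 'try' let the client
# proceed when the server certificate cannot be verified; only 'demand'
# (the ldap.conf(5) default when the directive is absent) or 'hard' refuse.
# Assumptions: ldap.conf(5) syntax (one directive per line, '#' comments),
# and the last TLS_REQCERT occurrence wins.

check_tls_reqcert() {
    # $1: path to an ldap.conf-style file.
    # Prints the effective level; returns 0 when verification is enforced.
    level=$(awk 'toupper($1) == "TLS_REQCERT" { v = tolower($2) }
                 END { print (v == "" ? "demand (default)" : v) }' "$1")
    printf '%s: TLS_REQCERT=%s\n' "$1" "$level"
    case "$level" in
        demand*|hard) return 0 ;;
        *)            return 1 ;;
    esac
}

# Demo on two constructed config files (weak vs. corrected).
demo_dir=$(mktemp -d)
cat > "$demo_dir/weak.conf" <<'EOF'
# constructed sample: accepts any server certificate, so a MITM works
BASE        dc=example,dc=com
URI         ldaps://ldap.example.com
TLS_REQCERT never
EOF
cat > "$demo_dir/good.conf" <<'EOF'
# constructed sample: verify the server cert against our own CA
BASE        dc=example,dc=com
URI         ldaps://ldap.example.com
TLS_CACERT  /etc/openldap/certs/ca.crt
TLS_REQCERT demand
EOF
for f in "$demo_dir/weak.conf" "$demo_dir/good.conf"; do
    if check_tls_reqcert "$f"; then
        echo "  OK: server cert verification enforced"
    else
        echo "  WEAK: set TLS_REQCERT demand and point TLS_CACERT at the CA"
    fi
done
rm -rf "$demo_dir"
```

The same level is configured as `tls_reqcert demand` in /etc/nslcd.conf and `ldap_tls_reqcert = demand` in sssd.conf, which this checker does not parse because the directive names differ. A live check after the change: `ldapwhoami -x -H ldaps://<server>` must fail against a server presenting a cert that does not chain to TLS_CACERT; if it still succeeds, the setting is not in effect for that client.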