Christ, I've been in a corporate environment too long. I was about to top post. On Mon, 19 Dec 2011, Craig T wrote:

Hi,

Has anyone successfully deployed OpenLDAP/IPA or even 389 DS for central auth in a very mixed unix environment? With Host based access control?

Redhats new IPA 2.0 product on paper looks brilliant, I just keep finding bugs and it's feeling just too new to deploy commerically at the moment (happy to be proven wrong).

My needs; - Central Auth - Host based access control (e.g. user "John" from group "accounts" can't log into "development servers".

Um, yes, the BoM uses openldap for its unix clients. Unix being HP-UX and rhel4,5,6 (and one or two solaris machines). Host based control in our case being host attributes attached to each user saying which hosts they could connect to.

- Caching for Client logins on laptops. I figure SSSD will be useful here?

I dunno - we don't use that, but there is some caching involved - in that I occasionally have to run "nscd -i passwd" when I run out of patience for a particular user to be admitted to a machine after I screw something up. Unfortunately, what I can't tell you about how it is set up, is much else other than "it works" and "rhel6 was more complicated, and I don't know the details, other than we ended up symlinking 3 different client config files onto the 1 file, otherwise people were being allowed into machines they weren't granted access to" (/etc/pam_ldap.conf /etc/ldap.conf /etc/openldap/ldap.conf). If you want specific snippets from specific files in our config, ask away - I don't really know what I'm doing when it comes to ldap, but I don't think I can see much confidential in there. I have no idea how the database was set up and how you go about adding host attributes in the first place. HTH, HAND!

- Encryption (This looks pretty straight forward in the OpenLDAP 2.4 doco)

Client OS's involved; - Solaris 9/10 - Fedora 15/16 - Centos 5/6

-- Tim Connors