> phiglit_missally posted: I have an interesting problem.

Couldn't you just use AD rather than replicate it into OpenLDAP? You can certainly make Linux boxes authenticate and authorize against AD. I assume you have other good stuff in your OpenLDAP and that's why you want to use it? You could always have one source of data for authentication (AD) and one for other goodness.

Mar 25, 2007 06:04
|
> Without Pants posted: I'd really like to know this too. The scripts would probably be trivial to port over but... I'm lazy.

Um, logwatch for Linux is basically the same thing. You configure what you want, and it audits stuff and sends it to you. RHEL has it on by default and I normally just put a .forward file in ~/root if I care about those messages. If it's something specific then I can't help, but if it's general like:

* how many times did a user attempt login and fail
* disk space
* snippets from /var/log/secure

then you are set.

Mar 28, 2007 05:54
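As an added example (not from the thread, and not logwatch's own code), here is a small Python script that does the "/var/log/secure" item of that list by hand: it counts failed SSH password attempts per user and per source address over a few constructed sample lines in the syslog format sshd writes, separates attempts against non-existent accounts, and flags any source above a threshold. The hostname, addresses and usernames in the sample are made up.

```python
import re
from collections import Counter

# Constructed sample of /var/log/secure content (not a real log).
SAMPLE_SECURE_LOG = """\
Mar 28 05:50:01 gameserver sshd[2101]: Accepted publickey for alice from 192.0.2.15 port 50122 ssh2
Mar 28 05:51:12 gameserver sshd[2107]: Failed password for bob from 198.51.100.7 port 41020 ssh2
Mar 28 05:51:15 gameserver sshd[2107]: Failed password for bob from 198.51.100.7 port 41020 ssh2
Mar 28 05:51:19 gameserver sshd[2107]: Accepted password for bob from 198.51.100.7 port 41020 ssh2
Mar 28 05:52:40 gameserver sshd[2133]: Failed password for invalid user admin from 203.0.113.9 port 3391 ssh2
Mar 28 05:52:44 gameserver sshd[2133]: Failed password for invalid user admin from 203.0.113.9 port 3391 ssh2
Mar 28 05:52:48 gameserver sshd[2133]: Failed password for invalid user oracle from 203.0.113.9 port 3395 ssh2
Mar 28 05:53:02 gameserver sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/df -h
"""

# sshd's failed-password line; "invalid user" appears when the account does not exist locally.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)


def summarize_failed_logins(text, threshold=3):
    """Count failed SSH password attempts and return a summary dict."""
    by_user = Counter()
    by_source = Counter()
    invalid_users = Counter()
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # accepted logins, sudo, etc. are not counted here
        by_user[m["user"]] += 1
        by_source[m["src"]] += 1
        if m["invalid"]:
            invalid_users[m["user"]] += 1
    # Sources that failed at least `threshold` times are worth a closer look.
    noisy_sources = sorted(src for src, n in by_source.items() if n >= threshold)
    return {
        "by_user": dict(by_user),
        "by_source": dict(by_source),
        "invalid_users": dict(invalid_users),
        "noisy_sources": noisy_sources,
    }


def format_report(summary):
    """Render the summary as the kind of text block logwatch would mail out."""
    lines = ["Failed SSH password attempts by user:"]
    for user, n in sorted(summary["by_user"].items(), key=lambda kv: -kv[1]):
        tag = " (no such account)" if user in summary["invalid_users"] else ""
        lines.append(f"  {user}: {n}{tag}")
    lines.append("Failed attempts by source address:")
    for src, n in sorted(summary["by_source"].items(), key=lambda kv: -kv[1]):
        flag = "  <-- above threshold" if src in summary["noisy_sources"] else ""
        lines.append(f"  {src}: {n}{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(summarize_failed_logins(SAMPLE_SECURE_LOG)))
```

To run it over a real file, read `/var/log/secure` instead of `SAMPLE_SECURE_LOG` and drop the output into the same `.forward` mail flow; the regex only matches sshd's "Failed password" lines, so pubkey failures and other services are left out on purpose.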
|
> GT_Onizuka posted: Is there any way to disable this?

The better question is why are your hostkeys changing? If they change one on a rebuild, then I guess I understand, if your hostkeys are changing a lot, then you have other issues. (Or I guess you could be using DHCP). Either way, you lose a critical layer of security by simply ignoring hostkeys.

<shamelessplug> Buy my SSH BOOK! http://www.amazon.com/Pro-OpenSSH-Michael-Stahnke/dp/1590594762 </shamelessplug>

Mar 28, 2007 05:58
|
> phiglit_missally posted: Right. We do not have direct control over our AD in my office, due to being owned by a bigger company. We have a lot more stuff that needs an extended schema though. Without divulging too much, we run game servers, game development environments, and host a lot of services like a wiki, ticket tracking, lots of mysql databases, and unix logins for the entire building. I would rather keep the Unix/Linux side working the way it is through ldap, just because it is working. I would just like to migrate at least some of the windows user accounts with our unix side. Ok, so for user information use AD and for Applications use OpenLDAP?

Yeah, I am not really answering the question, let me try this. You won't be able to just dump the password out of AD and import it into OpenLDAP. The formats are not the same. You could run some kind of cracker against AD, but since you said your area doesn't own AD, you would probably get in trouble for that. So, time for more options.

Write a password change screen. When a user needs to change their password, intercept the change and then call the native openLDAP change and the AD change on the back end. To import users from AD, use Perl, Python, PHP, C, whatever and just dump them via an LDAP search refined to whatever you needed. Another option would be to use some sort of Metadirectory to populate certain attributes. As far as partial replication of just the user containers in AD to OpenLDAP, I am not sure it can be done. If it can, I don't have great answers on it.

So, I may have just filled your thread with nothing. If so, sorry. If not, cheers.

Mar 28, 2007 06:03
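An added example (not the poster's code) of the "dump them via an LDAP search" step: Python that takes the attribute dictionaries an LDAP search against AD would hand back and writes OpenLDAP LDIF for inetOrgPerson/posixAccount entries. The sample AD records, the base DN `ou=People,dc=example,dc=com` and the uidNumber range are constructed placeholders. It deliberately writes no userPassword, since the AD hash cannot be read out, and sets shadowLastChange to 0 so each user has to set a Unix password on first login; accounts with the ACCOUNTDISABLE bit (0x2) set in userAccountControl are skipped and reported rather than silently turned into live Unix logins.

```python
import base64

# Constructed sample of what an LDAP search against AD returns per user.
# Names and the example.com domain are placeholders, not real accounts.
AD_USERS = [
    {"sAMAccountName": "jsmith", "givenName": "Jane", "sn": "Smith",
     "displayName": "Jane Smith", "mail": "jsmith@example.com", "userAccountControl": "512"},
    {"sAMAccountName": "bwayne", "givenName": "Bruce", "sn": "Wayne",
     "displayName": "Bruce Wayne", "mail": "bwayne@example.com", "userAccountControl": "514"},
    {"sAMAccountName": "jalvarez", "givenName": "José", "sn": "Álvarez",
     "displayName": "José Álvarez", "mail": "jalvarez@example.com", "userAccountControl": "512"},
]

ACCOUNTDISABLE = 0x0002                    # userAccountControl flag for a disabled account
BASE_DN = "ou=People,dc=example,dc=com"    # placeholder OpenLDAP container
UID_START = 10000                          # placeholder start of the migrated uidNumber range
DEFAULT_GID = 100                          # placeholder "users" group


def ldif_attr(name, value):
    """Emit one LDIF attribute line, base64-encoding values RFC 2849 does not allow in the clear."""
    safe = (
        value != ""
        and value.isascii()
        and value[0] not in " :<"
        and not any(c in value for c in "\r\n\0")
    )
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def ad_user_to_entry(ad, uid_number):
    """Map AD attributes onto an inetOrgPerson + posixAccount + shadowAccount entry."""
    uid = ad["sAMAccountName"].lower()
    return [
        ("dn", f"uid={uid},{BASE_DN}"),
        ("objectClass", "inetOrgPerson"),
        ("objectClass", "posixAccount"),
        ("objectClass", "shadowAccount"),
        ("uid", uid),
        ("cn", ad.get("displayName") or f"{ad['givenName']} {ad['sn']}"),
        ("givenName", ad["givenName"]),
        ("sn", ad["sn"]),
        ("mail", ad["mail"]),
        ("uidNumber", str(uid_number)),
        ("gidNumber", str(DEFAULT_GID)),
        ("homeDirectory", f"/home/{uid}"),
        ("loginShell", "/bin/bash"),
        # No userPassword: AD's password hash is not readable over LDAP and would
        # not be in an OpenLDAP-usable format anyway. shadowLastChange=0 marks the
        # (absent) password as expired so the user is made to set one at first login.
        ("shadowLastChange", "0"),
    ]


def build_ldif(ad_users, uid_start=UID_START):
    """Return (ldif_text, skipped_usernames) for a list of AD user dictionaries."""
    entries, skipped = [], []
    next_uid = uid_start
    for ad in ad_users:
        if int(ad.get("userAccountControl", "0")) & ACCOUNTDISABLE:
            skipped.append(ad["sAMAccountName"])
            continue
        attrs = ad_user_to_entry(ad, next_uid)
        next_uid += 1
        entries.append("\n".join(ldif_attr(n, v) for n, v in attrs))
    return "\n\n".join(entries) + "\n", skipped


if __name__ == "__main__":
    ldif, skipped = build_ldif(AD_USERS)
    print(ldif)
    print("# skipped (disabled in AD):", ", ".join(skipped))
```

The output is ready for `ldapadd` against the OpenLDAP side; the real search would replace `AD_USERS` with results filtered to the containers the thread is talking about, and the uidNumber assignment should check the existing range first so migrated accounts cannot collide with the ones already in the directory.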