LDAP the right choice? - ldap

So I'm looking for a solution for SSH key authorisation access to numerous servers, and have been pointed towards using LDAP. I wanted to present the use case and see if LDAP would be applicable; any suggestions or help would be appreciated.
Would it be possible to use LDAP to restrict access to specific servers per user/group using SSH keys? So a user tries to access a box, which would bounce out to the LDAP server with the server and user details. This would then check if that person has access to that server and potentially return the correlating key to grant access.
After some research it seems possible to do the above, but I couldn't find anywhere where it's done for specific servers.
Also, is OpenLDAP the best to use? I've tried setting this up and run into several issues like checksums on config files etc.
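One way to do what the question asks, shown as an added example (Python, not from the original post or any particular LDAP server): OpenSSH's `AuthorizedKeysCommand` lets sshd run a program that prints the authorized keys for the user who is logging in, so the per-server check can live in that program rather than in LDAP itself. The schema below is an assumption to adjust to your directory: keys in `sshPublicKey` (the openssh-lpk schema) and a multi-valued `host` attribute listing the servers a user may reach, with the literal value `*` meaning any host (the pam_ldap `pam_check_host_attr` convention). The LDIF directory is constructed sample data standing in for a real server, so the block runs offline; a real lookup would send the filter that `build_filter()` produces over LDAPS with `ldapsearch` or python-ldap and print the returned `sshPublicKey` values.

```python
"""ssh-ldap-keys: AuthorizedKeysCommand-style lookup of SSH keys per user and host.

Assumed sshd_config wiring (sshd passes the username as %u; the hostname is
taken from the box itself, never from the client):
  AuthorizedKeysCommand /usr/local/sbin/ssh-ldap-keys %u
  AuthorizedKeysCommandUser nobody
"""
import socket
import sys

# Constructed sample directory (LDIF) standing in for a real LDAP server.
# Assumed schema: sshPublicKey from openssh-lpk, multi-valued `host`, "*" = any host.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
objectClass: posixAccount
objectClass: account
objectClass: ldapPublicKey
uid: alice
host: web01
host: web02
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyAlice alice@laptop

dn: uid=bob,ou=people,dc=example,dc=org
objectClass: posixAccount
objectClass: account
objectClass: ldapPublicKey
uid: bob
host: *
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyBob bob@desk
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCexampleBob bob@old

dn: uid=carol,ou=people,dc=example,dc=org
objectClass: posixAccount
objectClass: ldapPublicKey
uid: carol
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyCarol carol@x
"""

# RFC 4515 filter escaping: a crafted username must not rewrite the filter.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(user, host):
    """Filter a real lookup would send to the directory.

    (host=\\2a) matches the literal value "*". Writing (host=*) instead would be
    a presence test and match every user that has any host attribute at all.
    """
    u, h = escape_filter_value(user), escape_filter_value(host)
    return "(&(objectClass=ldapPublicKey)(uid=%s)(|(host=%s)(host=\\2a)))" % (u, h)


def parse_ldif(text):
    """Tiny LDIF reader: blank-line separated entries of `attr: value` lines."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def keys_for(entries, user, host):
    """Evaluate the same policy as build_filter() against parsed entries.

    uid and host compare case-insensitively, as LDAP's caseIgnoreMatch does.
    An ambiguous uid (more than one entry) denies rather than merging keys.
    """
    matches = [
        e for e in entries
        if "ldappublickey" in (v.lower() for v in e.get("objectclass", []))
        and user.lower() in (v.lower() for v in e.get("uid", []))
    ]
    if len(matches) != 1:
        return []
    allowed = {v.lower() for v in matches[0].get("host", [])}
    if host.lower() not in allowed and "*" not in allowed:
        return []
    return list(matches[0].get("sshpublickey", []))


def main(argv):
    if len(argv) != 2:
        print("usage: ssh-ldap-keys USER", file=sys.stderr)
        return 2
    host = socket.gethostname().split(".")[0]  # short hostname of this server
    for key in keys_for(parse_ldif(SAMPLE_LDIF), argv[1], host):
        print(key)  # one authorized_keys line per key, as sshd expects
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two points worth keeping when this is connected to a live directory: the program runs as `AuthorizedKeysCommandUser`, so that account needs only a read-only bind and nothing else on the box, and the directory connection should use TLS with certificate verification so a spoofed LDAP server cannot hand sshd an attacker's key.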

Related

How to connect to a remote ldap server to perform ldap search from Windows 10 OS?

I am new to LDAP. I'm using Windows 10 and I'm trying to connect to a remote LDAP server in order to perform an ldapsearch operation. I have browsed about this but so far I have only come across very, very complicated steps, and I'm not sure if it's the right way either.
So can someone share the steps in order to achieve this?
I would rather recommend Apache Directory Studio, which works pretty similarly to any other kind of LDAP browser, such as the above-mentioned Softerra.
However, on Wikipedia you can find an exhaustive list of LDAP software.
You could use an LDAP browser, such as the Softerra LDAP Browser.
https://www.ldapadministrator.com/softerra-ldap-browser.htm
Then you enter the URL and authentication data of the server where you want to connect and you're ready to browse the data.
You will probably pass a "bind DN" (which identifies the user) and that user's password.

How can I add external users on Jenkins which is configured to use LDAP as user database?

I'm setting up a Jenkins server for a project of my company.
I configured the security realm to use LDAP and had no problem until we decided to hire external development team along with our devs.
We cannot create LDAP accounts for them for some reasons; however, it is essential to use the CI server together in order to collaborate and get the benefits of using a CI server.
Is it possible to add external users who are not in LDAP?
I can think of only one solution so far.
Use 'Jenkins's own user database' instead of 'LDAP' and create all users manually.
Any other solutions for this situation?
Seems like PAM is the way to go.
I haven't done it and am looking into doing it, but here is a suggestion from the lead Jenkins developer: http://jenkins-ci.361315.n4.nabble.com/Mixed-mode-authentication-td3447248.html
I don't think so; probably the best you can do is try to persuade your network security team to add the external development team to your LDAP system, giving them a different security role.
For example you could create roles for jenkins_admin, jenkins_staff, jenkins_contractor and then give them different privileges but without rights to other resources.
How will you allow your external development team to commit to your SCM?

How can I login to cPanel different ways

In how many ways can I log in to cPanel, or in how many ways can I access my cPanel?
I want to ask whether there is any other way to log in to cPanel. Please
There are various ways of logging into a cPanel/WHM server. Many of these logins are for different types of access. Below are the common logon screens, assuming any_domain.tld is a domain hosted on the server or the server IP address.
WHM: for performing administrative functions
https://any_domain.tld:2087 or http://any_domain.tld/whm
cPanel: for your web-hosting control panel.
https://any_domain.tld:2083 or http://any_domain.tld/cpanel
Webmail: for checking email accounts
https://any_domain.tld:2096 or http://any_domain.tld/webmail
Additionally there is a command line interface on your server called SSH. You will need to contact your server provider for information on accessing ssh including the port it runs on.

whats the proper way? sql server and services account

I've been reading about how you should assign a specific service account to each SQL service, but from what I've read, none of it has been detailed enough on how to properly create one. Would anyone mind explaining the steps for creating a local, low-permission account for the SQL service on Windows?
Some basic information is available at http://msdn.microsoft.com/en-us/library/cc281953.aspx
I tend to make domain user accounts with no particular rights on the network apart from what the account would normally receive (e.g. Domain Users). During SQL Server installation you provide these accounts to the SQL installer; it will correctly configure the accounts for you (adding them to certain groups, etc.).
If you're doing it after SQL installation the correct way to change the service account is to use the SQL Server Configuration Manager (in your start menu) as it will ensure the accounts are, once again, correctly configured.
Using domain accounts is great as you can then grant the service accounts access to particular network shares (backups) and other database servers (linked servers, etc).
As an additional measure if your network resources (file shares, etc) are secured using custom made security groups, rather than "domain users", your SQL Server services won't have access to these areas of the network they shouldn't be able to reach. I personally haven't tried removing the "domain users" membership - you can't break anything by giving it a go on a VM? :)
This site describes the different options to use the least privileges and the danger of the other options:
WHEN TO USE DOMAIN USER ACCOUNT?
WHEN TO USE NETWORK SERVICE ACCOUNT?
WHEN TO USE LOCAL USER ACCOUNT?
WHEN TO USE LOCAL SYSTEM ACCOUNT?
http://goo.gl/vG55n

Using ldap locally to share login info with webapps - Do I need Kerberos too?

So I'm setting up a dedicated server using Debian 5 Lenny. I will be using some Atlassian Tools (JIRA, Confluence, Bamboo, and Fisheye). I want to use a local LDAP server to store information for the users that will be accessing these software titles, so that they can use one set of credentials to log in.
I also want webmail users to be configured using LDAP.
However, this is a small operation. Three people. That's why all of the software, including the ldap server, will all be on the same machine.
That said, is it safe to store user credentials (including passwords) in LDAP without using Kerberos? I'm confused as to when Kerberos should be used.
Hypothetically, let's say I had two servers on a subnet. Server A received requests from the outside world for Atlassian tools. Server A communicates with the LDAP server (internally) on Server B. In that case, would I use Kerberos?
When do I use Kerberos? When do I not?
I am not setting anything like "Active Directory" up. No Samba either. Users do not need to log in to a domain (with access to files on the domain); they just need to log in to web apps. But if I was doing LDAP on its own dedicated machine, then I might want Kerberos?
:confuzzled: :(
-Sam
The simplest possible answer is yes, it is possible to store user names, user ids, and passwords without using Kerberos, and in fact directory services accessed via LDAP are an excellent tool for storing this sort of authentication and authorization information.
Update:
In my opinion, if you do choose an open source server, you will find OpenDS to be superior to OpenLDAP or Apache.
Basically, if you have Kerberos, you do not need any directory server. If you aren't in a corporate environment and are looking for an identity management store, you should definitely go for a directory server like OpenLDAP or Apache Directory. Kerberos requires running correctly set up DNS and NTP servers. This might be way too much. Even if you do, those lazy morons from Atlassian still did not implement Kerberos support in their products. You can't even go with that.
I just noticed that there are only three of you, maybe a simple database setup with MySQL would suffice instead of running a full-blown directory server?