# LDAP and access control lists (ACL)

## amasidlover

I'm just about to start my own small business, and am starting to think about IT infrastructure. Ideally I'd like to have one method to authenticate against for logging in, file sharing, webmail and some custom web applications. The best method looks to be LDAP.

I would also like to be able to manage access control lists (ACLs) (where users can be in multiple groups) for a couple of different things, firstly file access (through the Unix command line and through Samba/NFS) and also for accessing specific records in databases. The second bit I can write myself once I find software that will manage the ACL for me. I've searched Google and the forums and it looks like Linux can handle ACLs, but I can't find a how-to or explanation of setting it up.

I've tried searching the forums and Google for LDAP, ACL and Access Control List, but with no success. I'd appreciate some suggestions.

Thanks,

Alex
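Since the question is how Linux handles ACLs when a user sits in several groups, here is a worked example (added to this page, not code from the thread or from the acl package) that parses the text `getfacl(1)` prints and reproduces the kernel's POSIX.1e access decision, including the mask entry that caps every named-user and group entry. The file, the users and the groups are constructed for illustration.

```python
"""POSIX ACL evaluation the way Linux does it.

Added example, not code from the original thread. It parses the text that
getfacl(1) prints and answers "may this user, who is in several groups,
read/write/execute the file?", applying the mask entry that caps every
named-user and group entry. The sample output, users and groups below are
constructed for illustration.
"""

# Constructed sample: what `getfacl /srv/projects/report.odt` could print
# after a few `setfacl -m` calls. The 'contractors' entry is a deny entry.
SAMPLE_GETFACL = """\
# file: srv/projects/report.odt
# owner: alex
# group: staff
user::rw-
user:jeroen:rwx
group::r--
group:finance:rw-
group:sales:r--
group:contractors:---
mask::rw-
other::r--
"""


def _perm_set(perms):
    """'rw-' -> frozenset({'r', 'w'})."""
    return frozenset(c for c in perms[:3] if c in "rwx")


def parse_getfacl(text):
    """Turn getfacl output into a dict keyed by ACL tag type."""
    acl = {"owner": None, "group": None, "user_obj": None, "group_obj": None,
           "users": {}, "groups": {}, "mask": None, "other": None}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):                  # header, e.g. "# owner: alex"
            key, _, value = line[1:].strip().partition(":")
            if key.strip() in ("owner", "group"):
                acl[key.strip()] = value.strip()
            continue
        line = line.split("#", 1)[0].strip()      # drop "\t#effective:r--"
        tag, qualifier, perms = line.split(":", 2)
        perms = _perm_set(perms)
        if tag == "user":
            if qualifier:
                acl["users"][qualifier] = perms   # ACL_USER
            else:
                acl["user_obj"] = perms           # ACL_USER_OBJ (the owner)
        elif tag == "group":
            if qualifier:
                acl["groups"][qualifier] = perms  # ACL_GROUP
            else:
                acl["group_obj"] = perms          # ACL_GROUP_OBJ (owning group)
        elif tag == "mask":
            acl["mask"] = perms                   # ACL_MASK
        elif tag == "other":
            acl["other"] = perms                  # ACL_OTHER
        else:
            raise ValueError("unknown ACL tag: %r" % tag)
    return acl


def acl_permits(acl, user, groups, want):
    """Decide access in the order the kernel's posix_acl_permission() uses.

    1. owner          -> ACL_USER_OBJ, never masked
    2. named user     -> ACL_USER & mask; no fallback to group entries
    3. owning group and every named group the caller belongs to -> allowed if
       any of them (after the mask) grants all wanted bits; if at least one
       group entry matched the caller but none grants, access is DENIED without
       looking at 'other' (this is what makes a '---' group entry a deny rule)
    4. no entry matched -> ACL_OTHER
    """
    want = _perm_set(want)
    mask = acl["mask"]

    def masked(perms):
        return perms & mask if mask is not None else perms

    if user == acl["owner"]:
        return want <= acl["user_obj"]
    if user in acl["users"]:
        return want <= masked(acl["users"][user])

    groups = set(groups)
    candidates = []
    if acl["group"] in groups:
        candidates.append(acl["group_obj"])
    candidates += [p for g, p in acl["groups"].items() if g in groups]
    if candidates:
        return any(want <= masked(p) for p in candidates)
    return want <= acl["other"]


def check(user, groups, want, text=SAMPLE_GETFACL):
    """Convenience wrapper: evaluate `want` for `user` against `text`."""
    return acl_permits(parse_getfacl(text), user, groups, want)


if __name__ == "__main__":
    for who, grps, w in [("jeroen", ["staff"], "x"), ("erin", ["finance"], "w"),
                         ("carol", ["contractors"], "r"), ("dave", [], "r")]:
        print(who, grps, w, "->", "allowed" if check(who, grps, w) else "denied")
```

Two things worth noticing from the constructed sample: `jeroen` has `rwx` on paper but cannot execute, because the mask is `rw-` and `chmod g=` on the file rewrites that mask; and a member of `contractors` is refused even though `other` would allow reading, because a matching group entry stops the fallback to `other`. For keeping ACLs around, the stock tools already do the dump/restore the thread talks about: `getfacl -R /srv > /var/backups/acls.txt` records a whole tree and `setfacl --restore=/var/backups/acls.txt` puts it back, which is the pair a cron job would call.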

----------

## Bigbeanpole

I know that Novell uses ACLs, and they're based on LDAP... you may find some documentation on their site as to how to set up Linux to do this (seeing as how they're in the Linux world with SuSE nowadays, I believe).

If you do find a solution, I'd be interested in hearing about it. I tried to set up LDAP myself a while back, and I failed miserably... most likely because I didn't have a lot of time to play with it, and it was on a production machine (I know, silly me), but for my 3-4 users, I thought it would be neat if I could get it set up with LDAP. *sigh* Not yet, I guess.

But yeah... give Novell's site a try. They may have some how-tos buried in there somewhere.

----------

## JeroenV

Hi,

I'm currently implementing Samba+PDC+LDAP+ACL on a production machine, seems like living on the edge ^2....

Strangely, it seems to be stated that Samba will "transparently" (???) cope with POSIX ACLs? See http://www.suse.de/~agruen/acl/linux-acls/online/

I'll keep you informed and am very interested in your experiences.

----------

## amasidlover

I've done a lot of reading around the subject and it looks like I'm going to be able to set up Samba as a PDC using LDAP log-ons without _too_ much difficulty, or at least without any show-stopping issues. This IDEALX guide looks like a good starting point.

And as far as I can tell virtually every app I'm looking at using will allow LDAP authentication so I may be getting close to a 'single-sign-in' system. 

The only thing that I'm really stuck on now is application support for ACLs, which may be a complete show-stopper as far as ACLs are concerned - at the moment it may have to rely on scheduled cron jobs to store and recreate ACLs regularly if I want to guarantee that they stay around...

As for other apps, this is the line up so far (Scat is a helpdesk app which I wrote - currently not open source, but that may change):

External Web Service - Apache

LDAP for user management - OpenLDAP

File Serving - Samba/NFS (LDAP Auth)

Remote (Web) File Access - Horde (Gollem) (LDAP Auth) 

Printing (inc. print accounting) - CUPS + PyKota (LDAP Auth)

Groupware - Open-Xchange (LDAP Auth)/OpenGroupware

Project Management Software - Scat4?

CRM Software - Scat3?

Time Tracking - Scat4?

IMAP (LDAP for auth) - Courier/Cyrus

SMTP - Postfix

Spam + Virus - ClamAV, SpamAssassin, Razor & Pyzor

VOIP - Asterisk (LDAP Auth?)

Accounting + Payroll - Clocksoft

mailing lists - Majordomo

VPN - OpenVPN? (LDAP Auth?)

File versioning - CVS + WebCVS (LDAP Auth)

DNS + DHCP

File Mirroring inc. Disaster recovery tests

BACKUP (decide on cycling)

Desktop Apps:

Gnome

Evolution (w/multisync)

OpenOffice

Abiword

Gnumeric

Firefox

Gimp

Inkscape

rhythmbox

Octave + Gnuplot

Lyx

acroread

Desktop/Laptop Custom Software:

Auto-replicate/rsync for off-net/VPN usage

To be honest, deciding on the apps for each use has been quite straightforward; the key is going to be being able to scale and disaster-recover efficiently. I'm going to have to create a set of scripts for each part that store the config and data and that can restore it onto a blank machine.

----------

## eikketk

FYI: there's a mailing list manager with native LDAP capabilities: Sympa (http://www.sympa.org/)

Courier-IMAP is nice using authdaemond and its LDAP capabilities.

You should use Subversion instead of CVS.

----------

## JeroenV

Anyone got ssh + pam_ldap working?

No matter what I do, I can't see any activity on the LDAP server when ssh'ing, and access is always denied for users that are only in LDAP. All other pam_ldap links (su, passwd, etc.) work fine.

----------

## JeroenV

OK, got pam_ldap working for ssh too, by enabling ChallengeResponseAuthentication in /etc/sshd_config and fiddling a bit with the order of rules in /etc/pam.d/sshd.

Now I have a fully working PDC+LDAP, next step is overhaul to ACLs

One big problem I can't seem to tackle:

https://forums.gentoo.org/viewtopic.php?p=1815469#1815469
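The post above names the two levers without saying why they matter. `ChallengeResponseAuthentication yes` turns on the keyboard-interactive method through which sshd runs the PAM conversation; the "order of rules" matters because PAM's control flags are evaluated in sequence and a `required` `pam_unix.so` placed before `pam_ldap.so` sinks every account that exists only in the directory. The example below (added here, not code from the thread or from Linux-PAM) implements the control semantics documented in pam.conf(5) and runs two constructed `/etc/pam.d/sshd` stacks against a constructed local-only account and a constructed LDAP-only account; the module bodies are stand-ins for pam_unix and pam_ldap.

```python
"""Why the order of lines in /etc/pam.d/sshd decides whether LDAP-only users
can log in.

Added example, not code from the original thread. It implements the semantics
of the four simple control values (required, requisite, sufficient, optional)
documented in pam.conf(5) and runs two constructed 'auth' stacks against two
constructed accounts: one that exists only in /etc/shadow and one that exists
only in LDAP. The module bodies are stand-ins for pam_unix/pam_ldap.
"""

# Constructed sample data: what each backend would know.
LOCAL_USERS = {"root": "toor"}          # /etc/shadow (pam_unix)
LDAP_USERS = {"jeroen": "hunter2"}      # the directory (pam_ldap)

# Stand-ins for the real modules; only success/failure matters here.
MODULES = {
    "pam_unix.so": lambda user, pw: LOCAL_USERS.get(user) == pw,
    "pam_ldap.so": lambda user, pw: LDAP_USERS.get(user) == pw,
    "pam_deny.so": lambda user, pw: False,
}

# Constructed: pam_unix 'required' before pam_ldap. An LDAP-only account
# fails pam_unix, that failure is remembered, and the later pam_ldap
# success cannot rescue the login.
BROKEN_SSHD = """\
auth    required    pam_unix.so
auth    sufficient  pam_ldap.so use_first_pass
account required    pam_unix.so
"""

# Constructed: the usual pam_ldap layout. Each backend is 'sufficient', then
# an explicit deny so that a user known to neither backend is refused.
WORKING_SSHD = """\
auth    sufficient  pam_unix.so
auth    sufficient  pam_ldap.so use_first_pass
auth    required    pam_deny.so
account required    pam_unix.so
"""

SIMPLE_CONTROLS = ("required", "requisite", "sufficient", "optional")


def parse_stack(text, facility="auth"):
    """Return [(control, module), ...] for one facility of a pam.d file.

    Module arguments such as use_first_pass are accepted but ignored, and the
    bracketed [value=action ...] control syntax is out of scope.
    """
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] != facility:
            continue
        control, module = parts[1], parts[2]
        if control not in SIMPLE_CONTROLS:
            raise ValueError("unsupported control: %r" % control)
        if module not in MODULES:
            raise ValueError("no stand-in for module: %r" % module)
        stack.append((control, module))
    return stack


def run_stack(stack, user, password):
    """Evaluate an auth stack per pam.conf(5):

    required   - failure is remembered; the remaining modules still run
    requisite  - failure ends the stack immediately with failure
    sufficient - success ends the stack with success unless an earlier
                 'required' module failed; failure is ignored
    optional   - result only counts when it is the only module in the stack
    """
    failed = False      # a required/requisite module has failed
    positive = False    # some module contributed a success
    for control, module in stack:
        ok = MODULES[module](user, password)
        if control == "required":
            if ok:
                positive = True
            else:
                failed = True
        elif control == "requisite":
            if not ok:
                return False
            positive = True
        elif control == "sufficient":
            if ok and not failed:
                return True
        elif control == "optional" and len(stack) == 1:
            return ok
    # A stack that never produced a success (e.g. every 'sufficient' module
    # failed) is a failure too; Linux-PAM treats that as a config error.
    return positive and not failed


def login(stack_text, user, password):
    """Would sshd's 'auth' stack accept this user/password?"""
    return run_stack(parse_stack(stack_text), user, password)


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_SSHD), ("working", WORKING_SSHD)):
        for user, pw in (("root", "toor"), ("jeroen", "hunter2"), ("mallory", "x")):
            print("%-8s %-8s -> %s" % (name, user, login(text, user, pw)))
```

With the broken stack `root` still logs in, which is exactly why the symptom in the earlier post looks like "the LDAP server sees nothing": the `required` failure of pam_unix has already decided the outcome before pam_ldap is consulted in any way that matters. The working layout also explains the trailing `pam_deny.so`: without it, a user known to neither backend would fall off the end of a stack made only of `sufficient` lines, and you would be relying on PAM's handling of that edge case rather than an explicit rule.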

----------

## robbo312

 *amasidlover wrote:*   

> I've done a lot of reading around the subject and it looks like I'm going to be able to set up Samba as a PDC using LDAP log-ons without _too_ much difficulty, or at least without any show-stopping issues. 
> 
> To be honest, deciding on the apps for each use has been quite straightforward; the key is going to be being able to scale and disaster-recover efficiently. I'm going to have to create a set of scripts for each part that store the config and data and that can restore it onto a blank machine.

 

Hello,

If you're looking to have Linux on the desktop as well as the server, have a look at the AFS file system (http://www.openafs.org); it will be harder to set up and understand at first than Samba, but it is a better overall 'way'.

The main reason is that it was designed to be used by multiple desktops and servers with single authentication and ACLs in mind.

Other main features are: ACLs, security, caching, replication, a single directory structure (/afs/home is the same /afs/home on all clients, etc.) and scalability. 

For a more detailed FAQ: http://www.angelfire.com/hi/plutonic/afs-faq.html

In my opinion I would use...

AFS instead of Samba for file serving, 

Kerberos for Authentication instead of LDAP

and use LDAP for user information (perhaps even host information?)

all the best,

Richard...

----------

## JeroenV

Sounds good!

I'd surely celebrate the day that I have the opportunity to replace WinXP by linux on the desktops as well, but unfortunately most people are still too afraid of compatibility issues. 

(And I must say, it is virtually impossible to be compatible with such garbage as e.g. Word files, in fact, Word itself isn't)

But that's another story... I will consider implementing AFS at home.

----------

## robbo312

 *JeroenV wrote:*   

> Sounds good 
> 
> I'd surely celebrate the day that I have the opportunity to replace WinXP by linux on the desktops as well, but unfortunately most people are still too afraid of compatibility issues. 
> 
> But that's another story... I will consider implementing AFS at home.

 

OpenAFS does a Windows version (server and client) of AFS; it's not as neat as the Unix versions though. Also Samba (and NFS) can serve files from an AFS system if wished.

You might want to look at Coda also; this has all the features of AFS but includes disconnected operation, which is useful for laptops or dodgy wireless links. Link is http://www.coda.cs.cmu.edu/

Coda is not as advanced as AFS, and isn't recommended for hundred-plus users, so AFS is better where you wish to have a rock-solid system.

----------

## amasidlover

 *robbo312 wrote:*   

> 
> 
> In my opinion I would use...
> 
> AFS instead of Samba for file serving, 
> ...

 

Hi, 

Thanks for that, I did look at using AFS some time ago (years...) but at the time it was overkill, I'll probably use it for this though.

I'm not sure what I gain by using Kerberos, though, as all web-accessed services use HTTPS (and hence encrypt passwords anyway) and SSH encrypts passwords; this only leaves Samba clients (which can be configured to encrypt passwords) and AFS clients (or does AFS work like NFS and simply trust the host to be honest about UIDs?). I won't be allowing use of FTP without separate user IDs and passwords.

Have I missed anything?

Alex

----------

