This container provides authentication services to other containers (LDAP and Kerberos).
Here are some recommended readings for LDAP:
It is a good idea to become familiar with the ldapsearch(1) utility. Here's a good resource to get started:
For example, on the CSC servers, you can query information about yourself:
```
ldapsearch -x uid=your_username
```
You can query the UW LDAP servers to see your student info:
```
ldapsearch -x -h uwldap.uwaterloo.ca -b dc=uwaterloo,dc=ca uid=your_username
```
You can also see your Active Directory information:
```
ldapsearch -x -h mixta.teaching.ds.uwaterloo.ca -b 'dc=teaching,dc=ds,dc=uwaterloo,dc=ca' sAMAccountName=your_username
```
Note that we do not use LDAP for authentication; we only use it for NSS (specifically, passwd and shadow information). For authentication, we use...
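Since LDAP here only feeds NSS, it helps to see exactly which posixAccount attributes end up in a passwd(5) entry. The following is an added example, not code from the auth1 README or the CSC playbooks: it unfolds and parses LDIF as printed by ldapsearch(1) and maps each posixAccount entry onto a passwd line. The LDIF text is a constructed sample with a made-up base DN, uid numbers and names, not real CSC directory data.

```python
"""Map ldapsearch LDIF output for posixAccount entries onto passwd(5) lines.

Added example (not part of the auth1 README). The password field is always "x":
the hash would come from the shadow map, and in this environment authentication is
done by Kerberos, so LDAP never has to carry usable password hashes at all.
"""
import base64

# Constructed sample of what `ldapsearch -x uid=ctdalek` prints (not real data).
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: uid=ctdalek
dn: uid=ctdalek,ou=People,dc=example,dc=com
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
uid: ctdalek
uidNumber: 20001
gidNumber: 20001
cn:: Q29tcHV0ZXIgU2NpZW5jZSBDbHVi
homeDirectory: /users/ctdalek
loginShell: /bin/bash
gecos: Test User
description: a value folded across two lines, which LDIF marks
  with a leading space on the continuation line

# search result
search: 2
result: 0 Success
"""


def unfold(text):
    """Join LDIF continuation lines (those starting with a single space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of entries, each a dict attribute -> list of values.

    Comments are skipped, a blank line ends an entry, "attr::" values are
    base64-decoded, and trailing ldapsearch summary lines (no dn) are dropped.
    """
    entries, current = [], {}
    for line in unfold(text):
        if line.startswith("#"):
            continue
        if line == "":
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(key, []).append(value)
    if "dn" in current:
        entries.append(current)
    return entries


def to_passwd_line(entry):
    """Render a posixAccount entry as a passwd(5) line, as NSS would see it."""
    if "posixAccount" not in entry.get("objectClass", []):
        raise ValueError("not a posixAccount entry")
    first = lambda attr, default="": entry.get(attr, [default])[0]
    gecos = first("gecos") or first("cn")
    return ":".join([
        first("uid"), "x", first("uidNumber"), first("gidNumber"),
        gecos, first("homeDirectory"), first("loginShell"),
    ])


if __name__ == "__main__":
    for e in parse_ldif(SAMPLE_LDIF):
        print(to_passwd_line(e))
```

Piping real output into it is just a matter of replacing `SAMPLE_LDIF` with `sys.stdin.read()`; the folded `description` attribute is in the sample only to exercise the unfolding step.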
Here are some recommended readings for Kerberos:

- https://wiki.csclub.uwaterloo.ca/Kerberos
- https://en.wikipedia.org/wiki/Kerberos_(protocol)
- https://web.mit.edu/kerberos/krb5-1.12/doc/index.html
Kerberos is an old, yet still widely-used, protocol for authentication and single sign-on. You should be familiar with kinit(1), as well as the basic commands for kadmin(1) (e.g. addprinc, modprinc, ktadd, etc.).
When you log in to any of the CSC servers, you should acquire a Kerberos ticket with kinit(1). This ticket allows you to log in to any of the other CSC machines without having to re-enter your password, and also covers a few other services, such as using ldapsearch(1) with SASL and sending email.
All of the passwords for the Kerberos principals in this dev environment are "krb5" (no quotes).
Once you have run the playbook for the auth1 container, make sure you can log in using Kerberos credentials:

```
lxc-attach -n auth1
login   # enter "ctdalek" for username, "krb5" for password
id      # should show "syscom" as one of the supplementary groups
kinit   # enter "krb5"
klist
```

The commands above should show the Kerberos ticket you just acquired for the user "ctdalek". You should also be able to run sudo, since sudo is configured via LDAP. Try SSH'ing into some of the other containers using your Kerberos ticket; you should not be prompted for your password.
If you want to see the keytab entries on a particular host:
```
klist -e -k /etc/krb5.keytab
```
It is important for each host to have a PTR record, otherwise SSH GSSAPI authentication will fail. The most recent version of the DNS playbook should have PTR records for each host.
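The reason the PTR record matters is that, with reverse-DNS canonicalization enabled (the `rdns` setting in krb5.conf, on by default in MIT krb5), the SSH client builds the server principal `host/<canonical name>@REALM` from the name it gets back for the server's address; if that name is missing or differs from the one in the host's keytab, the KDC cannot issue a service ticket and GSSAPI fails. The check below is an added example, not part of the auth1 README or the DNS playbook: it resolves a host forward and backward, reports PTR problems, and shows which principal a client would end up requesting. The realm `EXAMPLE.COM`, the host names and the addresses are placeholders, and the resolver functions are injectable so the check runs against constructed data.

```python
"""Audit the DNS prerequisites for SSH GSSAPI authentication.

Added example (not part of the auth1 README). The forward/reverse functions default
to the system resolver; the constructed tables below stand in for it so the check
can run offline.
"""
import socket

REALM = "EXAMPLE.COM"  # placeholder, not the dev environment's real realm


def host_principal(hostname, realm=REALM,
                   forward=socket.gethostbyname, reverse=socket.gethostbyaddr):
    """Return (principal, problems) for `hostname`.

    principal is the host/ service principal a client doing reverse-DNS
    canonicalization would ask the KDC for; problems lists the DNS defects
    that would make it differ from the principal in the host's keytab.
    """
    problems = []
    try:
        addr = forward(hostname)
    except OSError as exc:
        return None, [f"no A record for {hostname}: {exc}"]
    try:
        canon, _aliases, _addrs = reverse(addr)
    except OSError as exc:
        problems.append(f"no PTR record for {addr} ({hostname}): {exc}")
        canon = hostname  # without a PTR the client falls back to the forward name
    canon = canon.lower().rstrip(".")
    if canon != hostname.lower().rstrip("."):
        problems.append(f"PTR for {addr} is {canon}, expected {hostname}")
    return f"host/{canon}@{realm}", problems


def audit_hosts(hostnames, **resolvers):
    """Map each hostname to its list of problems (empty list means healthy)."""
    return {h: host_principal(h, **resolvers)[1] for h in hostnames}


# Constructed resolver data: one healthy host, one with a mismatched PTR,
# one with no PTR at all. None of these names or addresses are real.
SAMPLE_FORWARD = {
    "auth1.example.com": "10.0.0.11",
    "dns1.example.com": "10.0.0.2",
    "broken.example.com": "10.0.0.99",
}
SAMPLE_REVERSE = {
    "10.0.0.11": ("auth1.example.com", [], ["10.0.0.11"]),
    "10.0.0.2": ("ns.example.com", [], ["10.0.0.2"]),
}


def fake_forward(hostname):
    if hostname not in SAMPLE_FORWARD:
        raise socket.gaierror(-2, "Name or service not known")
    return SAMPLE_FORWARD[hostname]


def fake_reverse(addr):
    if addr not in SAMPLE_REVERSE:
        raise socket.herror(1, "Unknown host")
    return SAMPLE_REVERSE[addr]


if __name__ == "__main__":
    for host, problems in audit_hosts(SAMPLE_FORWARD, forward=fake_forward,
                                      reverse=fake_reverse).items():
        print(host, "OK" if not problems else "; ".join(problems))
```

Against the real environment, call `audit_hosts` with the container FQDNs and no resolver overrides; a non-empty problem list for a host is the usual explanation for "SSH prompts for a password even though klist shows a valid TGT".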