First and foremost, a little bit about my background. I am a 22-year-old software engineer. I work at a large company during the summer, and I am finishing up my degree during the "school year". I have a C/C++ background, and wrote most of that respective code on Windows machines, in Visual Studio.
At my school, however, we must use Unix (Debian) to submit all of our projects. That said, they must compile and run properly with gcc/g++ before we submit them. As a result, I started tailoring all of my projects to always run in Unix, as I became more familiar with Unix programming standards. I now use Eclipse with gcc/g++ to write all my code for school.
So recently, I've been further building upon my Linux knowledge. I have a dedicated server, with Debian 6 Squeeze installed. I'm looking to set up an Archiva repository, 4 or 5 Atlassian products, a Subversion repository, and an e-mail server.
Here's what I want. I want users to authenticate centrally through an LDAP server, for all of those titles. I want the LDAP server to run on localhost, so no iptables entries are added. I don't want it to be seen by the outside world. I'm doing this for a small project that three other people and I will be working on, and I want to adhere to industry standards/best practices for an agile development environment. I will not be setting up any kind of domain/directory, at least for now, but I WOULD like to be able to expand into that area in the future, if necessary. We will all be working from our personal machines, and the apps that we will be using are web-based, so we have no need for a domain/directory right now. Users won't be connecting to a domain when they log into their workstations; we need no 'centralized user storage', or anything like that.
So here's my question(s).
1) If I set up my environment as described above, will my source code and employee credentials be secure if I have SSL set up on each virtual host per software title? I would use SSHA1 as my encryption scheme in the LDAP database, and store passwords there. Is this a feasible and effective setup scenario, since all of our collaboration tools are web-based?
2) Should I use Kerberos? First, let me ask a sub-question. I hear that Kerberos doesn't submit your password over the network. But I also hear that if you use Kerberos, it gets public (but internal) user data from LDAP (if you configure it like that). Where the HELL does the password go, if Kerberos doesn't store it, nor does LDAP? I'm super confused about how Kerberos works, and I've read dozens of articles about it, and I've even seen diagrams. There's something fundamental about it that I'm missing. I know Kerberos may be "above and beyond" for what I need, if I don't have kerb_nss and pam_nss set up, since I don't need it for a directory solution. However, if I am planning on expanding my web-based collaboration environment to a domain-based (directory-based?) environment, should I use Kerberos authentication now, so it will be easy to upgrade in the future?
Also, if I did that, would it be plausible to have LDAP and Kerberos sitting on a second server, which wasn't available to the outside world (on the same subnet as my web server, which IS available for access to the outside world), for security purposes?
What's the fundamental difference between SSL and Kerberos? I need this explained to me in "human" terms. Not tutorial terms. Can any of you grasp what I am trying to figure out? Optimally I'd just like to use LDAP with SSHA1 for now, as it would be easier to set up - far less convoluted. I'm conflicted though, because I've read dozens of articles saying that LDAP shouldn't be used without Kerberos because of "security". Blah!
Thanks, and nice to meet you all. I'm taking my knowledge in a new, open-source direction. So you will definitely be seeing more of me around.
EDIT: Whichever way I decide to go, is there a way to configure a mail server to use LDAP/Krb credentials? Say I had https://webmail.mydomain.com, which ran a SquirrelMail client. Would it automatically create an account using someone's LDAP credentials, if they logged in using them?
Also, I'm confused about the hostname on my Squeeze installation. Right now, it's node.mydomain.com. However, how is that good for identifying my machine? Doesn't that just correspond to a virtual host at mydomain.com?
How do I configure my box, so that individual account directories can be accessed by going to http://node.mydomain.com/~accname?