Go Back   HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials > Linux Forums > Server Operation

Do you like HowtoForge? Please consider supporting us by becoming a subscriber.
Thread Tools Display Modes
Old 21st July 2011, 20:31
sam-the-man sam-the-man is offline
Junior Member
Join Date: Jul 2011
Posts: 2
Thanks: 0
Thanked 0 Times in 0 Posts
Default Help me understand: Kerberos, LDAP, Active Directory, etc.

Hello everyone,

First and foremost, a little bit about my background. I am a 22 year old software engineer. I work at a large company during the summer, and I am finishing up my degree during the "school year". I have a C/C++ background, and wrote most of that respective code on Windows machines, in Visual Studio.

At my school, however, we must use Unix (Debian) to submit all of our projects. That said, they must compile and run properly with gcc/g++ before we submit them. As a result, I started tailoring all of my projects to always run in Unix, as I became more familiar with Unix programming standards. I now use eclipse with gcc/g++ to write all my code for school.

So recently, I've been further building upon my linux knowledge. I have a dedicated server, with Debian 6 Squeeze installed. I'm looking to set up an Archiva repository, 4 or 5 Atlassian products, a subversion repository, and an e-mail server.

Here's what I want. I want users to authenticate centrally through an LDAP server, for all of those titles. I want the LDAP server to run on localhost, so no IPTables entries are added. I don't want it to be seen by the outside world. I'm doing this for a small project that me and three other people will be working on, and I want to adhere to industry standards/best practices for an agile development environment. I will not be setting up any kind of domain/directory, at least for now -> but I WOULD like to be able to expand into that area in the future, if necessary. We will all be working from our personal machines, and the apps that we will be using are web-based, so we have no need for a domain/directory right now. Users won't be connecting to a domain when they log into their workstations, we need no 'centralized user storage', or anything like that.

So here's my question(s).

1) If I set up my environment as described above, will my source code and employee credentials be secure if I have SSL set up on each virtual host per software title? I would use SSHA1 as my encryption scheme in the LDAP database, and store passwords there. Is this a feasible and effective setup scenario, since all of our collaboration tools are web-based?

2) Should I use Kerberos? First, let me ask a sub-question. I hear that kerberos doesn't submit your password over the network. But I also hear that if you use kerberos, it gets public (but internal) user data from LDAP (if you configure it like that). Where the HELL does the password go, if Kerberos doesn't store it, nor does LDAP? I'm super confused about how Kerberos works, and I've read dozens of articles about it, and I've even seen diagrams. There's something fundamental about it that I'm missing. I know Kerberos may be "above and beyond" for what I need, if I don't have kerb_nss and pam_nss set up, since I don't need it for a directory solution. However, if I am planning on expanding my web-based collaboration environment, to a domain-based (directory based?) environment, should I use Kerberos authentication now, so it will be easy to upgrade in the future?

Also, if I did that, would it be plausible to have LDAP and Kerberos sitting on a second server, which wasn't available to the outside world (on the subnet as my webserver, which IS available for access to the outside world) for security purposes?

What's the fundamental difference between SSL and Kerberos? I need this explained to me in "human" terms. Not tutorial terms. Can any of you grasp what I am trying to figure out? Optimally I'd just like to use LDAP with SSHA1 for now, as it would be easier to setup - far less convoluted. I'm conflicted though, because I've read dozens of articles saying that LDAP shouldn't be used without Kerberos because of "security". Blah!


Thanks, and nice to meet you all. I'm taking my knowledge in a new, open-source direction. So you will definitely be seeing more of me around.



EDIT: Whichever way I decide to go, is there a way to configure a mail server to use LDAP/Krb credentials? Say I had https://webmail.mydomain.com, which ran a squirrelmail client. Would it automatically create an account using someone's LDAP credentials, if they logged in using them?

Also, I'm confused about the hostname on my squeeze installation. Right now, it's node.mydomain.com. However, how is that good for identifying my machine? Doesn't that just correspond to a virtual host at mydomain.com?

How do I configure my box, so that individual account directories can be accessed by going to http://node.mydomain.com/~accname?
Reply With Quote
Sponsored Links
Old 21st July 2011, 20:35
sam-the-man sam-the-man is offline
Junior Member
Join Date: Jul 2011
Posts: 2
Thanks: 0
Thanked 0 Times in 0 Posts
Default It yang?

It really ain't a little yang
Reply With Quote


debian, kerberos, ldap

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Webmin upgrade lishaw1968 Installation/Configuration 15 26th August 2010 16:23
Email problem 'Cannot set my user or group id.' (using ISPConfig 3 + OpenSuSE 11.2) urosm Installation/Configuration 5 19th June 2010 23:41
can't help ispconfig to install please help steve51184 Installation/Configuration 17 20th February 2009 11:37
ISPConfig install issues... flyingaggie Installation/Configuration 2 18th July 2008 11:46
Systemimager (rsync) doesn't copy all comedit HOWTO-Related Questions 11 19th January 2007 18:17

All times are GMT +2. The time now is 17:24.

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.