[Novalug] CI/CD my new frenemy

Derek LaHousse dlahouss@mtu.edu
Mon Apr 6 11:56:15 EDT 2015


AD literally IS LDAP and Kerberos.

Logging in to your workstation involves both Authentication (you have
the right password) and Authorization (you're allowed to shell).
Using your SSH keys requires authenticating (you have the right SSH
key) and authorizing (you're allowed to shell) on the other systems
too.

Authenticating to Kerberos gets you a ticket, and if you're using that
for authenticating to your workstation, you must have configured your
workstation to accept that ticket.  I continue to argue that setting
up the workstation on the domain is harder than dropping an identical
sssd.conf on all the systems to allow authnz against LDAP.

As for John's note, SSH "can use" an SSH key for allowing git to
authenticate, but it may also need to do keyboard-interactive and that
against LDAP through PAM (pam_sss please, pam_ldap and pam_ldapd are
both broken in interesting ways).

On Sun, Apr 5, 2015 at 7:04 PM, James Ewing Cottrell III
<JECottrell3@comcast.net> wrote:
> On 4/5/2015 3:29 PM, Derek LaHousse wrote:
>>
>> And where do you keep your Kerberos realm details, and other public
>> Kerberos information?  Yeah, LDAP.
>
>
> No, you keep it either in the Kerberos Server, or in Active Directory.
>
> Kerberos has Nothing To Do with LDAP!
>
>> Er, I feel like keeping keytabs on a bunch of machines is "more"
>> configuration than having one sssd.conf which all machines can use.
>
>
> You are confusing Authentication with Authorization, and with Identity
> Management. I suppose I am Splitting Hairs, because people often confuse the
> two, or they want both and tend to speak of them together.
>
> I was speaking of Authentication only, and only Initial Authentication. Once
> you are logged into your Workstation, you can use SSH Keys to get everywhere
> else. True, if you want to Kerberize the Servers too, you must have them
> Join the Domain; hence the keytabs you mention.
>
> But you pretty much only have one sssd.conf anyway, which you can simply
> rsync around, possibly your favorite CM system.
>
> Or you don't, and just rsync those files around too.
>
> JIM
>
> P.S. In the original item mentioned below, your 'authentication' IS your SSH
> key, PAM need not even be involved.
>
>
>> On Sat, Apr 4, 2015 at 1:28 AM, James Ewing Cottrell III via Novalug
>> <novalug@firemountain.net> wrote:
>>>
>>> Actually, I'd rather Authenticate to Kerberos.
>>>
>>> Much less Configuration.
>>>
>>> JIM
>>>
>>>
>>> On 3/30/2015 4:38 PM, John Franklin via Novalug wrote:
>>>>
>>>>
>>>> How are you using Git now?  If you're using ssh, then you want PAM to
>>>> authenticate to LDAP.  If you're using a http:// for transport, Apache
>>>> can
>>>> do the LDAP authentication.  I can't see how Git would *directly* use
>>>> LDAP.
>>>>
>>>> jf
>>>>
>>>> On Mar 30, 2015, at 4:29 PM, greg pryzby via Novalug
>>>> <novalug@firemountain.net> wrote:
>>>>
>>>>> Thank goodness for virt-manager and snapshots.
>>>>>
>>>>> I have a basic ldap, gerrit and jenkins installed and talking. Now to
>>>>> get git to use ldap. I think I can do it 'easily'. Then workflow from
>>>>> gerrit to jenkins and back....
>>>>>
>>>>> Kinda cool learning all this new stuff.
>>>>>
>>>>> And to think it was cronjobs running "co....; make; make install; make
>>>>> test; email results" back in the day
>>>>>
>>>>> I am afraid I might start coding again.
>>>>>
>>>>>
>>>>> --
>>>>> greg pryzby                              greg at pryzby dot org
>>>>> http://www.linkedin.com/in/gpryzby
>>>>>
>>>>> TWTR: gpryzby
>>>>> WEB:  http://www.MakeRoomForArt.com/
>>>>> BLOG: http://lonetrikerphotography.tumblr.com/ (photos)
>>>>> **********************************************************************
>>>>> The Novalug mailing list is hosted by firemountain.net.
>>>>>
>>>>> To unsubscribe or change delivery options:
>>>>> http://www.firemountain.net/mailman/listinfo/novalug
>>>>
>>>>
>>>>
>>>
>>
>>
>
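Derek's argument above is that one identical sssd.conf can do both halves of "authnz" against LDAP with no per-host secret, which is what lets it be copied to every machine. The following is an added example, not a file posted in this thread or shipped by the SSSD project; the hostname, base DN, CA path and group name are assumptions.

```ini
# Added example (not from the thread): a single sssd.conf doing
# authentication AND authorization against LDAP, with nothing host-specific
# in it, so the same file can be dropped on every system.
# ldap.example.com, dc=example,dc=com, the CA path and the group are assumed.
[sssd]
config_file_version = 2
services = nss, pam
domains = example

[domain/example]
# Identity: users and groups are looked up in the directory.
id_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_tls_cacert = /etc/ssl/certs/example-ca.pem
# demand = refuse to talk to an LDAP server whose certificate does not verify;
# the password below is only ever sent over this verified TLS session.
ldap_tls_reqcert = demand

# Authentication: the user's password is checked by binding to LDAP as them
# (this is what pam_sss hands to sssd at keyboard-interactive time).
auth_provider = ldap

# Authorization: a correct password is not enough; the account must also
# match this filter, here "member of the shell-users group".
access_provider = ldap
ldap_access_order = filter
ldap_access_filter = memberOf=cn=shell-users,ou=groups,dc=example,dc=com

# No offline password cache: a host cannot keep accepting a credential
# after it has been changed or the account disabled in the directory.
cache_credentials = false
enumerate = false
```

Two things worth checking when copying this around: sssd refuses to start unless the file is owned by root with mode 0600, and the PAM stack on each host must actually reference pam_sss.so (auth, account and session lines), which is what Derek means by "pam_sss please". Because the file contains no bind DN or password, it relies on the directory allowing anonymous searches of users and groups; if your LDAP server requires an authenticated bind for lookups, the bind credential becomes a per-host secret and you are back to distributing something sensitive, much like the keytabs discussed above.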
