Author Archives: toby
lcfg-x509 and letsencrypt
Automated acquisition of X509 certificates is an important part of our infrastructure. We obtain certificates of two different types, both provided through services offered by the University: Certificates provided via JISC, which are signed by a CA trust chain whose …
The sssd component and sub-classing
When implementing sssd on SL7 we had to decide how to manage the configuration file (/etc/sssd/sssd.conf) used by sssd. Starting and stopping of the daemon itself is done by systemd. We considered a custom component, but sssd.conf uses an INI-file …
openldap client and sssd
For the port of LCFG to SL7, we have been thinking about our LDAP client provision. Historically we have run a full slapd server on all clients, replicating hourly from the master. This was largely for reasons of stability and …
Changes to kdcregister
In Informatics we have, for years, used the kdcregister program to obtain keytabs for host-based Kerberos principals from the KDC. An important part of this usage is to obtain keytabs when a machine is being installed. This has historically worked …
Looking at kerberos authentication in iOS7
Our recent survey into areas where we could improve mobile support for our services indicated “authentication” as such an area, specifically “allowing mobile users to use authentication mechanisms such as kerberos to access secure School services”. I investigated how we …
openldap proxycaching project update
In December last year, I talked a bit about the issues affecting the OpenLDAP proxycaching project. This posting updates the current situation. Testing and Stability As a result of problems with slapd crashing, we turned on debugging in the LCFG …
Serving AFS space using Apache and mod_waklog
As part of the Informatics move to using AFS, Roger and I have been investigating how to serve AFS files using Apache. The primary technical consideration is that Apache needs to be able to authenticate against our KDC, needs to …
proxycaching project issues
These are the current main issues in the project for implementing a proxycaching OpenLDAP solution on our clients. The current focus is on increased testing, debugging crashes and contemplating 2.3 vs 2.4. Testing and stability We’re currently running proxycaching clients …
slapo-pcache and attribute lists
It’s worth noting this down as I don’t think it’s documented by OpenLDAP and every now and then it confuses me. It’s easiest to illustrate with an example… proxyattrset 0 uid gidNumber proxyattrset 1 memberUid gidNumber proxytemplate (&(objectClass=)(uid=)) 0 600 …
Cosign/Apache interaction
For too long now, Neil, Roger and I have occasionally looked at the way cosign behaves (or doesn’t) with Apache, only to end up looking at the same thing a few months later. I’ll attempt here to note down specifically …