Author Archives: toby

lcfg-x509 and letsencrypt

Automated acquisition of X509 certificates is an important part of our infrastructure. We obtain certificates of two different types, both provided through services offered by the University: Certificates provided via JISC, which are signed by a CA trust chain whose …

Posted in Uncategorized

The sssd component and sub-classing

When implementing sssd on SL7 we had to decide how to manage the configuration file (/etc/sssd/sssd.conf) used by sssd. Starting and stopping of the daemon itself is done by systemd. We considered a custom component, but sssd.conf uses an INI-file …

Posted in LCFG

openldap client and sssd

For the port of LCFG to SL7, we have been thinking about our LDAP client provision. Historically we have run a full slapd server on all clients, replicating hourly from the master. This was largely for reasons of stability and …

Posted in Uncategorized

Changes to kdcregister

In Informatics we have, for years, used the kdcregister program to obtain keytabs for host-based kerberos principals from the KDC. An important part of this usage is to obtain keytabs when a machine is being installed. This has historically worked …

Posted in Uncategorized

Looking at kerberos authentication in iOS7

Our recent survey into areas where we could improve mobile support for our services indicated “authentication” as such an area, specifically “allowing mobile users to use authentication mechanisms such as kerberos to access secure School services”. I investigated how we …

Posted in Kerberos

openldap proxycaching project update

In December last year, I talked a bit about the issues affecting the OpenLDAP proxycaching project. This posting updates the current situation. Testing and Stability As a result of problems with slapd crashing, we turned on debugging in the LCFG …

Posted in LDAP

Serving AFS space using Apache and mod_waklog

As part of the Informatics move to using AFS, Roger and I have been investigating how to serve AFS files using Apache. The primary technical consideration is that apache needs to be able to authenticate against our KDC, needs to …

Posted in AFS, Apache, Cosign

proxycaching project issues

These are the current main issues in the project for implementing a proxycaching OpenLDAP solution on our clients. The current focus is on increased testing, debugging crashes and contemplating 2.3 vs 2.4. Testing and stability We’re currently running proxycaching clients …

Posted in LDAP

slapo-pcache and attribute lists

It’s worth noting this down as I don’t think it’s documented by openldap and every now and then it confuses me. It’s easiest to illustrate with an example… proxyattrset 0 uid gidNumber proxyattrset 1 memberUid gidNumber proxytemplate (&(objectClass=)(uid=)) 0 600 …

Posted in LDAP

Cosign/Apache interaction

For too long now, Neil, Roger and I have occasionally looked at the way cosign behaves (or doesn’t) with apache, only to end up looking at the same thing a few months later. I’ll attempt here to note down specifically …

Posted in Apache, Cosign