Linux Users' Group of Davis (LUGOD)
 
Page last updated: 2004 Apr 28 16:18

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] Easiest way to integrate the login of large numbers of servers...




Jonathan said:
> Hey All!
>
> A debate has broken out here at my company between several of the
> engineers, and I'm writing to see what you guys think.
>
> Let me outline the problem... Our operation runs across 11 Red Hat 9
> servers right now, and 3 more are coming.  We're in 4 datacenters (though
> we only have one server for 2 of them for DNS and monitoring; the others
> are MAE West in SF and SureWest for our DRP), and we're starting to hit
> the limit on the number of passwords that we can remember.
>
> So, one school here says set up a secure OpenLDAP directory of some sort,
> and use that as a replacement for /etc/passwd.  Shockingly, the guy who
> is espousing this position is from Netscape originally. Hehe.
>
> The other approach (which I am completely unfamiliar with, I must admit) is
> Kerberos.  I'm not sure I *want* a three-headed dog in the company. :)
>
> So, what's the easiest, most secure way to tie in a login server to our
> systems in the eyes of some of the more experienced sysadmins out there?
> I've read up on both of these approaches, and they both seem to have their
> advantages and disadvantages.  There's nothing in my O'Reilly bookshelf
> outlining much about comparing this stuff.  Any advice?

Kerberos is rather well tested and has a better security model (when
properly implemented) than LDAP-based central authentication, but I think
you will find more support for LDAP-based authentication schemes in more
software.

It seems the trends of the market suggest that LDAP auth is going to
become a de facto standard. PeopleSoft allows for it, many web-based
services allow for it, Apache has modules to allow it as the
authentication method, etc.

We use LDAPS at our campus and plan to have LDAPS eventually become our
central authentication system. We are working with many legacy apps and
services which do not support authentication schemes other than those
which use plain text, but which do support normal LDAP; this permits us to
use stunnel to better secure their auth to a group of LDAP servers.

At the moment, I would probably go with LDAP based on market trends and an
expectation of future development in the private sector.

There is talk that MS will support LDAP auth (through relay) with their
servers, and the same with Apple in OS X. If this pans out, it may be
possible to actually have a single authentication center for all services,
OSes, and applications.

The learning curve for LDAP is steep when you also include auth. Making
LDAP auth highly available and scalable is tricky, but necessary if you
wish to go this route.

I suggest using OpenLDAP if you want an LDAP server.

HTH,
-ME

_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech
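The reply above describes fronting plaintext-only LDAP clients with stunnel so their simple binds reach a group of LDAPS servers over TLS, and warns that the client side of LDAP auth is the tricky part. The script below is an added example, not code from the original post or from LUGOD: it emits the client-side stunnel config and the matching nss_ldap/pam_ldap ldap.conf for that setup, the direct-LDAPS ldap.conf for hosts whose libraries speak TLS themselves, the weak plaintext config for comparison, and a small audit function that rejects any ldap.conf whose simple binds could leave the host in the clear. Hostnames (ldap1.example.edu and so on), the base DN, and the certificate paths are assumptions for illustration; the multiple `connect` lines rely on the failover support in stunnel 4.x and later, which is assumed to be what is installed.

```shell
#!/bin/sh
# Added example, not from the original post: client-side configuration for
# the stunnel-in-front-of-plaintext-LDAP approach. Hostnames, base DN and
# certificate paths below are assumptions for illustration.

# stunnel client config: listen on 127.0.0.1:389, forward over TLS to each
# LDAPS server given as host:port. "verify = 2" plus CAfile makes stunnel
# check the server certificate against the CA; a client-mode stunnel without
# it accepts any certificate, so the tunnel alone would not stop an
# interposed server. Several "connect" lines give failover across the server
# group (stunnel 4.x and later; assumed available on the installed version).
stunnel_client_conf() {
    printf 'client = yes\n'
    printf 'verify = 2\n'
    printf 'CAfile = /etc/stunnel/ldap-ca.pem\n\n'
    printf '[ldaps]\n'
    printf 'accept = 127.0.0.1:389\n'
    for server in "$@"; do
        printf 'connect = %s\n' "$server"
    done
}

# nss_ldap/pam_ldap config for a host behind the stunnel above. "ssl off" is
# acceptable only because the target is loopback: the bind leaves the box
# inside stunnel's TLS session.
ldap_client_conf_via_stunnel() {
    base=$1
    printf 'uri ldap://127.0.0.1/\n'
    printf 'base %s\n' "$base"
    printf 'ssl off\n'
    printf 'pam_password exop\n'
}

# nss_ldap/pam_ldap config for a host whose libraries do LDAPS directly.
# tls_checkpeer is the part people forget: with it off the client still
# encrypts, but to whoever answers on port 636.
ldap_client_conf_direct_ldaps() {
    base=$1; shift
    uris=""
    for server in "$@"; do
        uris="$uris ldaps://$server/"
    done
    printf 'uri%s\n' "$uris"
    printf 'base %s\n' "$base"
    printf 'ssl on\n'
    printf 'tls_checkpeer yes\n'
    printf 'tls_cacertfile /etc/openldap/cacerts/ldap-ca.pem\n'
    printf 'pam_password exop\n'
}

# The weak setting for comparison: plaintext simple binds straight to a
# remote server, so every login sends the password over the wire in clear.
ldap_client_conf_plaintext() {
    base=$1; server=$2
    printf 'host %s\n' "$server"
    printf 'base %s\n' "$base"
    printf 'ssl off\n'
}

# Audit check: read an ldap.conf on stdin, return 0 only if no simple bind
# can leave the host unprotected. Either TLS is on AND the server certificate
# is verified, or every uri/host target is loopback (stunnel fronts it).
ldap_conf_is_safe() {
    conf=$(cat)
    if printf '%s\n' "$conf" | grep -Eq '^ssl[[:space:]]+(on|start_tls)[[:space:]]*$' &&
       printf '%s\n' "$conf" | grep -Eq '^tls_checkpeer[[:space:]]+yes[[:space:]]*$'; then
        return 0
    fi
    targets=$(printf '%s\n' "$conf" |
        awk '/^(uri|host)[[:space:]]/ { for (i = 2; i <= NF; i++) print $i }')
    for target in $targets; do
        case "$target" in
            127.0.0.1|localhost|ldap://127.0.0.1|ldap://127.0.0.1/*|ldap://127.0.0.1:*|ldap://localhost|ldap://localhost/*|ldap://localhost:*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Typical use on a legacy host (paths assumed):
#   stunnel_client_conf ldap1.example.edu:636 ldap2.example.edu:636 > /etc/stunnel/ldap.conf
#   ldap_client_conf_via_stunnel 'dc=example,dc=edu' > /etc/ldap.conf
```

The audit function is deliberately strict about `tls_checkpeer`: an ldap.conf with `ssl on` but no peer verification is treated as unsafe, and a config pointing at loopback is accepted only because the stunnel config alongside it does the verification with `verify = 2` and a pinned CA file.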
