Slashdot Mirror

← Back to Stories (view on slashdot.org)

Enterprise-Level Authentication for Linux?

Posted by Cliff on from the bin-login-username-password dept.

Jon Hill asks: "Authentication is an integral function of any network but the problem of unified authentication on large distributed systems becomes daunting when you look for Linux based solutions. I am the MIS Director for a technical R&D company with 10 locations in several states and have pushed Linux at the server level successfully for several years. As the system has grown the need for a unified authentication scheme has become a necessity. I have looked over NIS, NIS+, LDAP, Kerberos, and others but haven't found anything that will unify even our servers (ie. file/email/FTP). All sites are linked via a static VPN so there is good secure communication available. What suggestions do readers have to solve what I'd have thought was a common problem? Any case studies, product links, code, and other examples will be appreciated." Any Slashdotters who run enterprise-level installations care to comment on how well Linux's authentication works? In your mind, what does Linux need to do to improve it's profile in this regard? Could PAM at least provide a partial answer to this question, considering that it would provide a way for any authentication scheme to link into the system as a whole, without having to force hard-to-maintain code changes in the user-land applications.

4 of 25 comments (clear)

  1. Surely LDAP? by Anonymous Coward · · Score: 1, Informative

    Using LDAP and PAM/SASL you can use the same set of login credentials for Unix, Novell and NT.

    You've also got centralized management and administration, and don't have to limit this to login credentials either - you could store the ip addresses of each host, the configuration of every printer etc...

    1. Re:Surely LDAP? by Anonymous Coward · · Score: 3, Informative

      I should also add, that using LDAP allows you to enforce a whole load of profile restrictions ontop of your Unix login restrictions.

      For instance, you can make some accounts/groups only able to login between certain hours of the day - and this will be true for everything that uses the LDAP authentication - be it Windows client, firewall, unix workstation - whatever.

      Theres a whole bunch of other stuff that you can makes use of too - quota limits across all platforms, the ldap directory also (handily) will serve as an enterprise wide telephone/address book - so you can hook it straight up to your intranet.

      Theres a really good book about all this "Understanding and Deploying LDAP Directory services", published by Macmillan technical publishing. Its a weighty tome, but very informative.

  2. eDirectory (NDS)? by sphealey · · Score: 3, Informative

    Have you looked at Novell's eDirectory?

    sPh

  3. PAM and LDAP. by imagi · · Score: 2, Informative

    I wrote a document on authenticating enterprise systems agains LDAP. May be of some use to you: http://imaginator.com/~simon/ldap/ It's actually pretty easy!