Slashdot Mirror


Enterprise-Level Authentication for Linux?

Jon Hill asks: "Authentication is an integral function of any network but the problem of unified authentication on large distributed systems becomes daunting when you look for Linux-based solutions. I am the MIS Director for a technical R&D company with 10 locations in several states and have pushed Linux at the server level successfully for several years. As the system has grown the need for a unified authentication scheme has become a necessity. I have looked over NIS, NIS+, LDAP, Kerberos, and others but haven't found anything that will unify even our servers (i.e. file/email/FTP). All sites are linked via a static VPN so there is good secure communication available. What suggestions do readers have to solve what I'd have thought was a common problem? Any case studies, product links, code, and other examples will be appreciated." Any Slashdotters who run enterprise-level installations care to comment on how well Linux's authentication works? In your mind, what does Linux need to do to improve its profile in this regard? Could PAM at least provide a partial answer to this question, considering that it would provide a way for any authentication scheme to link into the system as a whole, without having to force hard-to-maintain code changes in the user-land applications?

2 of 25 comments

  1. The kernel doesn't need it. by AntipodesTroll · Score: 4, Insightful

    Everyone considering auth inside the corporate structure should already know that the kernel is not the place for any-and-all auth schemes. Sun know this, that's why PAM is part of Solaris, and that seems good enough for the Solaris commercial environments.

    This is the whole idea behind PAM. Give the hooks needed to implement your own modules, that is the simplest and best thing *LINUX* can do for auth. Let other groups, like Samba, and those who work on Netware, and other groups who concentrate on interoperability, come up with modules for PAM. People who are interested should read the stuff on winbindd in Samba 2.2.2, it's good stuff. And that said, nowadays the auth options for Linux-based OS's are good and getting better.

    ObSlashdot: "In your mind, what does Linux need to do to improve its profile in this regard?" Well, why do Slashdot editors wish to insult those posters that have a clue, while patronising everyone else? If you wonder why people troll, your answer is right there. (Watch me get slapped for this! :)

    --
    Anyone who considers arithmetical methods of producing random numbers is, of course, in a state of sin. - John von Neumann
  2. What kind of research did this guy do, anyway? by disappear · Score: 5, Insightful

    You can do this with NIS, Kerberos, or LDAP on Linux, using PAM modules. In fact, out of the box, Red Hat can support any of those three. New versions of SAMBA have a beta-quality utility to do the same from a Windows domain controller, IIRC.

    Now, it's entirely possible that this guy has some needs that weren't articulated in his message --- but if so, he should have articulated them in the message, as the basic case is trivial on Linux. AFAIK it should be no problem to authenticate for any of the aforementioned tasks.

    That said, PAM is a major PITA to configure: the files are rather opaque if you haven't used them before. (Need a consultant? I'm available: www.cluestickconsulting.com)
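
An added illustration, not part of the thread or of any poster's text: a simplified Python model of how a PAM `auth` stack combines a local module with a directory module, the mechanism both comments point to. The service-file lines are constructed; `pam_unix.so`, `pam_ldap.so` and `pam_deny.so` are real module names, but their outcomes are supplied by hand, and `[value=action]` controls and `include` lines are not modelled.

```python
# Simplified model of how libpam combines module results for one stack.
# Added illustration: module outcomes are passed in, nothing is executed.

# Constructed service file in the /etc/pam.d/<service> layout.
SAMPLE = """\
# type   control     module        arguments
auth     sufficient  pam_unix.so   nullok
auth     sufficient  pam_ldap.so   use_first_pass
auth     required    pam_deny.so
account  required    pam_unix.so
"""

CONTROLS = ("required", "requisite", "sufficient", "optional")

def parse(text, mgmt_type="auth"):
    """Return [(control, module, args)] for one management type."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or fields[1] not in CONTROLS:
            raise ValueError(f"unsupported PAM line: {raw!r}")
        typ, control, module, *args = fields
        if typ == mgmt_type:
            stack.append((control, module, args))
    return stack

def evaluate(stack, results):
    """results maps module name -> True (success) or False (failure)."""
    required_failed = False
    any_success = False
    for control, module, _args in stack:
        if results[module]:
            if control == "sufficient" and not required_failed:
                return True            # stop here, later modules are skipped
            any_success = True
        elif control == "requisite":
            return False               # fail immediately
        elif control == "required":
            required_failed = True     # keep going, but the stack will fail
        # failed "sufficient"/"optional" modules are ignored
    return any_success and not required_failed

if __name__ == "__main__":
    auth = parse(SAMPLE)
    for unix_ok, ldap_ok in [(True, False), (False, True), (False, False)]:
        outcome = evaluate(auth, {"pam_unix.so": unix_ok, "pam_ldap.so": ldap_ok, "pam_deny.so": False})
        print(f"local={unix_ok} ldap={ldap_ok} -> {'granted' if outcome else 'denied'}")
```

The trailing `required pam_deny.so` line is what makes the stack fail closed when neither the local nor the directory module accepts the credentials.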