Slashdot Mirror


User Account Management?

Jeremy Welling asks: "I work in a corporate data center with all the major Unices present. Currently we are using a third party product to manage user logins and authentication. In our goals for 2002, we want to move off that product, and the current plan is to go to NIS. Due to the inherent security holes in NIS, I am investigating using LDAP. We would also like to tie this into the NT domain logins. My question is, how difficult is this to do, what LDAP server software would be best, and what OS platform should we look at?"

2 of 23 comments shown

  1. eDirectory is the way to go by AndyDeck · Score: 5, Informative

    I think Novell's eDirectory is a possible solution. You can run eDirectory on NetWare® 5.x or above, Windows 2000, Windows NT, Solaris, Linux, or Tru64. There are other Novell products (NDS-AS, DirXML, Zen for Desktops, Novell Account Management, SecureLogin) that extend eDirectory's reach even further.

    There is a PAM module available for Linux that lets you log in using NDS (eDirectory) credentials. Other *nix clients should be handled the same. For an NT client you would either need to use Zen for Desktop's Dynamic Local User or you would need to use Novell Account Management. Account Management on NT will redirect the domain into NDS. On 2000, it will synchronize with Active Directory.

    The other products I mentioned can take you in other directions. DirXML is a meta-directory synchronization tool. Available conduits include Active Directory, Exchange, LDAP, GroupWise, Lotus Notes, NT Domain, JDBC, Peoplesoft, SAP HR, and Delimited Text.

    NDS Authentication Services (NDS-AS) extends NDS (eDirectory) authentication redirection to other platforms, including AIX, FreeBSD, HP-UX, Linux, OS/390, Solaris, and Windows. Note that some of NDS-AS duplicates functionality found in eDirectory or Account Management.

    SecureLogin is a single sign-on technology, which may be another way to solve your problem.

    To give you a bottom line answer, even if you want to ignore alternate solutions and go with a straight LDAP directory, use eDirectory. It doesn't matter which platform you run it from, Novell has demonstrated billion-user trees on several host OSes.

    --

    The Crystal Wind is the Storm, and the Storm is Data, and the Data is Life

  2. LDAP is a way of life by sclatter · Score: 5, Interesting

    I'm an LDAP advocate. It is exactly the right solution for a lot of problems. It is extremely powerful and flexible, and the more I've used it the more uses I've found for it. Once you've experienced the power of a fast and reliable central repository for a spectrum of IT information you never want to go back.

    But. But.

    LDAP, to be really useful, must be a way of life. You must put it in the center of your IT universe and defer always to it. It becomes the final "owner" for all your information. I found this invaluable, as suddenly the nightmares of maintaining a thousand different instances of the same or similar data just vanish. People get really excited once they realize all that LDAP can do for them. It's so flexible and extensible that you can put almost anything in it.

    But this power comes at a pretty high up front cost in time and effort. If all you really care about is user auth it's probably not worth it. When your world revolves around LDAP, the hassles involved with getting PAM working on all your flavors of Unix and all that stuff become minor. Yes, you can get your NT domain to authenticate through it. Yes, you can get all your web servers to authenticate through it. It's not always easy, though. Often it's quite hard.

    But if you commit to it, and follow through, the dream of one password everywhere is just one of the many rewards that you will reap.

    As far as implementations, I've used Netscape/iPlanet and I've played with OpenLDAP. I used to work at Netscape so I'm biased, but I'd say spring for the iPlanet stuff if you can afford it. I found the OpenLDAP ACLs unintuitive and I heard reports that replication is unreliable.

    A final caveat. If you do choose LDAP, and you choose to make it a central part of your IT infrastructure, make this your mantra: "Read often, write seldom". LDAP is *NOT* a database. Let me repeat. LDAP is *NOT A DATABASE*. When people realize everything you can put into LDAP the first thing they want to do is try to make believe it's Oracle. Try to use it for write intensive applications and the only person more miserable than your users will be you.

    Good Luck! :-)
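As an added illustration of the PAM-on-Unix piece sclatter describes (this is not from the thread or any poster, and not from any vendor's documentation), the fragments below show what a Unix host looks like when it resolves accounts and authenticates against a central LDAP directory with the PADL nss_ldap/pam_ldap client modules rather than NIS. The hostnames, base DN, group DN, CA certificate path and file locations are placeholders I made up; the option names are the ones those modules accept. The TLS and scope settings are the security-relevant part: unlike NIS maps, nothing crosses the wire in clear, the server certificate is checked, and only members of a named group may log in on the host.

```conf
# /etc/ldap.conf  (nss_ldap / pam_ldap client; all names and paths are placeholders)
uri ldap://ldap1.example.internal ldap://ldap2.example.internal
base dc=example,dc=internal
ldap_version 3

# Upgrade every connection to TLS and refuse to talk to a server whose
# certificate does not chain to the corporate CA. This is the property NIS
# cannot give you: passwd/shadow data and bind credentials stay encrypted.
ssl start_tls
tls_cacertfile /etc/ssl/certs/corp-ca.pem
tls_checkpeer yes

# Ordinary lookups bind anonymously (the directory ACLs decide what is
# readable). Only root uses a privileged identity, with the password kept in
# /etc/ldap.secret (mode 0600), never in this world-readable file.
rootbinddn cn=nss-root,ou=service,dc=example,dc=internal

# Password changes go through the password-modify extended operation so the
# server, not the client, decides how userPassword is hashed and stored.
pam_password exop

# Restrict NSS searches to one level under the account containers so a stray
# entry elsewhere in the tree can never become a Unix account on this host.
nss_base_passwd ou=people,dc=example,dc=internal?one
nss_base_group  ou=groups,dc=example,dc=internal?one

# Host-level authorization: only members of this group get a PAM login here.
pam_groupdn cn=unix-login,ou=groups,dc=example,dc=internal
pam_member_attribute member

# If every directory server is down, fail soft and quickly so local accounts
# in /etc/passwd still work and you are not locked out of the box.
bind_policy soft
bind_timelimit 5

# /etc/nsswitch.conf -- local files are consulted first, the directory second
passwd: files ldap
group:  files ldap
shadow: files ldap

# /etc/pam.d/<service> auth stack (Linux-PAM syntax; file names and module
# paths differ on Solaris, AIX and HP-UX). Local accounts succeed on pam_unix;
# everyone else must bind to the directory with the same password.
auth    sufficient  pam_unix.so
auth    required    pam_ldap.so use_first_pass
```

Before switching a production host over, confirm that `getent passwd <ldap-user>` and `id <ldap-user>` return the directory entry with `files ldap` in place, that a login for a user outside the `pam_groupdn` group is refused, and that the directory servers reject plain (non-TLS) binds, so the client-side `ssl start_tls` cannot be silently downgraded. The account, password and session stacks are built the same way, one platform at a time.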