Slashdot Mirror


Cross-platform Password Management?

Martin Blank writes "I work in a NOC, and one of the debates you will find in any strongly-mixed environment like this is preferred OS. We have people who prefer Windows, some who like Linux, and some who do almost everything on Solaris boxes. However, this also means that much software is not available over all three. With all of the servers, routers, and various other protected systems we have, the sheer quantity of passwords is mind-bogglingly difficult to keep track of in a secure fashion. Are there any packages out there right now running on at least Windows and Linux, and preferably also Solaris, that can access a central password file?"

2 of 318 comments (clear)

  1. Re:LDAP by Anthony+Boyd · · Score: 5, Interesting
    LDAP is very scalable with an extensible schema, and can provide support for more then usernames and passwords.

    I think Pat Jensen has really got some good advice here. At SST, we're slowing moving to a "universal login" system for our Web sites. There are about 5 internal & external sites, each requiring different usernames & passwords. Our solution is to set up a MySQL database with login data and nothing more, and then each Web site will check for a cookie (MD5 hash with IP addy, so the cookie is difficult to spoof). Since all our sites operate under sst.com, they should all be able to view the cookie and verify it.

    However, and as an inevitable side-effect, people are now asking why we can't use that same system for NT logins and Outlook and yadda yadda. If we had chosen LDAP, this would have solved the issue, as LDAP can be plugged into a bit more than MySQL can. We will still do this, it just means we have to revise, revise, revise. I have yet to look into how well PHP and ASP support LDAP, and just how much LDAP can do, but it appears to be much more in line with our needs. Can anyone speak definitively about what PHP and ASP and NT and Outlook can do with LDAP?

  2. good luck by Chundra · · Score: 5, Interesting

    I see many folks saying to stick with just kerberos, or just LDAP or even Active Directory. I work at a largish university and had to come up with a roll your own solution a while back mainly due to political reasons (the NT group would only use Active Directory, the UNIX guys wanted Kerberos, the dialup used Cisco Secure, other systems stored digested passwords in an oracle table, some things required LDAP, etc., etc.) What we decided on, and what I wound up writing was a bunch of perl code to synchronize ALL of these different schemes. We have upwards of 50k users, and we've been using this for 3 years now with no problems.

    Then again, this is a university where we basically provide services that faculty request and we don't have the luxury of not using software x because it uses authentication scheme y and we only support authentication scheme z. If you have a situation like this, it isn't that difficult to come up with the glue you need.