Slashdot Mirror


Centralized and Secure Authentication?

signal7 asks: "I run a network of 50+ workstations. Some are UNIX, some are Novell, some are NT, etc. The problem is I recently set up a killer Samba server, but synchronizing user information in a *SECURE* fashion just doesn't seem possible. I'm looking for something that provides the exchange mechanism of, say, Lerberos, with the centralization of LDAP. Anyone have any suggestions?"

9 comments

  1. ypldapd, pam_ldap @ www.padl.com by Anonymous Coward · · Score: 0

    ypldapd?

    NIS+ with LDAP integration?
    That would probably do it.

    www.padl.com

    The PAM stuff is free. The NIS stuff is commercial.

    1. Re:ypldapd, pam_ldap @ www.padl.com by signal7 · · Score: 1
ahh - but I read most of the RFCs on LDAP and the protocol is not secure. Any idiot that has root would be able to query my LDAP server. That's why I wanted something more like a secure challenge/response mechanism like SMB or Kerberos (not Lerberos -- seriously, I did NOT misspell that when I submitted it, I'm sure of it).

      Anyway, I do appreciate the suggestion. I will take a look at pam_smb and see if it uses the NT challenge/response mechanism which would be a step in the right direction.

      --
      I have no sig.
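The kind of exchange signal7 is asking for, as an added illustration that is not code from this thread, from pam_smb or from Samba: a simplified HMAC-based challenge/response login in Python, showing both sides' messages, a wrong-password attempt, and a replayed response. The user name, password and verifier construction are constructed for the example, and the scheme is not NTLM itself (NTLM uses MD4 and DES), but the shape is the same: the password never crosses the wire, only a fresh challenge and a keyed response to it.

```python
import hashlib
import hmac
import os


def make_verifier(password: str) -> bytes:
    # Analogue of the NT hash: a fixed transform of the password that both
    # sides can compute. Whoever holds it can answer challenges (the
    # pass-the-hash problem), so the server-side store needs the same
    # protection as a password file. Plain SHA-256 is an assumption for
    # the example, not what any real protocol uses.
    return hashlib.sha256(password.encode("utf-8")).digest()


# Constructed sample user database; not real credentials.
USER_DB = {"alice": make_verifier("correct horse battery staple")}


class AuthServer:
    def __init__(self, user_db):
        self._db = user_db
        self._outstanding = {}  # username -> challenge currently in flight

    def challenge(self, username: str) -> bytes:
        # A fresh random nonce per attempt is what defeats replay.
        nonce = os.urandom(16)
        self._outstanding[username] = nonce
        return nonce

    def verify(self, username: str, response: bytes) -> bool:
        # pop(): a challenge is usable exactly once.
        nonce = self._outstanding.pop(username, None)
        verifier = self._db.get(username)
        if nonce is None or verifier is None:
            return False
        expected = hmac.new(verifier, nonce, hashlib.sha256).digest()
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(expected, response)


class Client:
    def __init__(self, username: str, password: str):
        self.username = username
        self._verifier = make_verifier(password)

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._verifier, challenge, hashlib.sha256).digest()


def login(server: AuthServer, client: Client, wire: list) -> bool:
    # `wire` records everything a passive observer on the network would see.
    challenge = server.challenge(client.username)
    wire.append(("S->C challenge", challenge))
    response = client.respond(challenge)
    wire.append(("C->S response", response))
    return server.verify(client.username, response)


def demo() -> dict:
    server = AuthServer(USER_DB)
    wire = []
    ok = login(server, Client("alice", "correct horse battery staple"), wire)
    bad = login(server, Client("alice", "wrong password"), wire)
    # Replay: reuse the first captured response against a new challenge.
    _, captured = wire[1]
    server.challenge("alice")
    replay = server.verify("alice", captured)
    secret_on_wire = any(b"correct horse" in payload for _, payload in wire)
    return {
        "ok": ok,
        "bad_password": bad,
        "replay": replay,
        "secret_on_wire": secret_on_wire,
    }


if __name__ == "__main__":
    print(demo())
```

The thing to notice is what the observer gets: a 16-byte nonce and a 32-byte MAC, neither of which is the password, and the MAC is worthless against the next nonce. What the observer can still do, exactly as with NTLM, is take the pair offline and guess passwords against it, which is why the verifier derivation and the password quality matter even when the exchange itself is sound.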

    2. Re:ypldapd, pam_ldap @ www.padl.com by cloudmaster · · Score: 1
      I will take a look at pam_smb and see if it uses the NT challenge/response mechanism...

      AFAIK, pam_smb doesn't change the part of the authentication which occurs over the network - that's controlled based on the "encrypted passwords" setting. pam_smb should just allow you to use the system password file instead of a separate one, which would also be good I guess. :)

      On a related note, I can't get pam to compile under SuSE 6.0/6.1 hybrid, at least not the pam rpm from redhat. Anyone else have any success? I guess I'll try the "real" source instead of redhat's... :)

      --Danny

    3. Re:ypldapd, pam_ldap @ www.padl.com by Anonymous Coward · · Score: 0

      Your Directory server has no relation to the root user, aside from who owns the actual backend database that the directory is using. This is true for any sort of authentication, some user will be able to read the user/pw database.

      You can use a variety of databases, e.g. Berkeley DB, Oracle, depending on your directory server.

      You can apply security throughout the tree, denying anonymous queries (i.e. require authentication first) or just deny all queries except to the entries that a user owns. etc. etc.

      LDAP is secure. You can use SSL to wrap it. One product that can do all this (ACLs, ACIs, SSL, different DB backends) is Netscape Directory Server 3.x and 4.x.... 4.1 has a beta for Linux and I know 4.1 just went RTM (release), not sure about the Linux version though.

      Netscape DS also has NT sync (both ways).
      For single signon, I believe the solution would be the use of certs.

  2. ACE Server by drig · · Score: 1

    Security Dynamics (the parent company of RSA Data Security Inc) makes a product called ACE server. It provides a centralized login with tokens. Tokens are hardware cards about the size of a credit card but a little thicker. It's based on some older crypto tech, but it still seems secure. They have NT servers and Linux clients, but I'm not sure how far they go with Linux clients (PAM integration? dunno....)

    http://www.securitydynamics.com

    --
    Citizens Against Plate Tectonics
  3. Ganymede by DrZaius · · Score: 1

    If you want to go to a directory service (which seems to be the case if you need to synchronize) there is a Java based (Java sucks, but I also think there are X clients as well) project called Ganymede (I think, I may be spelling it wrong).

    It kind of looks like NT user management and such, but it integrates such things as Dynamic DNS and DHCP and all of those sort of things. If you are unfamiliar with directory services, they basically bind a whole lot of data together (like user names, workstations, IPs, DNS entries, et cetera).

    Go look on freshmeat, I have not used it myself, but it looks pretty nice.

    --
    -- DrZaius - Minister of Sciences and Protector of the Faith
  4. NDS might be a possibility by Shadok8 · · Score: 1

    Since you already have some Novell servers, NDS might be a possibility. NDS is currently available for NT and Solaris. Novell has said they will have NDS for Linux out by the end of the year.

  5. Centralization by Squeamish Ossifrage · · Score: 1

    What sort of centralization is it that you want that Kerberos doesn't offer?

    1. Re:Centralization by signal7 · · Score: 1
      Kerberos doesn't centralize file sharing (NFS, Samba, etc.) and printing. As far as I can tell it only centralizes telnet and ftp.

      --
      I have no sig.