[vox-tech] Easiest way to integrate the login of large numbers of servers...

ME vox-tech@lists.lugod.org
Wed, 28 Apr 2004 14:47:09 -0700 (PDT) 

Jonathan said:
> Hey All!
>
> A debate has broken out here at my company between several of the
> engineers,
> and I'm writing to see what you guys think.
>
> Let me outline the problem... Our operation runs accross 11 redhat 9
> servers
> right now, and 3 more are coming.  We're in 4 datacenters (though we only
> have one server for 2 of them for DNS and monitoring, the others are Mae
> West in SF and SureWest for our DRP), and we're starting to hit the limit
> on
> the number of passwords that we can remember.
>
> So, one school here says set up a secure Open LDAP directory of some sort,
> and use that as a replacement for /etc/password.  Shockingly, the guy who
> is
> espousing this position is from Netscape originally. Hehe.
>
> The other approach (which I am completely unfamiliar with I must admit) is
> kerberos.  I'm not sure I *want* a three headed dog in the company. :)
>
> So, what's the easiest, most secure way to tie in a login server to our
> systems in the eyes of some of the more experienced sysadmins out there?
> I've read up on both of these approaches, and they both seem to have their
> advantages and disadvantages.  There's nothing in my O'Reilly bookshelf
> outlining much about comparing this stuff.  Any advice?

kerberos is rather well tested and has a better security model (when
properly implemented) than LDAP based central authentication, but I think
you will find more support for LDAP-based authentication shemes for more
software.

It seems the trends of the market suggest that LDAP auth is going to
become a defacto standard. PeopleSoft allows for it, many web-based
services allow for it, apache has modules to allow for it as the
authentication method, etc.

We use LDAPS at our campus and plan to have LDAPS eventually become our
central authenticaton system. We are working with many legacy aps and
services which do not support authentication schemes other than those
which use plain-text but support normal ldap, which permits us to use
stunnel to better secure their auth to a group of ldap servers.

ATM, I would probably go with LDAP based on market trends and an
expectation for future development in the private sector.

There is talk that MS will support LDAP auth (through relay) with their
servers and same with Apple in OS X. If this pans out, it may be possible
to actually have a single authentication center for all services, OS, and
applications.

Learning curve for LDAP is steep when you also include auth. Attempts to
make LDAP auth not only highly available and scalable are tricky, but
necessary if you wish to go this route.

I suggest using OpenLDAP if you want an LDAP server.

HTH,
-ME