> Plus, AD has its own headaches ;)
While people are chiming in about their authentication systems, I thought I'd ask about authentication systems that don't require MS support -- our servers are 100% Linux, and clients access only via web, sshfs, or ssh (possibly from any platform, in practice mostly OS X or Windows).

I have virtually no background in this, but have a pressing need to unify authentication systems for users who currently access our systems via web and shell through a horrible mixture of .htaccess basic auth (with htpasswd files), custom-CMS user databases, ssh keys, X.509 keys, and NIS username/password. We have several web servers running on several hosts on different networks in different buildings. Users need to have one identity, and to administer the system we need to keep passwords, public ssh keys, and public X.509 keys all in one place. Authorization policies we'll probably still have to struggle with, but at least having a single system with web-based access for user-driven account management (ideally including account request), and a single underlying system holding all the user account data, would obviously get rid of a lot of the current confusion.

OpenLDAP + 389 DS + WebMin + UserMin seem like they could do this, and that is the path I've started down. Most CMS systems (and Django, the main one we're using) will play nicely with LDAP, as will Apache httpd. ssh login will also be manageable via this system (of course). I'd like to be able to script ~/.ssh/authorized_keys file updates via web-based user-driven public-key additions (many accounts are shared for various good reasons), and similarly for X.509-based public key systems.

Any comments greatly appreciated. If/when we get this sorted out, it should form a nice collaborative science environment that BBLISA may be interested in hearing about. Right now it is one part string, one part sealing wax, and one part vaporware.

Ian
_______________________________________________ bblisa mailing list [email protected] http://www.bblisa.org/mailman/listinfo/bblisa
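The post above asks about scripting ~/.ssh/authorized_keys updates from a single directory holding everyone's public keys. The following is an added example, not code from the original post or from any of the tools it names. It assumes the openssh-lpk convention (an assumption, not stated in the post) of storing keys as a multi-valued sshPublicKey attribute on the user's LDAP entry, reads an LDIF export of that data (the format `ldapsearch -LLL` emits), and builds a deterministic authorized_keys file for one uid. Every stored value is validated before it is written, so a garbage or spoofed value in the directory cannot become a login credential: the line shape is checked, the blob must decode, and the key type embedded in the blob must match the declared type. The sample LDIF is constructed inline with placeholder blobs that are syntactically valid but are not real keys.

```python
"""Build ~/.ssh/authorized_keys content from an LDIF export of user entries.

Added example for the unified-LDAP setup discussed above; not code from the
original post. Assumes (an assumption) the openssh-lpk convention of a
multi-valued sshPublicKey attribute on each user's entry.
"""
import base64
import re
import struct
from typing import Dict, List, Optional, Tuple

# Key types we are willing to write into authorized_keys.
ALLOWED_TYPES = {
    "ssh-ed25519", "ssh-rsa",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}
# "<type> <base64 blob> [comment]" with no line breaks anywhere.
KEY_LINE = re.compile(r"(\S+) ([A-Za-z0-9+/]+=*)(?: ([^\r\n]*))?")


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse an LDIF export into a list of {attr: [values]} entries.

    Handles folded lines (continuation lines start with a space), base64
    values ('attr:: ...') and '#' comments; attribute names are lowercased.
    """
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    logical: List[str] = []
    for raw in text.splitlines() + [""]:   # trailing "" flushes the last entry
        if raw.startswith(" "):            # folded continuation of the previous line
            logical.append(raw[1:])
            continue
        if logical:                        # a complete logical line is ready
            line = "".join(logical)
            logical = []
            if not line.startswith("#"):
                attr, _, value = line.partition(":")
                if value.startswith(":"):  # 'attr:: base64'
                    value = base64.b64decode(value[1:].strip()).decode("utf-8")
                else:
                    value = value.strip()
                current.setdefault(attr.lower(), []).append(value)
        if raw == "":                      # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
        else:
            logical.append(raw)
    return entries


def validate_key(value: str) -> Optional[str]:
    """Return a normalised 'type blob [comment]' line, or None if the stored
    value is not an acceptable public key (bad shape, undecodable base64,
    disallowed type, or a blob whose embedded type differs from the declared one)."""
    m = KEY_LINE.fullmatch(value.strip())
    if not m:
        return None
    ktype, blob, comment = m.group(1), m.group(2), m.group(3) or ""
    if ktype not in ALLOWED_TYPES:
        return None
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:                     # binascii.Error is a ValueError
        return None
    # SSH wire format: the blob starts with a length-prefixed type string.
    if len(raw) < 4:
        return None
    (n,) = struct.unpack(">I", raw[:4])
    if raw[4:4 + n] != ktype.encode("ascii"):
        return None
    return f"{ktype} {blob} {comment}".rstrip()


def authorized_keys_for(entries, uid: str, options: str = "") -> Tuple[str, List[str]]:
    """Return (authorized_keys text, rejected raw values) for one uid.

    Keys are de-duplicated and sorted so repeated runs give byte-identical
    output (safe to diff or rsync). `options` is prefixed to every line,
    e.g. 'restrict,from="10.0.0.0/8"' to pin down a shared account."""
    accepted, rejected = set(), []
    for entry in entries:
        if entry.get("uid") != [uid]:
            continue
        for value in entry.get("sshpublickey", []):
            norm = validate_key(value)
            accepted.add(norm) if norm else rejected.append(value)
    prefix = options + " " if options else ""
    return "".join(f"{prefix}{k}\n" for k in sorted(accepted)), rejected


def placeholder_blob(ktype: str, label: str) -> str:
    """Base64 of a wire-format blob holding only the type string and a label:
    a syntactically valid PLACEHOLDER for the sample data, not a real key."""
    sshstr = lambda b: struct.pack(">I", len(b)) + b
    return base64.b64encode(sshstr(ktype.encode()) + sshstr(label.encode())).decode()


# Constructed sample export (fake uids, placeholder keys). The second alice key
# is stored base64-encoded and folded across lines, as real LDIF tools do.
_ALICE2 = f"ssh-ed25519 {placeholder_blob('ssh-ed25519', 'alice-desktop')} alice@desktop"
_ALICE2_B64 = base64.b64encode(_ALICE2.encode()).decode()
SAMPLE_LDIF = f"""\
dn: uid=alice,ou=People,dc=example,dc=org
objectClass: posixAccount
objectClass: ldapPublicKey
uid: alice
sshPublicKey: ssh-ed25519 {placeholder_blob('ssh-ed25519', 'alice-laptop')} alice@laptop
sshPublicKey:: {_ALICE2_B64[:40]}
 {_ALICE2_B64[40:]}

dn: uid=shared,ou=People,dc=example,dc=org
objectClass: posixAccount
objectClass: ldapPublicKey
uid: shared
sshPublicKey: ssh-rsa {placeholder_blob('ssh-rsa', 'ops-build')} ops@build
sshPublicKey: ssh-rsa {placeholder_blob('ssh-rsa', 'ops-build')} ops@build
sshPublicKey: ssh-ed25519 {placeholder_blob('ssh-rsa', 'mismatch')} spoofed
sshPublicKey: not a key at all
"""

if __name__ == "__main__":
    for uid in ("alice", "shared"):
        body, bad = authorized_keys_for(parse_ldif(SAMPLE_LDIF), uid, 'restrict')
        print(f"# {uid}: {len(bad)} value(s) rejected\n{body}")
```

In practice the LDIF would come from something like `ldapsearch -LLL -x -b ou=People,dc=example,dc=org '(uid=alice)' sshPublicKey`, and the generated text would be written atomically (temp file plus rename) into the account's ~/.ssh with mode 0600. On OpenSSH 6.2 and later there is an alternative that avoids writing files at all: point sshd's `AuthorizedKeysCommand` at a script that queries the directory and prints the validated lines on demand, so a key removed in LDAP stops working immediately rather than at the next sync.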
