On 7/11/2012 7:31 AM, Jerry Feldman wrote:
I'm leaning toward using LDAP. LDAP will be at a corporate level (not
IBM but Algorithmics). But, I don't have that many servers so I can
replicate my changes to each of the servers. Back on testdrive we used
PAM and it worked well except for one Debian box.

You don't use LDAP to authenticate because it isn't an authentication mechanism. LDAP is a directory service. The gist is to attach a token to the directory information for an account, then configure the authentication system to test for the presence of that token.

The simplest way to manage these tokens for groups of people is with groups. LDAP groups work the same as groups in the /etc/groups file or groups in the NIS groups map. Then have a PAM module test for group membership and permit/reject as appropriate.

I use this mechanism along with my Kerberos realm with Scientific Linux and Debian nodes. It works brilliantly. It's a one-time change on each node that requires a specific group membership for access, so I don't have to change all the nodes when I change a user's status.

--
Rich P.
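The group check described above, written out as an added example (not from the thread): the PAM "account" stack refuses a login unless the user is in an LDAP group that NSS can resolve. The service file path and the group name ldap-shell-users are assumptions.

```conf
# /etc/pam.d/sshd  (path and the group name "ldap-shell-users" are assumed)
# The LDAP group must already resolve through NSS (nss_ldap or sssd), i.e.
#   getent group ldap-shell-users
# must print a line such as  ldap-shell-users:*:20001:alice,bob
#
# "account" stack: this runs after the password/Kerberos check has passed.
# pam_succeed_if returns PAM_AUTH_ERR when the predicate is false, and with
# control "required" that single failure makes the whole stack reject.
account required pam_succeed_if.so quiet_success user ingroup ldap-shell-users
account required pam_unix.so

# Equivalent alternative using pam_access instead of pam_succeed_if:
#   account required pam_access.so
# with /etc/security/access.conf containing
#   + : root : LOCAL
#   + : (ldap-shell-users) : ALL
#   - : ALL : ALL
```

Adding a user to the LDAP group (or removing them) then changes access on every node that carries this stanza, with no further per-node edits.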

_______________________________________________
Discuss mailing list
[email protected]
http://lists.blu.org/mailman/listinfo/discuss
