The ones we see most commonly are:

1) NIS/NIS+-based (primarily in sites with a Sun background).  Works OK, and
is familiar territory for most Unix heads.

2) Combination of LDAP and Kerberos 5.  Increasingly popular, as Microsoft's
AD can be forced to play nice with it.

3) Pure Kerberos 5.  Also quite popular in sites with Unix backgrounds.

4) LDAP-only. Usually only in small sites due to LDAP performance issues.

#2 is very scalable, and works well technically and politically, but takes
considerable planning to do right the first time. #1 has problems with WAN
links (takes careful tuning if you intend to use it over transcontinental
links), but is trivial to implement. #3 is exceptionally scalable, but not
all applications understand K5 very well. #4 suffers from the fact that LDAP
is heavily connection oriented and stateful, and is quite a bit more
overhead to implement both on client and server (on the order of 10s of
packets to complete an authentication vs usually one to five or so packets
for NIS or pure K5).  See my comments in my earlier note on LDAP replication
and architecture if you use any of the LDAP-based options.

It depends a lot on what's already in place. If you already have a good
NIS/NIS+ infrastructure, no reason to reinvent the wheel; just load the NIS
client, point the clients at a convenient NIS server and go with that. If
you're starting from scratch, seriously consider the LDAP/Kerberos
combination.  It saves no end of arguments about management infrastructure
with the Windows folks, and you pick up some nice abilities to do batch
things to users from the Linux side that are a real PITA with AD. It also
scales and performs a lot better than the pure LDAP solution.

-- db

David Boyes
Sine Nomine Associates


> -----Original Message-----
> From: Linux on 390 Port [mailto:[EMAIL PROTECTED] Behalf Of
> Eric Sammons
> Sent: Wednesday, November 05, 2003 2:55 PM
> To: [EMAIL PROTECTED]
> Subject: User Administration / Management
>
> Going along with a question I posed earlier, I wanted to find what others
> in this area (Linux for z/VM) are doing for User / Password management? I
> would like to try to recommend to our folks that we implement something
> that is fairly mainstream. Any and all feedback is appreciated.
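The four models in the reply above map onto two concrete files on a Linux client: which source `nsswitch.conf` names for the `passwd` database (files, nis, ldap) and which module does the password check in the PAM `auth` stack (pam_unix, pam_ldap, pam_krb5). The following Python script, added here as an example and not part of the original mailing-list thread, parses both and reports which of the four models a host is running, which is the first thing to establish before recommending a migration. The two sample configurations embedded at the bottom are constructed for illustration; the mapping of modules to models is a heuristic that assumes the classic pam_ldap/pam_krb5 modules rather than a newer caching daemon.

```python
"""Classify a host's account lookup and authentication setup into the models
discussed in the thread: NIS/NIS+, LDAP + Kerberos 5, pure Kerberos 5, or
LDAP-only.  Added example; the sample configs below are constructed."""
import re

# NSS sources on the 'passwd:' line that indicate NIS or LDAP directories.
NIS_SOURCES = {"nis", "nisplus"}
LDAP_SOURCES = {"ldap"}

# PAM modules that perform the actual credential check for each model.
KRB5_MODULE = "pam_krb5.so"   # Kerberos 5 password verification (KDC)
LDAP_MODULE = "pam_ldap.so"   # LDAP simple bind as the password check

# Heuristic: a module reference is the first token ending in '.so' on the line,
# possibly with a directory prefix such as /lib/security/.
_MODULE_RE = re.compile(r"(pam_\w+\.so)")


def nss_passwd_sources(nsswitch_text):
    """Return the ordered sources on the 'passwd:' line of nsswitch.conf,
    dropping comments and [status=action] clauses."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"passwd\s*:\s*(.*)", line)
        if m:
            return [tok for tok in m.group(1).split() if not tok.startswith("[")]
    return []


def pam_auth_modules(pam_text):
    """Return the modules named on 'auth' lines of a PAM stack, in order.
    The control field may be bracketed ([success=1 default=ignore]), so the
    module is located by pattern rather than by token position."""
    modules = []
    for line in pam_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith("auth"):
            continue
        m = _MODULE_RE.search(line)
        if m:
            modules.append(m.group(1))
    return modules


def classify(nsswitch_text, pam_text):
    """Map the NSS passwd sources and PAM auth modules to one of the models."""
    sources = set(nss_passwd_sources(nsswitch_text))
    modules = set(pam_auth_modules(pam_text))
    uses_ldap_nss = bool(sources & LDAP_SOURCES)
    uses_krb5 = KRB5_MODULE in modules
    uses_ldap_pam = LDAP_MODULE in modules

    if uses_krb5 and uses_ldap_nss:
        return "LDAP + Kerberos 5"          # identity from LDAP, passwords via KDC
    if uses_krb5:
        return "pure Kerberos 5"            # KDC checks passwords; accounts from files or another NSS source
    if uses_ldap_nss or uses_ldap_pam:
        return "LDAP-only"                  # directory serves both identity and the password bind
    if sources & NIS_SOURCES:
        return "NIS/NIS+"                   # maps via ypserv; pam_unix checks the NIS passwd hash
    return "local files only"


# Constructed sample: the LDAP + Kerberos combination the reply recommends.
SAMPLE_NSS_LDAP_KRB5 = """\
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
"""
SAMPLE_PAM_LDAP_KRB5 = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [success=1 default=ignore] pam_krb5.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
"""

# Constructed sample: a classic NIS site, passwords checked locally by pam_unix.
SAMPLE_NSS_NIS = "passwd: files nis\ngroup:  files nis\n"
SAMPLE_PAM_UNIX = "auth required pam_unix.so\naccount required pam_unix.so\n"

if __name__ == "__main__":
    print(classify(SAMPLE_NSS_LDAP_KRB5, SAMPLE_PAM_LDAP_KRB5))  # LDAP + Kerberos 5
    print(classify(SAMPLE_NSS_NIS, SAMPLE_PAM_UNIX))            # NIS/NIS+
```

On a live host the two arguments would be the contents of `/etc/nsswitch.conf` and the distribution's common auth stack (`/etc/pam.d/system-auth` or `common-auth`); the output tells you which of the four columns in the reply you are starting from.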
