On Wed, 2007-05-23 at 11:12 -0600, Kenneth Burgener wrote:
> Maybe someone could point me in the right direction. I have several
> Linux servers, and maintaining users and passwords individually across
> all of them is getting to be painful. So I am hoping to find a "Linux
> password server" option that I can manage all users and passwords from.
> Google didn't appear to be much help, and kept pointing me to using
> Samba (http://www.google.com/search?hl=en&q=linux+password+server). I
> have heard there are several security issues with the Windows
> authentication, and it seems overkill to use a Windows based
> authentication scheme in a pure Linux environment. Is there a simple,
> secure and lightweight Linux way of doing this (and by lightweight I
> mean staying away from LDAP overkill as well).

LDAP stands for light-weight directory-access protocol. :)

Actually, LDAP really is your *only* option, sorry (or just bite the bullet and install Win 2003 Server and Active Directory :). NIS probably won't be quite what you need. Bite the bullet and learn it; looks good on the resume too. If you combine it with Kerberos, then your unix machines can have secure logins (via Kerberos) and common passwd stuff via LDAP.

OpenLDAP, well, sucks to be honest. The developers are egotistical and somewhat arrogant (how dare you run OpenLDAP without being a Berkeley DB expert!). But it works. Another good choice is the Fedora Directory Server.

For Windows clients, life is a bit rough. Currently Samba (well, Windows, actually) cannot use MIT Kerberos to do domain authentication. There is a patched Heimdal Kerberos server that can handle Windows clients through Samba. But anyway, Samba 4 will address this, and will work well with existing LDAP servers, like OpenLDAP, or you can use its built-in LDAP server, which may just be what you're looking for. Samba 4 is almost a complete Active Directory replacement. I'm excited to try it out later this year.

If you want to do Windows logins through a Linux LDAP server, you can use Samba domain logins, storing Samba hashes in the LDAP database. Or you can use pgina and do direct LDAP-authentication for Windows users. Pgina is a bit hackish, though--reminds me of the old Novell logins (are they still crappy?) where it authenticates you, then has to do a matching local login.

Apple's OpenDirectory is a nice integration of OpenLDAP, Samba, Kerberos, and SASL, that actually works really well in, say, a small business setting. It's come a long ways, but I'm still not sure if anything from Apple is enterprise-ready (I've been running OS X server for 5 years... interesting experiences).

I joked previously about Win2k3 server, but in seriousness, Microsoft's product (complete, integrated LDAP, NetBIOS, Kerberos) is something to be reckoned with.
If we are to compete in the central password and account integration area, Linux really has to get a better directory system. Samba 4 just might provide the impetus to get a nice, fully integrated system available.

>
> Any suggestions?
>
> If it helps, all of the servers are running Fedora Core 5 (64bit).

You may want to convert the servers to RHEL5 or CentOS5. Going from FC5 is trivial and can even be done without taking anything down or off-line. FC5 will be without updates very soon here. Now that CentOS and RHEL are quite mature and usable, I cannot recommend FC (or the upcoming Fedora) for any server duty, because of their very short lifespans.

>
> Thanks,
> Kenneth
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */
