Jonathan said: > Hey All! > > A debate has broken out here at my company between several of the > engineers, > and I'm writing to see what you guys think. > > Let me outline the problem... Our operation runs accross 11 redhat 9 > servers > right now, and 3 more are coming. We're in 4 datacenters (though we only > have one server for 2 of them for DNS and monitoring, the others are Mae > West in SF and SureWest for our DRP), and we're starting to hit the limit > on > the number of passwords that we can remember. > > So, one school here says set up a secure Open LDAP directory of some sort, > and use that as a replacement for /etc/password. Shockingly, the guy who > is > espousing this position is from Netscape originally. Hehe. > > The other approach (which I am completely unfamiliar with I must admit) is > kerberos. I'm not sure I *want* a three headed dog in the company. :) > > So, what's the easiest, most secure way to tie in a login server to our > systems in the eyes of some of the more experienced sysadmins out there? > I've read up on both of these approaches, and they both seem to have their > advantages and disadvantages. There's nothing in my O'Reilly bookshelf > outlining much about comparing this stuff. Any advice?
kerberos is rather well tested and has a better security model (when properly implemented) than LDAP based central authentication, but I think you will find more support for LDAP-based authentication shemes for more software. It seems the trends of the market suggest that LDAP auth is going to become a defacto standard. PeopleSoft allows for it, many web-based services allow for it, apache has modules to allow for it as the authentication method, etc. We use LDAPS at our campus and plan to have LDAPS eventually become our central authenticaton system. We are working with many legacy aps and services which do not support authentication schemes other than those which use plain-text but support normal ldap, which permits us to use stunnel to better secure their auth to a group of ldap servers. ATM, I would probably go with LDAP based on market trends and an expectation for future development in the private sector. There is talk that MS will support LDAP auth (through relay) with their servers and same with Apple in OS X. If this pans out, it may be possible to actually have a single authentication center for all services, OS, and applications. Learning curve for LDAP is steep when you also include auth. Attempts to make LDAP auth not only highly available and scalable are tricky, but necessary if you wish to go this route. I suggest using OpenLDAP if you want an LDAP server. HTH, -ME _______________________________________________ vox-tech mailing list [EMAIL PROTECTED] http://lists.lugod.org/mailman/listinfo/vox-tech
