[ale] Single Sign-on and Linux

Clint Ricker darjo at arches.uga.edu
Tue Jun 19 14:40:53 EDT 2001


What do you feel is weak/immature about the Linux LDAP solutions?  I've
set up an OpenLDAP authentication system on a previous job and was very
impressed with how it handled as well as the possibilities of what it
could do.  This only involved 30 client machines, but it handled
incredibly well, and we had a synchronized login for the Windows and Linux
machines in the office.  In addition (although we didn't go too far down
this path), we kept basic directory stuff on every employee and then just
had simple scripts to update the company web page, etc. every time someone
changed email addresses, etc.

The system as a whole seemed very flexible and expandable...we just had
one master server and a slave server for backup, but the concept allows
for a lot of redundancy and is pretty fault tolerant...You can have
unlimited masters and slaves, and if one goes out then the client just goes
on to the next.  After I actually deployed it and fixed a couple of
gotchas it has been running without a hitch for well over a year...

If you are really, really paranoid then you could just write the LDAP info
back to /etc/shadow;/etc/passwd on each machine and still be able to login
in case of a network outage.  The OpenLDAP distribution also can be linked
against libssl to encrypt all the transmissions.

I would recommend OpenLDAP as the solution...RedHat (7.x) ships with the
client stuff ready to go, Samba has built-in LDAP support for doing PDC
authentication, most mail clients have LDAP support for address book
functions, and it will in general just be a lot more flexible than NDS or
NIS.  It is also fairly easy to migrate to because (if you look around
enough) you can find scripts for migrating from just about any existing
authentication structure.  It does take a bit of investment of time to
learn the system, but I think that is the case for any of them, and it was
for me a lot easier to learn than NIS and is definitely a lot more
intuitive (nistbladm anyone?)...It is fairly simple and logical once you
know what you are doing, but if you've never done a directory service
before then there are a lot of little things to learn that just take some
time.  Hope this helps!

Clint Ricker 
cricker at negia.net 
System Administrator 
NorthEast Georgia Internet Access

--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
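The post suggests writing the LDAP account data back to /etc/passwd and /etc/shadow on each client so logins survive a network outage. The script below is an added illustration of that idea, not code from the post or from the OpenLDAP project: it takes an LDIF export (as ldapsearch -LLL would produce; here a constructed sample is embedded) and emits passwd/shadow lines, while applying the checks a cautious admin would want before touching those files. The UID cut-off of 1000, the sample DNs, names and hashes, and the function names are all assumptions made for this example.

```python
"""Mirror LDAP posixAccount entries into /etc/passwd and /etc/shadow style lines
so users can still log in during an LDAP outage.  Hypothetical example written
for this page; it parses an LDIF export rather than talking to a server, and the
sample data below is constructed."""
import base64
import time
from dataclasses import dataclass

SYSTEM_UID_MAX = 999   # assumption: UIDs 0-999 are local/system accounts, never mirrored
FIELD_SEPARATOR = ":"  # a value containing this would split a passwd line into extra fields

# Constructed sample export: names, DNs and hashes are made up for the example.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: alice
cn: Alice
  Example
uidNumber: 1001
gidNumber: 100
homeDirectory: /home/alice
loginShell: /bin/bash
userPassword: {CRYPT}$1$c0nstruct$examplehashvalue

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: bob
uidNumber: 1002
gidNumber: 100
homeDirectory: /home/bob
loginShell: /bin/bash
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQ=

dn: uid=ldapadmin,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: ldapadmin
uidNumber: 0
gidNumber: 0
homeDirectory: /root
loginShell: /bin/bash
userPassword: {CRYPT}$1$c0nstruct$anotherhash

dn: uid=svc,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: svc
uidNumber: 1005
gidNumber: 100
homeDirectory: /home/svc
loginShell: /bin/bash
"""

# Constructed local /etc/passwd excerpt: 'svc' already exists on this machine.
SAMPLE_LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
svc:x:2000:2000:local service:/var/lib/svc:/sbin/nologin
"""


@dataclass
class Account:
    uid: str
    uid_number: int
    gid_number: int
    gecos: str
    home: str
    shell: str
    password: str  # raw userPassword value, e.g. "{CRYPT}..." or "{SSHA}..."


def parse_ldif(text):
    """Parse a minimal LDIF export into a list of {attr: [values]} dicts, one per
    entry.  Handles folded lines (leading space) and base64 values ('attr:: ...')."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # continuation of the previous line
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded:
        if not line.strip():                 # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):            # 'attr:: base64'
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        current.setdefault(attr.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def to_account(entry):
    """Build an Account from a posixAccount entry, or None for other entries."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "posixaccount" not in classes:
        return None
    uid = entry["uid"][0]
    return Account(
        uid=uid,
        uid_number=int(entry["uidnumber"][0]),
        gid_number=int(entry["gidnumber"][0]),
        gecos=entry.get("cn", [uid])[0],
        home=entry["homedirectory"][0],
        shell=entry.get("loginshell", ["/sbin/nologin"])[0],
        password=entry.get("userpassword", [""])[0],
    )


def shadow_hash(user_password):
    """Only a {CRYPT} value can go into /etc/shadow as-is.  Anything else ({SSHA},
    cleartext, missing) becomes '!' so the account is locked for offline login
    instead of getting an unusable or guessable field."""
    if user_password.upper().startswith("{CRYPT}"):
        return user_password[len("{CRYPT}"):]
    return "!"


def local_accounts(passwd_text):
    """Names and UIDs already present in the local passwd file."""
    names, uids = set(), set()
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and not line.startswith("#"):
            names.add(fields[0])
            uids.add(int(fields[2]))
    return names, uids


def mirror(ldif_text, local_passwd_text, last_change_days=None):
    """Return (passwd_lines, shadow_lines, skipped) for the LDAP accounts that are
    safe to mirror; skipped holds (uid, reason) for the rest."""
    if last_change_days is None:
        last_change_days = int(time.time() // 86400)
    local_names, local_uids = local_accounts(local_passwd_text)
    passwd_lines, shadow_lines, skipped = [], [], []
    for entry in parse_ldif(ldif_text):
        acct = to_account(entry)
        if acct is None:
            continue
        if acct.uid_number <= SYSTEM_UID_MAX:
            skipped.append((acct.uid, "system uid range"))
            continue
        if acct.uid in local_names or acct.uid_number in local_uids:
            skipped.append((acct.uid, "collides with local account"))
            continue
        if any(FIELD_SEPARATOR in f or "\n" in f
               for f in (acct.uid, acct.gecos, acct.home, acct.shell)):
            skipped.append((acct.uid, "field would corrupt passwd format"))
            continue
        passwd_lines.append(f"{acct.uid}:x:{acct.uid_number}:{acct.gid_number}:"
                            f"{acct.gecos}:{acct.home}:{acct.shell}")
        shadow_lines.append(f"{acct.uid}:{shadow_hash(acct.password)}:"
                            f"{last_change_days}:0:99999:7:::")
    return passwd_lines, shadow_lines, skipped


if __name__ == "__main__":
    pw, sh, skipped = mirror(SAMPLE_LDIF, SAMPLE_LOCAL_PASSWD)
    print("\n".join(pw))
    print("\n".join(sh))
    for uid, reason in skipped:
        print(f"skipped {uid}: {reason}")
```

Run stand-alone it prints the two mirrorable accounts and the reasons the other two were refused. The three refusals are the point: an LDAP entry with a system-range UID must never be written to a client (it would shadow root or a service account), an entry whose name or UID already exists locally must not be merged silently, and only {CRYPT} password values can be copied into /etc/shadow (anything else locks the offline account rather than guessing). Writing the output to the real files should be done the way the post implies, as a replacement of a clearly delimited "LDAP mirror" section under the existing local accounts, never by overwriting the whole file.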