[ale] Single Sign-on and Linux

Dan Newcombe Newcombe at mordor.clayton.edu
Tue Jun 19 15:03:36 EDT 2001


On Tue, 19 Jun 2001, Derek Zeanah wrote:
> So, how can this be done (securely) on Linux?  My understanding is that you
> can rig Redhat (and others?) via PAM to authenticate against an LDAP server,
> but the LDAP offerings seem to be weak (with the obvious exception of NDS).

You can rig RedHat and others via PAM to authenticate against almost
anything - LDAP, RADIUS, NT, etc...  You can also rig them to authenticate
directly against an LDAP server via the nsswitch setup.

I don't know why you say they are weak offerings.  OpenLDAP is nice.
Perhaps they may not be set up by default with the most robust of schemas,
but that can be adjusted.

 
> What solution do y'all use for single-sign-on?  Is it worth the effort to
> try and master NDS and tell clients to organize the infrastructure around
> it, and if so is it possible for all of the services to authenticate against
> it (even indirectly -- maybe use a script to recreate a passwd file every 20
> minutes)?

Well, we use NT - probably not the answer you're asking for! :)
However, with OpenLDAP and the nameservice switch library, you can have
one central (LDAP) server like you mentioned, with different clients
having their info in different areas under your common base.  You can then
tell their server to point to this central LDAP server and give it the
baseDN for just their part of the server.

You can even put many of the files in /etc into the LDAP server for them.
I've not gone overboard with it, but what I've done with it is pretty
nice.

You can also put Samba-TNG on there and let it do NT authentication
against the same LDAP backend, though I should be honest and say that the
Samba-TNG is still rough code.

Overall - fun stuff though.  Add a little PHP in and you're all set :)
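As an added illustration (not part of Dan's message or of any of the projects named), below is a sketch of the setup he describes: a Red Hat style box using PAM and the nameservice switch against one central OpenLDAP server, with this particular client's accounts kept in its own subtree under a common base. It assumes the PADL nss_ldap/pam_ldap modules that shipped with Red Hat of that era (which share /etc/ldap.conf); the host name, DNs, and the proxy bind account are made up for the example.

```text
# /etc/nsswitch.conf  -- resolve users/groups from local files first,
# then from LDAP. Keep "files" first so root and service accounts still
# resolve if the directory is unreachable.
passwd:     files ldap
shadow:     files ldap
group:      files ldap

# /etc/ldap.conf  -- shared by nss_ldap and pam_ldap (PADL).
# Central server and the common base for the whole organisation.
host        ldap.example.org            # assumed host name
base        dc=example,dc=org           # assumed common base
ldap_version 3
scope       sub

# Scope this client to its own subtree so one client's box cannot
# enumerate (or log in as) another client's users.
nss_base_passwd   ou=people,ou=clientA,dc=example,dc=org?one
nss_base_shadow   ou=people,ou=clientA,dc=example,dc=org?one
nss_base_group    ou=groups,ou=clientA,dc=example,dc=org?one

# Bind with a low-privilege proxy account rather than anonymously, and
# protect credentials on the wire with STARTTLS. /etc/ldap.secret holds
# the password and must be readable by root only (mode 0600).
binddn      cn=proxy-clientA,ou=system,dc=example,dc=org   # assumed
rootbinddn  cn=proxy-clientA,ou=system,dc=example,dc=org
ssl         start_tls
tls_cacertfile /etc/openldap/cacert.pem
pam_password exop                        # password changes via LDAP extended op

# /etc/pam.d/system-auth  -- local accounts first, LDAP second.
auth        required      pam_env.so
auth        sufficient    pam_unix.so likeauth nullok
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] pam_ldap.so

password    required      pam_cracklib.so retry=3
password    sufficient    pam_unix.so nullok use_authtok md5 shadow
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     required      pam_limits.so
session     required      pam_unix.so
session     optional      pam_ldap.so
```

Two points worth checking on a real box: confirm the subtree scoping works with `getent passwd` (a user from another client's OU should not appear), and confirm that the `start_tls` line actually takes effect (a packet capture during login should show no cleartext simple bind). The `pam_unix.so` line staying ahead of `pam_ldap.so` is what keeps console root logins working when the LDAP server is down.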