[ale] Single Sign-on and Linux

Stephen J. Pellicer spellicer at 8thlayer.net
Tue Jun 19 20:05:18 EDT 2001


I like OpenLDAP like the others. It's pretty solid and gaining features as
it matures. Very flexible. RedHat is building more and more packages to be
LDAP ready on the backend. Kerberos is a potential tie in if you are looking
for something single sign on'ish as opposed to just centrally managed.
Again, Redhat is a good distro that is building most of their packages to be
Kerberosized. I haven't personally done much with Kerberos in the
distribution.

Stephen Pellicer

-----Original Message-----
From: owner-ale at ale.org [mailto:owner-ale at ale.org] On Behalf Of Derek Zeanah
Sent: Tuesday, June 19, 2001 1:48 PM
To: ale at ale.org
Subject: [ale] Single Sign-on and Linux


(First post from a new list subscriber.)

I'm working as a consultant down in Savannah, GA -- some Novell, a lot of
Microsoft, and (increasingly) *nix.  I'm the resident Unix guy (translated:
I'm the guy who can diagnose and fix failures, even if I'm far from Guru
status), and I've been pushing my company to offer more open source
solutions where they're appropriate (most of our *nix clients are running
SCO 5.0.x, but it's hard to justify the cost over FreeBSD or Linux).

Well, Windows XP is getting enough complaints (local hospital just told by
Microsoft that their software licensing costs will double) that we've
decided to move more aggressively in this direction.  The problem I'm seeing
right now is providing centralized management -- the NT Domain model is far
from perfect, but the idea of keeping one system set aside to deal with
access permissions is a good one.  A distributed directory structure would
be nicer, but it's not *that* important as most of my clients are small- to
medium-sized businesses.

So, how can this be done (securely) on Linux?  My understanding is that you
can rig Redhat (and others?) via PAM to authenticate against an LDAP server,
but the LDAP offerings seem to be weak (with the obvious exception of NDS).

What solution do y'all use for single-sign-on?  Is it worth the effort to
try and master NDS and tell clients to organize the infrastructure around
it, and if so is it possible for all of the services to authenticate against
it (even indirectly -- maybe use a script to recreate a passwd file every 20
minutes)?

Don't get me wrong -- I'm sold on NDS as a sturdy, secure, and scalable
solution (and at $2 per seat who's going to complain?), but I'd like to have
a better understanding of the available options and the trade-offs that need
to be considered.  So far all I can find is OpenLDAP (which seems rather
immature) and NIS (which has a number of security issues).

Thanks.


--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message
body.

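The original post asks whether Red Hat can be set up via PAM to authenticate against an LDAP server, and whether that can be done securely. The fragments below are an added illustration, not configuration from either poster, showing the three files involved with the PADL pam_ldap/nss_ldap modules that shipped with Red Hat at the time: the PAM stack, the name-service switch, and the shared ldap.conf. The hostname, base DN and CA path are assumed placeholders; the security-relevant settings are the TLS lines, which keep passwords and account data off the wire in the clear (the weakness the post attributes to NIS) and make the client verify the server certificate rather than accept any responder.

```text
# /etc/pam.d/system-auth  (assumed layout; Red Hat's stacked-module style)
# Local /etc/passwd is tried first; LDAP is consulted only if that fails.
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_ldap.so use_first_pass
auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so
account     sufficient    /lib/security/pam_ldap.so

password    required      /lib/security/pam_cracklib.so retry=3
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/pam_ldap.so use_authtok
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
session     optional      /lib/security/pam_ldap.so

# /etc/nsswitch.conf  (only the lines that change)
# "files" first keeps root and emergency accounts usable if the directory is down.
passwd:     files ldap
shadow:     files ldap
group:      files ldap

# /etc/ldap.conf  (read by both pam_ldap and nss_ldap; values are assumptions)
host        ldap.example.internal
base        dc=example,dc=internal
# Upgrade the port-389 connection to TLS and refuse to proceed without it.
ssl         start_tls
# Verify the server certificate against a CA you control; without this a
# client will happily send credentials to any host answering on that name.
tls_checkpeer  yes
tls_cacertfile /etc/openldap/cacerts/internal-ca.pem
# Do not bind with a privileged DN from every workstation; anonymous reads
# for NSS plus the user's own simple bind for PAM is the least-privilege shape.
```

The "sufficient" ordering matters for the availability question the post raises about keeping one system aside for access control: with files consulted before ldap, a directory outage degrades to local-only logins instead of locking everyone out, and the deny line at the bottom of the auth stack ensures a misconfigured or missing module fails closed rather than open.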