SSO solution and centralized user mgmt for about 10-30 Ubuntu machines?

Question

I'm looking for a clean way to centralize user management. The setup:

• About 10-30 linux machines (Ubuntu 10.04 LTS server)
• Maybe 10-30 users for now.

The requirements (hopes and expectations):

• A single place for the administrator to manage user accounts, passwords and the list of machines each user has access to. (And probably groups.) Doesn't have to be fancy.

• Single sign-on for SSH: the user should be able to login from machine A to machine B without re-entering his/her password.

A Quick Google searches give me pointers to OpenLDAP and Kerberos, but I'm not sure where to start and what problem will each solution actually solve. Which way to go? I'd love to find a clear tutorial that focuses on this subject. (Or: am I asking "a wrong question"?)

Answer 1

Google has led you down the right track. Ideally you want both LDAP for the central user management and Kerberos for it's added security and SSO.

LDAP alone will get you centralized user management but users will still have to re-authenticate with each service they are connecting too. That's where Kerberos comes in which issues the client a ticket which grants the user access to other services once they've been authenticated.

For Kerberos you'll need a stable synchronized time source. So I would start by setting up NTP, DHCP, and DNS properly. Then configure your client workstations to get their NTP from DHCP. Once you know you have a stable time source you can then setup LDAP and Kerberos servers to provide the necessary directory services to pull it together.

Answer 2

I've found the Spinlock guides excellent for this; I've used them to set up an SSO environment with ssh ticket forwarding for a development office of about 30 developers. There are a lot of different components to this and it's somewhat of a bear to manage - you'll want a good LDAP client like Apache's Directory Studio for user maintenance.

If there's an Active Directory somewhere in your enterprise, Likewise (Google for Likewise Open, serverfault won't let me post more than one link) now has an open source version of its SSO solution that might be worth looking at. It also supports ssh ticket forwarding.