15

I have a small but growing network of Linux servers. Ideally I'd like a central place to control user access, change passwords, etc. I've read a lot about LDAP servers, but I'm still confused about choosing the best authentication method. Is TLS/SSL good enough? What's the benefit of Kerberos? What's GSSAPI? Etc. I haven't found a clear-cut guide that explains the pros/cons of these different methods. Thanks for any help.

Chris McBride
  • Don't forget NIS. It may be old, but it's still widely used for a reason. – MadHatter Feb 14 '11 at 16:39
  • I think that reason may be appliances and other operating systems that don't fully support LDAP. If you have a 100% Linux shop, then LDAP is the way to go. Solaris has trouble talking to OpenLDAP using OpenSSL for encryption. FreeBSD can't use netgroups over LDAP. You can always set up an NIS gateway for non-authentication data needed by incompatible systems. – Jeff Strunk Feb 15 '11 at 08:29
  • @MadHatter I'm pretty sure that reason NIS is still used is called "Inertia". – Magellan Mar 16 '12 at 21:49

4 Answers

4

For this problem, FreeIPA is the "best" FOSS solution out there.

Since you are just starting to learn about the scope of your problem, you should do your research before attempting to play with FreeIPA.

Not Now
3

TLS encryption is good enough to secure the transmission of passwords from the clients to the server given the following:

  • Your LDAP server's ACLs properly restrict access to password hashes.
  • Your server's private key is never compromised.

TLS encrypted plain authentication is the most simple method of secure authentication to set up. Most systems support this. The only prerequisite your client systems have is getting a copy of your SSL certificate authority's certificate.

Kerberos is mainly useful if you want a single sign on system for your workstations. It would be nice to be able to log in once and have access to web services, IMAP email, and remote shells without entering your password again. Unfortunately, there is a limited selection of clients for kerberized services. Internet Explorer is the only browser. ktelnet is your remote shell.

You may still want to encrypt traffic to your kerberized LDAP server and other services with TLS/SSL to prevent traffic sniffing.

GSSAPI is a standardized protocol for authentication using back ends such as Kerberos.

Jeff Strunk
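As an added illustration of the two conditions in the answer above (this is example configuration, not part of the original answer): an OpenLDAP cn=config LDIF that makes the userPassword hash usable for binding but unreadable by anyone else, and refuses simple (plaintext) binds that are not protected by TLS. The database index `{1}mdb`, the certificate paths and the security-strength value are assumptions for this example.

```ldif
# Server side (OpenLDAP cn=config). Apply with:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f this-file.ldif
# Certificate material used for TLS/StartTLS (paths are assumed).
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/tls/ca.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/tls/server.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/tls/server-key.pem

# ACLs for the user database ({1}mdb is assumed; check your own index).
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# userPassword: the owner may change it, anonymous may only use it to
# authenticate (bind), and nobody can read the hash back.
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
# Everything else stays readable so clients can look up accounts
# (tighten to "by users read" if you bind with a service account).
olcAccess: {1}to *
  by self write
  by * read
-
# Reject simple binds unless the session already has a security
# strength factor of at least 128, i.e. TLS is in place (value assumed).
replace: olcSecurity
olcSecurity: simple_bind=128
```

On each client, /etc/ldap/ldap.conf (or /etc/openldap/ldap.conf) only needs `TLS_CACERT` pointing at a copy of the CA certificate and `TLS_REQCERT demand` so the server certificate is actually verified.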
2

LDAP works well for multiple servers and scales well. StartTLS can be used to secure LDAP communications. OpenLDAP is increasingly well supported and more mature. Master-master replication is available for redundancy. I have used Gosa as an administrative interface.

I still haven't bothered limiting access per server, but the facility is there.

You may also want to look at shared home directories using autofs, or some other network mount mechanism. If not, you will likely want to add the PAM module that creates missing home directories on first login.

While NIS (aka yellowpages) is mature, it also has some reported security issues.

BillThor
0

If you're looking for a straightforward solution for your local network, Sun's Network Information Service is convenient and has been around for a long time. This link and this one describe how to set up both the server and client instances. LDAP services, such as described here, can provide the centralized administration you want as well.

That said, if you need higher levels of security, you may want to go with other packages. TLS/SSL won't work for initial login unless you have separate dongles/smartcards or something similar. Kerberos can help, but requires a secured, trusted server. What are your needs?

mpez0
  • Well, right now my needs are strictly for a central authentication server, so I only have to change a password in one place instead of on every server. But I'd like a solution that scales well so when I need more granular access controls, I can easily add it. That's why I was looking at LDAP as opposed to NIS. – Chris McBride Feb 14 '11 at 17:10
  • I think Chris was referring to TLS/SSL only to encrypt the network traffic between the LDAP client and server. In that case, you don't need any extra hardware. – Jeff Strunk Feb 15 '11 at 08:17