3

I have more than 1000 Linux/Unix (Solaris) servers in my network and I want to implement some kind of centralized login server, so that I create users on one server and they are able to log in on any of the servers in my network. But there would be some exceptions that I want to implement: I don't want to give every user access to every server. For example, a guy from the development team should not be able to access servers of the Fault Management team and vice versa.

I don't want to use LDAP. I heard about Kerberos and RADIUS, or RADIUS+SSH+LDAP. Please suggest which will be the better way to go. I just want centralized user management and server access management.

Thanks & Regards, Ramesh Kumar

Ramesh Kumar

3 Answers

6

There really is only one solution: LDAP, unless you go the really legacy route: NIS, NIS+.

LDAP can work really well with netgroups for setting which people have access to which servers; there's a Fedora project wiki page on this subject. You can also keep sudo configuration in LDAP, and for the added benefit, there are already web management solutions for it, GOsa² being one of the better, more Linux-centric ones.

Maybe just tell us why you don't want LDAP, this way we may be able to mitigate your problems with it...

There are three ways to work around the problem of network or server down:

  • use a replicated setup with multiple LDAP servers (both nss_ldap and pam_ldap will use the backup server when the primary is down); the OpenLDAP documentation is quite extensive on this topic
  • use caching on the client, pam_ccreds or Fedora SSSD
  • go the heaviest route: use additional LDAP server on most critical servers
Hubert Kario
  • I'm not the author of the question, but I have a similar problem. I was just wondering, what happens when the LDAP server is down? Is there some sort of caching on a client machine? Will it be possible to authenticate at all? – facha Oct 06 '10 at 08:01
  • I've updated the answer. And, no, when the LDAP server is down name resolving and authentication don't work; you need caching or fallback servers to keep authentication working – Hubert Kario Oct 06 '10 at 09:54
  • the above comment was referring to accounts in LDAP, locally created users will still work without LDAP (if the system was properly configured) – Hubert Kario Oct 06 '10 at 16:31
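As an added example (not code from any answer on this page), here is a small Python model of the netgroup matching that the answer above relies on: nisNetgroup triples (host, user, domain) plus nested memberNisNetgroup entries, evaluated with innetgr(3) semantics, and a constructed central policy that pairs host netgroups with team netgroups. The netgroup names, users and hostnames are made up; on a real host the corresponding line is enforced by pam_access (for example `+ : @dev-team : ALL`) or by SSSD's access control.

```python
from typing import Dict, List, Optional, Tuple

# Constructed stand-ins for nisNetgroup entries: each carries its
# nisNetgroupTriple values as (host, user, domain) and its memberNisNetgroup
# values (nested netgroups). In a triple, "" is a wildcard and "-" matches
# nothing, exactly as innetgr(3) treats them.
NETGROUPS: Dict[str, Tuple[List[Tuple[str, str, str]], List[str]]] = {
    "dev-team":   ([("", "alice", ""), ("", "bob", "")], []),
    "fm-team":    ([("", "carol", "")], []),
    "dev-hosts":  ([("dev01", "", ""), ("dev02", "", "")], []),
    "fm-hosts":   ([("fm01", "", ""), ("fm02", "", "")], []),
    "jump-hosts": ([("jump01", "", "")], []),
    "all-staff":  ([], ["dev-team", "fm-team"]),   # nested: both teams
    "nobody":     ([("-", "-", "-")], []),          # deliberately empty
}

# Constructed central policy: (host netgroup, user netgroup) pairs. Each pair
# is what one "+ : @<user netgroup> : ALL" line in a host's access.conf does.
POLICY = [("dev-hosts", "dev-team"), ("fm-hosts", "fm-team"),
          ("jump-hosts", "all-staff")]


def _field_matches(pattern: str, value: Optional[str]) -> bool:
    """One triple field: '-' never matches; '' or an unconstrained query does."""
    if pattern == "-":
        return False
    return pattern == "" or value is None or pattern == value


def innetgr(netgroup: str, host: Optional[str] = None, user: Optional[str] = None,
            domain: Optional[str] = None, _seen: Optional[set] = None) -> bool:
    """Membership test with innetgr(3) semantics, following nested netgroups."""
    if _seen is None:
        _seen = set()
    if netgroup in _seen or netgroup not in NETGROUPS:  # loop or unknown group
        return False
    _seen.add(netgroup)
    triples, members = NETGROUPS[netgroup]
    for h, u, d in triples:
        if _field_matches(h, host) and _field_matches(u, user) and _field_matches(d, domain):
            return True
    return any(innetgr(m, host, user, domain, _seen) for m in members)


def may_login(user: str, host: str) -> bool:
    """True if some policy pair admits this user on this host."""
    return any(innetgr(hg, host=host) and innetgr(ug, user=user) for hg, ug in POLICY)
```

A developer is therefore admitted on dev hosts and the jump host but refused on Fault Management hosts, and vice versa, without any per-user configuration on the servers themselves.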
1

You have to have a central user store, which means a directory service of some sort. These days that means Active Directory, eDirectory, OpenLDAP, or some other LDAP-style server. Then that central server can talk different kinds of authentication protocols with the understanding that sooner or later the authentication service will talk back to the directory service and that the directory service will probably be talking LDAP. This is the case even if the directory service has its own API because everything speaks LDAP so applications generally use that nowadays.

Active Directory, of course, is the simplest choice to make these days since Microsoft has pushed it pretty strongly to be ubiquitous and it meets most needs.

I prefer eDirectory because it has very great stability and scalability, is more Unix-friendly than AD (both for clients and servers), and has a replication model that cannot be beat.

OpenLDAP (and its derivatives, including Apple's Open Directory) is much cheaper and more modifiable than the others, being the open source entry, but my impression is that it is a bit more fragile in large deployments and management is messier.

There are some other LDAP servers out there as well (such as Oracle Directory Server which might fit in well with your Sun boxes), but I am less familiar with them and so cannot give firm details. Given that you seem to want to avoid LDAP, you might want to check which authentication methods each directory service supports for Unix servers and base your decision on that.

Johnnie Odom
0

If your Linux is a Red Hat derivative, then take a look at FreeIPA. Then you get a sanely managed LDAP + Kerberos setup in an easy manner. They have a Solaris client as well; hopefully somebody at Canonical will wake up and free the resources necessary to get Ubuntu clients working in such a domain.

natxo asenjo