Centralized Authentication Method

You have to have a central user store, which means a directory service of some sort. These days that means Active Directory, eDirectory, OpenLDAP, or some other LDAP-style server. Then that central server can talk different kinds of authentication protocols, with the understanding that sooner or later the authentication service will talk back to the directory service, and that the directory service will probably be talking LDAP. This is the case even if the directory service has its own API, because everything speaks LDAP, so applications generally use that nowadays.

Active Directory, of course, is the simplest choice to make these days since Microsoft has pushed it pretty strongly to be ubiquitous and it meets most needs.

I prefer eDirectory because it has very great stability and scalability, is more Unix-friendly than AD (both for clients and servers), and has a replication model that cannot be beat.

OpenLDAP (and its derivations, including Apple's Open Directory) is much cheaper and more modifiable than the others, being the open source entry, but my impression is that it is a bit more fragile in large deployments and management is messier.

There are some other LDAP servers out there as well (such as Oracle Directory Server which might fit in well with your Sun boxes), but I am less familiar with them and so cannot give firm details. Given that you seem to want to avoid LDAP, you might want to check which authentication methods each directory service supports for Unix servers and base your decision on that.


There really is only one solution: LDAP, unless you go the really legacy route: NIS, NIS+.

LDAP can work really well with netgroups for setting which people have access to which servers; there's a Fedora project wiki page on this subject. You can also keep sudo configuration in LDAP, and as an added benefit, there are already web management solutions for it, GOsa² being one of the better, more Linux-centric ones.

Maybe just tell us why you don't want LDAP, this way we may be able to mitigate your problems with it...

There are three ways to work around the problem of the network or server being down:

  • use a replicated setup with multiple LDAP servers (both nss_ldap and pam_ldap will use a backup server when the primary is down); the OpenLDAP documentation is quite extensive on this topic
  • use caching on the client, pam_ccreds or Fedora SSSD
  • go the heaviest route: use additional LDAP server on most critical servers
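As an added example that is not part of either answer above: an SSSD client configuration that combines the first two workarounds (multiple replicated LDAP servers with failover, plus cached credentials for when every server is unreachable) and also resolves the netgroups and sudo rules the second answer keeps in LDAP. The hostnames, base DN and search bases are assumed placeholders under example.com.

```ini
# /etc/sssd/sssd.conf (added illustration; must be owned by root, mode 0600)
[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = example.com

[domain/example.com]
id_provider = ldap
auth_provider = ldap
sudo_provider = ldap

# Failover: SSSD tries the servers in order and switches to the next one
# when the current one stops answering (the replicated-setup workaround).
ldap_uri = ldaps://ldap1.example.com, ldaps://ldap2.example.com
ldap_search_base = dc=example,dc=com

# Always verify the server certificate so a rogue server cannot collect
# the passwords that simple binds send to it.
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt

# Client-side caching (the pam_ccreds role): a hash of the password of any
# user who has logged in online before lets that user authenticate while
# all LDAP servers are down. Identity lookups are served from the cache too.
cache_credentials = true
entry_cache_timeout = 5400

# Where the netgroup and sudoRole entries live, so "getent netgroup" and
# sudo's sss back end can resolve them instead of local files.
ldap_netgroup_search_base = ou=netgroups,dc=example,dc=com
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com

# Per-host login restriction enforced by pam_sss: only accounts whose
# "host" attribute lists this machine (or a wildcard) are allowed in.
access_provider = ldap
ldap_access_order = host

[pam]
# How many days a cached credential stays usable while offline.
offline_credentials_expiration = 7
```

Pair it with `netgroup: sss` and `sudoers: files sss` in /etc/nsswitch.conf; for the netgroup-based access control the answer describes, reference the LDAP netgroup from /etc/security/access.conf via pam_access.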