Linux Central Authentication/Authorization Methods

For this problem, FreeIPA is the "best" FOSS solution out there.

Since you are just starting to learn about the scope of your problem, you should do your research before attempting to play with FreeIPA.


TLS encryption is good enough to secure the transmission of passwords from the clients to the server given the following:

  • Your LDAP server's ACLs properly restrict access to password hashes.
  • Your server's private key is never compromised.

TLS-encrypted plain authentication is the simplest method of secure authentication to set up. Most systems support this. The only prerequisite your client systems have is getting a copy of your SSL certificate authority's certificate.

Kerberos is mainly useful if you want a single sign-on system for your workstations. It would be nice to be able to log in once and have access to web services, IMAP email, and remote shells without entering your password again. Unfortunately, there is a limited selection of clients for kerberized services. Internet Explorer is the only browser. ktelnet is your remote shell.

You may still want to encrypt traffic to your kerberized LDAP server and other services with TLS/SSL to prevent traffic sniffing.

GSSAPI is a standardized protocol for authentication using back ends such as Kerberos.
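The two conditions the answer above attaches to "TLS-encrypted plain authentication" (the channel is actually encrypted, and the client verifies the server against the CA certificate it was given) are easy to lose in a client config. The script below is an added example, not code from this thread or from any of the projects named in it: it compares a constructed weak sssd.conf-style fragment with a hardened one and audits each for those conditions. The option names (`ldap_uri`, `ldap_id_use_start_tls`, `ldap_tls_reqcert`, `ldap_tls_cacert`) are real sssd-ldap(5) keys; the hostname, CA path and file contents are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): audit an sssd.conf-style LDAP
# client fragment for the settings that make TLS-protected simple binds safe:
# the connection must use STARTTLS (or ldaps://), and the server certificate
# must be verified against the CA certificate distributed to the client.
# Option names are real sssd-ldap(5) keys; hostname and paths are constructed.

# Constructed weak fragment: plain ldap:// with no STARTTLS and no cert check,
# so the bind password crosses the network in the clear.
WEAK_CONF='[domain/example]
id_provider = ldap
ldap_uri = ldap://ldap.example.internal
ldap_tls_reqcert = never
'

# Constructed hardened fragment: STARTTLS required and the certificate checked
# against the CA certificate copied to the client.
HARDENED_CONF='[domain/example]
id_provider = ldap
ldap_uri = ldap://ldap.example.internal
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/example-ca.crt
'

# get_opt FILE KEY -> prints the last "KEY = value" in FILE, lowercased, or nothing
get_opt() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr 'A-Z' 'a-z'
}

# check_ldap_tls FILE -> prints one finding per line; returns 0 only if there are none
check_ldap_tls() {
    _f="$1"; _findings=0
    _uri=$(get_opt "$_f" ldap_uri)
    _starttls=$(get_opt "$_f" ldap_id_use_start_tls)
    _reqcert=$(get_opt "$_f" ldap_tls_reqcert)
    _cacert=$(get_opt "$_f" ldap_tls_cacert)

    # Credentials travel in cleartext unless ldaps:// or STARTTLS is in use.
    case "$_uri" in
        ldaps://*) ;;
        *) [ "$_starttls" = "true" ] || {
               echo "cleartext: ldap:// without ldap_id_use_start_tls"
               _findings=$((_findings+1)); } ;;
    esac

    # never/allow accept any certificate, so TLS no longer proves which server
    # received the password. "hard" is sssd's documented default when unset.
    _reqcert=${_reqcert:-hard}
    case "$_reqcert" in
        demand|hard) ;;
        *) echo "unverified: ldap_tls_reqcert should be demand (got '$_reqcert')"
           _findings=$((_findings+1)) ;;
    esac

    # Verification needs the CA certificate the answer says to copy to clients.
    [ -n "$_cacert" ] || { echo "no CA: ldap_tls_cacert not set"; _findings=$((_findings+1)); }

    [ "$_findings" -eq 0 ]
}

# count_findings FILE -> number of findings reported for FILE
count_findings() {
    check_ldap_tls "$1" | wc -l | tr -d ' '
}

# Write both fragments to temp files so the checks run offline.
WEAK_FILE=$(mktemp); HARDENED_FILE=$(mktemp)
printf '%s' "$WEAK_CONF" > "$WEAK_FILE"
printf '%s' "$HARDENED_CONF" > "$HARDENED_FILE"

# Usage: the weak file yields three findings, the hardened file none.
check_ldap_tls "$WEAK_FILE" || echo "weak config: $(count_findings "$WEAK_FILE") finding(s)"
check_ldap_tls "$HARDENED_FILE" && echo "hardened config: no findings"
```

The `ldap_tls_reqcert` check is the one people most often get wrong: setting it to `never` or `allow` to make a self-signed certificate "work" silently removes the server-authentication half of TLS, which is exactly the property the answer relies on to keep the password private.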


LDAP works well for multiple servers and scales well. startTLS can be used to secure LDAP communications. OpenLDAP is increasingly well supported and more mature. Master-master replication is available for redundancy. I have used Gosa as an administrative interface.

I still haven't bothered limiting access per server, but the facility is there.

You may also want to look at shared home directories using autofs, or some other network mount mechanism. If not, you will likely want to add the PAM module that creates missing home directories on first login.

While NIS (aka yellowpages) is mature, it also has some reported security issues.
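The "PAM module that creates missing home directories" in the answer above is `pam_mkhomedir.so`, and the detail that matters for a multi-user box is the `umask=` it creates them with. The script below is an added example, not code from this thread: it places a constructed permissive session line beside a corrected one and checks that the module is present and that new home directories will not be group- or world-readable. `pam_mkhomedir.so` and its `skel=`/`umask=` options are real; the file contents are constructed.

```shell
#!/bin/sh
# Added example (not from the original thread): the PAM session line that
# creates a missing home directory on first login, with a check that the
# directory is created private. Module name and options are real
# pam_mkhomedir(8) options; the fragments and paths are constructed.

# Constructed fragment as often found: the module is present, but the
# default-like umask leaves every new home directory readable by other users.
LAX_PAM='session required pam_unix.so
session optional pam_mkhomedir.so skel=/etc/skel umask=0022
'

# Constructed fragment: same module, home directories private to the owner.
TIGHT_PAM='session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel umask=0077
'

# mkhomedir_umask FILE -> prints the umask= value given to pam_mkhomedir.so
# on a session line, or nothing if the module or option is absent
mkhomedir_umask() {
    awk '$1 == "session" && $3 == "pam_mkhomedir.so" {
            for (i = 4; i <= NF; i++)
                if ($i ~ /^umask=/) { sub(/^umask=/, "", $i); print $i; exit }
        }' "$1"
}

# check_mkhomedir FILE -> 0 if pam_mkhomedir.so is on the session stack with a
# umask that strips all group/other bits, 1 otherwise (reason printed)
check_mkhomedir() {
    if ! grep -Eq '^[[:space:]]*session[[:space:]]+[a-z]+[[:space:]]+pam_mkhomedir\.so' "$1"; then
        echo "pam_mkhomedir.so missing: first login has no home directory"
        return 1
    fi
    _umask=$(mkhomedir_umask "$1")
    _umask=${_umask:-0022}   # pam_mkhomedir's documented default when umask= is absent
    # The last two octal digits are group and other; both must be 7.
    case "$_umask" in
        *77) return 0 ;;
        *) echo "home directories created with umask $_umask: group/other can read them"
           return 1 ;;
    esac
}

# Write both fragments to temp files so the checks run offline.
LAX_FILE=$(mktemp); TIGHT_FILE=$(mktemp)
printf '%s' "$LAX_PAM" > "$LAX_FILE"
printf '%s' "$TIGHT_PAM" > "$TIGHT_FILE"

# Usage: the lax fragment is flagged, the tight one passes.
check_mkhomedir "$LAX_FILE" || echo "lax fragment: fix the umask"
check_mkhomedir "$TIGHT_FILE" && echo "tight fragment: ok"
```

The check reads only the session stack, because that is where pam_mkhomedir does its work; a line elsewhere in the file does nothing at login. With autofs-mounted homes the module is usually unnecessary, but the same umask question then moves to whatever provisions the directory on the file server.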