Centralised Authentication - Recommendations?

I have a challenge presented before me, and that is to centralise authentication. Period.

That's because me and my big mouth said I like LDAP, and anything can authenticate against it. I have pretty much every type of desktop here: Macs, Windows XP up to 7, and a number of Ubuntu and Fedora based distro installs.

I have no problem going through all the configuration work. In fact that should be pretty fun, I just want some recommendations on which implementations I should be looking at.

Thank You


Solution 1:

Natively, a Windows machine can only authenticate against an AD domain that it is in (or a domain that is trusted by the domain that it is in). You can find replacement GINAs; I do believe that there's one for plain ol' LDAP.

However, once you've got an AD domain, you've also got Kerberos and LDAP as part of the deal. You can authenticate OS X against AD, and you could use PAM to authenticate the Linux machines against the LDAP part of AD.

Solution 2:

I would put all the Windows machines into a domain; that makes centralised authentication very simple for them.

Macs can authenticate against AD.

For the Linux machines I would use SSSD, which generally works together with Kerberos, which, if properly implemented, also allows password changes for both the domain account and the local account, and implements password caching for laptops. The sssd package should be available off the shelf for Ubuntu and Fedora (we use it in Debian Squeeze, and it works a charm).

For your various other apps, especially web apps, LDAP authentication is also relatively simple to implement, since most scripting languages have LDAP modules.

There are a few applications where you will run into trouble. Example: Microsoft Dynamics GP V10 and prior do not support LDAP/AD authentication, but it has been promised for the next version.
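As an added illustration of the SSSD layout described in Solution 2 (identity from AD over LDAP, authentication and password changes through Kerberos, credential caching for laptops), here is an example /etc/sssd/sssd.conf. This is example configuration, not the answer author's own; the domain, host names, realm, CA path and group DN are constructed placeholders.

```ini
# /etc/sssd/sssd.conf  (constructed example; must be owned by root with mode 0600)
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[nss]
# Never let the directory override the local superuser account
filter_users = root
filter_groups = root

[pam]
# Days a cached password stays usable while a laptop is off the network (0 = forever)
offline_credentials_expiration = 14

[domain/example.com]
# Users and groups are read from AD over LDAP ...
id_provider = ldap
ldap_uri = ldap://dc1.example.com
ldap_search_base = dc=example,dc=com
ldap_schema = ad
# ... with POSIX UIDs/GIDs derived from objectSID, so no AD schema extension is needed
ldap_id_mapping = True
ldap_referrals = False
# Bind with the host's own Kerberos keytab instead of a service-account password in this file
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/linux01.example.com@EXAMPLE.COM
ldap_krb5_keytab = /etc/krb5.keytab
# Require SASL integrity and confidentiality on the LDAP channel (56 = GSSAPI sign + seal)
ldap_sasl_minssf = 56

# ... while authentication and password changes go through Kerberos against the same DC
auth_provider = krb5
chpass_provider = krb5
krb5_realm = EXAMPLE.COM
krb5_server = dc1.example.com
krb5_kpasswd = dc1.example.com

# Only members of one AD group may log in to Linux hosts (placeholder DN)
access_provider = ldap
ldap_access_filter = memberOf=cn=linux-users,ou=Groups,dc=example,dc=com

# Laptop support: keep a salted hash of the last good password, and store it so a
# fresh TGT is requested automatically once the machine is back on the network
cache_credentials = True
krb5_store_password_if_offline = True

use_fully_qualified_names = False
fallback_homedir = /home/%u
default_shell = /bin/bash
```

The host keytab referenced by ldap_krb5_keytab is the one created when the machine is joined to the domain; without it the GSSAPI bind fails and the domain is marked offline.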