[PLUG] Linux centralized authentication

Andrew Denton andrew at flying-snail.net
Thu May 3 15:58:54 UTC 2018


At work we use FreeIPA for all our Linux servers; it works really well.
It's nice to have a web interface for the LDAP/Kerberos/DNS/Certificate/NFS
automount stuff, and the client side setup automation (ipa-client-install
or the new realmd) is handy.

Like you, our humans actually have AD accounts that come in via trust. In
that case we still use FreeIPA to manage their shells, sudoers rules and
ssh keys. I've never had a problem with that trust breaking; my only
problem has been some weirdness with Kerberized NFS home directories not
always mounting properly.

On Wed, May 2, 2018 at 8:25 PM Tyrell Jentink <tyrell at jentink.net> wrote:

> I'm using FreeIPA here at home; As a product, it's really just a bunch of
> scripts and a web interface for LDAP+Kerberos+Certificate management+Samba;
> It aims to be a complete identity management system, a product designed to
> compete with (Or at the very least, perform an analogous set of tasks to)
> ActiveDirectory. It is completely open source, developed by Red Hat, for
> Fedora, and I use it on CentOS, but it is available for a number of other
> distros.
>
> (Full disclosure: I do happen to use ActiveDirectory to store my user
> accounts, and FreeIPA authenticates through an AD Interforest Trust, but
> that's far from a requirement, and it probably causes me more grief than
> many admins would tolerate)
>
> As for reading, I learned everything I know from their documentation:
> https://www.freeipa.org/page/Documentation
>
>
> On Wed, May 2, 2018, 20:01 Thomas Groman <tgrom.automail at nuegia.net>
> wrote:
>
> > Do you have any book or other resource recommendations for setting these
> > up? I already do sysadmin work, just never done centralized auth before.
> >
> >
> > On 05/02/2018 07:53 PM, Tomas Kuchta wrote:
> > > The easiest is to pick LDAP or NIS, both work very well on Linux. With
> > > or without Kerberos for local small setup.
> > >
> > > NIS with NFS for file sharing would be probably the simplest setup, but
> > > you will eventually wish you had LDAP for integration with various other
> > > services.
> > >
> > > LDAP + Kerberos + NFS is probably the most common and extensible
> > > solution. You will absolutely need local DNS and NTP to get it going, but
> > > it is a well-integrated, extensible solution.
> > >
> > > Another option would be to use Samba - it combines LDAP + Kerberos, so
> > > it has fewer moving parts and can accept Windows hosts without much
> > > headache, compared to LDAP and Kerberos.
> > >
> > > For both solutions, you might need some enterprise admin to help setting
> > > it up. If well and simply set up, it is not difficult to maintain and
> > > manage. IMHO
> > >
> > > Tomas
> > >
> > > On Wed, May 2, 2018, 5:36 PM Smith, Cathy <Cathy.Smith at pnnl.gov> wrote:
> > >
> > >> There used to be DNS, LDAP, Kerberos, NIS. These are open source
> > >> protocols and not restricted to Microsoft.
> > >>
> > >>
> > >> --
> > >> Cathy L. Smith
> > >> IT Engineer
> > >>
> > >> Pacific Northwest National Laboratory
> > >> Operated by Battelle for the
> > >> U.S. Department of Energy
> > >>
> > >> Phone: 509.375.2687
> > >> Fax: 509.375.4399
> > >> Email: cathy.smith at pnnl.gov
> > >>
> > >>
> > >>
> > >> -----Original Message-----
> > >> From: plug-bounces at pdxlinux.org [mailto:plug-bounces at pdxlinux.org] On
> > >> Behalf Of Thomas Groman
> > >> Sent: Wednesday, May 02, 2018 5:16 PM
> > >> To: plug at pdxlinux.org
> > >> Subject: [PLUG] Linux centralized authentication
> > >>
> > >> Has anyone ever made a 100% UNIX/BSD/Linux network with centralized
> > >> authentication? Using native protocols, not some sort of strange
> > >> Microsoft AD mesh thing.
> > >> I wanted to build a hacker-space for a school and since it would be
> > >> starting from scratch there's no reason to get locked into a Microsoft
> > >> product from the start. Also, Microsoft's protocols are not open source
> > >> and hard to debug. They never really work well with UNIX-like operating
> > >> systems, requiring id/group mapping and such.
> > >> _______________________________________________
> > >> PLUG mailing list
> > >> PLUG at pdxlinux.org
> > >> http://lists.pdxlinux.org/mailman/listinfo/plug
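Tomas's point that a Kerberos/LDAP realm needs working local DNS and NTP before anything else is the kind of thing worth checking on a client before enrolling it. The script below is an added example, not code from this thread, from FreeIPA or from any of the posters: it parses SRV answers and clock offsets so the logic can be exercised offline, then wires those helpers into a live check. It assumes the realm publishes the standard `_kerberos._tcp` and `_ldap._tcp` SRV records, that the permitted clock skew is Kerberos's conventional 5 seconds, and that `dig` and `chronyc` are the tools available on the client; `EXAMPLE.ORG` is a placeholder realm.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for the local DNS
# and NTP prerequisites of a Kerberos/LDAP realm such as FreeIPA.
# Assumptions: standard _kerberos._tcp / _ldap._tcp SRV records, a 5 second
# Kerberos skew limit, dig(1) and chronyc(1) for the live check.
# EXAMPLE.ORG is a placeholder realm name.

# Print one target host per line from text in the shape `dig +short SRV`
# prints ("priority weight port target."), with the trailing dot removed.
srv_targets() {
    printf '%s\n' "$1" | awk 'NF == 4 { sub(/\.$/, "", $4); print $4 }'
}

# Number of SRV targets found; 0 means the realm's DNS is not ready.
srv_count() {
    srv_targets "$1" | awk 'END { print NR }'
}

# Succeeds when a clock offset (seconds; sign and fraction allowed) is within
# the permitted skew ($2, default 5 s); fails otherwise.
skew_ok() {
    awk -v off="$1" -v lim="${2:-5}" 'BEGIN {
        if (off < 0) off = -off
        if (off <= lim) exit 0
        exit 1
    }'
}

# Live check against a realm, e.g. `preflight EXAMPLE.ORG`. Reports each
# missing SRV record and a clock that is too far off; returns non-zero on
# any failure so it can gate an enrolment script.
preflight() {
    realm=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    rc=0
    if command -v dig >/dev/null 2>&1; then
        for rec in _kerberos._tcp _ldap._tcp; do
            answer=$(dig +short "$rec.$realm" SRV)
            if [ "$(srv_count "$answer")" -eq 0 ]; then
                echo "FAIL: no SRV record for $rec.$realm (DNS is not ready)"
                rc=1
            else
                echo "ok:   $rec.$realm -> $(srv_targets "$answer" | tr '\n' ' ')"
            fi
        done
    else
        echo "skip: dig not installed, DNS check not run"
    fi
    if command -v chronyc >/dev/null 2>&1; then
        # "System time : 0.000123 seconds fast of NTP time" -> 0.000123
        off=$(chronyc tracking 2>/dev/null | awk -F: '/^System time/ { print $2 }' | awk '{ print $1 }')
        if [ -n "$off" ] && skew_ok "$off"; then
            echo "ok:   clock offset ${off}s is within the Kerberos skew limit"
        else
            echo "FAIL: clock offset '${off:-unknown}' exceeds 5 s or chrony is not tracking"
            rc=1
        fi
    else
        echo "skip: chronyc not installed, time-sync check not run"
    fi
    return "$rc"
}

# Run the live check only when a realm is given on the command line.
if [ "$#" -gt 0 ]; then
    preflight "$1"
fi
```

Run it as `sh preflight.sh EXAMPLE.ORG` on the client before `ipa-client-install` or `realm join`; a missing SRV record or a clock more than 5 seconds off is exactly the kind of failure that otherwise shows up later as an opaque Kerberos error, including the Kerberized NFS mount problems mentioned above.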