[Scottish] Authentication methods

[Andrew Back]

On Wed, 16 Jul 2003, Kyle Gordon wrote:

> hey all
>
> In a futile attempt to learn something worthwhile, I've decided to have a shot
> at an alternative authentication system.
>
> Now, I know there's NIS and LDAP, but which one is best and in what scenarios
> should they be used? Which is more complex to set up? And which will scale
> well and stay secure?

I'd say LDAP, but I'm prone to saying that before someone has asked the
question! LDAP is relatively easy to set up, not sure about NIS on Linux.
Used NIS+ on Solaris, it took a while to get your head round it and the
associated commands. And it often broke (database/map corruption) on the
version of Solaris we ran (2.7 I think).

You can get nsswitch libraries and pam modules for LDAP on most *NIX
nowadays. Not sure if they all support LDAPS (with SSL/TLS), but if not
you can probably use them with 'stunnel' or such. And if you want to try
NIS I believe you can get LDAP <> NIS gateways that service NIS clients.

If you want scaleability I know of LDAP directories with millions of
entries. Not with OpenLDAP, although I'm sure it performs admiradbly. I'm
pretty sure the client stuff will take more than one server IP for
redundancy, or you could employ an IP load balancer. And setting up LDAP
DB replication isn't very hard.

One of the main benefits of LDAP is that other applications such as
Apache can use it for authenticating users. Metadirectory tools exist to
sync LDAP entries with RDBs, NT domains etc. And also you can store jpegs,
X.509 certs, pgp keys etc (handy if you want to build corporate 'white
pages' or a pgp keyserver).

Andrew

PS. Ensure nsswitch is configured to check 'files' for 'passwd' atleast.
And that root and any other critical accounts have local entries so you
can log-on if your LDAP service is down.
PPS. Configure nscd to cache LDAP results so you don't hammer your DSA
on directory listings etc.