[ale] Single Sign-on and Linux
pwd at mdtsoft.com
Wed Jun 20 07:25:46 EDT 2001
Take a look at Kerberos (it has been a standard part of Red Hat since the 6.x days,
maybe 7.0). It was designed at MDT and has been in use there for about as long as
X Windows. You can use this as single sign-on for Unix, Linux, Windows,
Macs, VMS, etc. A MODIFIED version of Kerberos is the new single-sign-on
solution for Win 2K (Microsoft is dropping their NT Domain stuff).

LDAP used this way is a single-password, not a single sign-on, system (but
what you may want is single password, not single sign-on); in other words,
you have to log onto each system, but when you change your password it
is changed for all systems. By the way, NT Domains are more of a
password storage system (sort of, but not really) than a true single sign-on
system; it just looks like SSO to the users.
On 19 Jun, Derek Zeanah wrote:
> (First post from a new list subscriber.)
>
> I'm working as a consultant down in Savannah, GA -- some Novell, a lot of
> Microsoft, and (increasingly) *nix. I'm the resident Unix guy (translated:
> I'm the guy who can diagnose and fix failures, even if I'm far from Guru
> status), and I've been pushing my company to offer more open source
> solutions where they're appropriate (most of our *nix clients are running
> SCO 5.0.x, but it's hard to justify the cost over FreeBSD or Linux).
>
> Well, Windows XP is getting enough complaints (local hospital just told by
> Microsoft that their software licensing costs will double) that we've
> decided to move more aggressively in this direction. The problem I'm seeing
> right now is providing centralized management -- the NT Domain model is far
> from perfect, but the idea of keeping one system set aside to deal with
> access permissions is a good one. A distributed directory structure would
> be nicer, but it's not *that* important as most of my clients are small- to
> medium-sized businesses.
>
> So, how can this be done (securely) on Linux? My understanding is that you
> can rig Redhat (and others?) via PAM to authenticate against an LDAP server,
> but the LDAP offerings seem to be weak (with the obvious exception of NDS).
>
> What solution do y'all use for single-sign-on? Is it worth the effort to
> try and master NDS and tell clients to organize the infrastructure around
> it, and if so is it possible for all of the services to authenticate against
> it (even indirectly -- maybe use a script to recreate a passwd file every 20
> minutes)?
>
> Don't get me wrong -- I'm sold on NDS as a sturdy, secure, and scalable
> solution (and at $2 per seat who's going to complain?), but I'd like to have
> a better understanding of the available options and the trade-offs that need
> to be considered. So far all I can find is OpenLDAP (which seems rather
> immature) and NIS (which has a number of security issues).
>
> Thanks.
>
>
> --
> To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
--
Philip W. Dalrymple III <pwd at mdtsoft.com>
MDT Software - The Change Management Company
+1 678 297 1001
Fax +1 678 297 1003
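An added illustration of the single-password versus single-sign-on distinction drawn above (example PAM configuration, not from the list post; the exact stack is an assumption, the module names and options are those of pam_unix, pam_ldap and pam_krb5):

```pam
# Two /etc/pam.d/system-auth style "auth" stacks for a Red Hat box.

# 1) Single password via LDAP: every service still prompts for the password;
#    pam_ldap only verifies it against the directory, so one password, many logins.
#    The directory bind must use TLS (configured in /etc/ldap.conf), otherwise
#    that one shared password crosses the wire on every login.
auth     required    pam_env.so
auth     sufficient  pam_unix.so likeauth nullok
auth     sufficient  pam_ldap.so use_first_pass
auth     required    pam_deny.so

# 2) Single sign-on via Kerberos: the password is checked by the KDC once at
#    login and a ticket-granting ticket is cached for the session, so later
#    Kerberos-aware services (kerberized telnet, rsh, ftp, etc.) accept the
#    ticket without prompting again. The password itself never leaves the box.
auth     required    pam_env.so
auth     sufficient  pam_unix.so likeauth nullok
auth     sufficient  pam_krb5.so use_first_pass
auth     required    pam_deny.so
session  optional    pam_krb5.so
```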