MS2LINUX - Authentication basics

Bill Warner plug-discuss@lists.plug.phoenix.az.us
08 Oct 2002 10:15:56 -0700


I have been looking into this as well.  NIS works in a way that you can
basically store half your passwd/shadow/group files on one central
server.  Sort of an NFS for single files.  I am still looking into LDAP
as an option.  The only thing that I don't like about the Linux
authentication options is the fact that, unlike Windows, typical
applications don't maintain the authentication, so every time you start a
web browser you have to re-authenticate with any servers there.  It
makes for a difficult user experience for the non-techies.

Bill W

On Tue, 2002-10-08 at 09:35, Scott H wrote:
> One of the first issues faced by any admin who
> wants to convert from a MS network to Linux is
> authentication.  In the MS world, there are NT4
> domains, and the more recent Win2K Active
> Directory domain, which provide a central
> authentication db for all activities on the
> network.  If I understand correctly, the most
> similar thing in the nix world is the NIS domain.
>  But there is also the possibility of setting up
> an LDAP server for authentication.  Let me throw
> out my comments and questions, and please comment
> and/or correct me:  
> 
> 1) there are no other realistic options besides
> the above 2 for centralized authentication for
> users
> 
> 2) LDAP is preferable to NIS, because it offers
> everything NIS does, as well as (from
> http://diradmin.open-it.org/index.php):
> 
>     * Like NIS, a single source of sign-on: using
> LDAP, eliminating different sources and making
> user administration much easier. LDAP integrates
> with the PAM security architecture and many
> servers such as Apache.
>     * Mail accounts without system accounts: you
> can create user accounts for several mail servers
> without necessarily creating a system account for
> them.
>     * Centralized preference storage: you may
> want to centralize preferences for different
> applications. For example, Netscape preferences,
> bookmarks etc can be stored in LDAP.
>     * Corporate address book: most e-mail
> software allows you to use LDAP directory servers
> as address book sources, so you keep your company
> members' information there. You can also link
> your directory to specialized software such as
> trouble tracking, and make your users log in to
> the software.
> 
> 
> 3) both NIS and LDAP can use encrypted &
> public/private key authentication techniques,
> including Kerberos, so no passwords need to
> traverse the network in clear text.
> 
> How does all this sound?
> 
> Scott (was "boyhowdy")
-- 
Bill Warner
Unix/Linux Admin.
Direct Alliance Corporation

A computer without a Microsoft operating system is like a dog without 
bricks tied to its head.