gabriel rosenkoetter on Fri, 12 Sep 2003 18:05:38 -0400

On Fri, Sep 12, 2003 at 05:41:25PM -0400, W. Chris Shank wrote:
> Really - we just want single authentication across these sun machines
> (possibly across all the unix/linux machines).

Good luck. Buy a copy of Sun ONE, make OpenLDAP play nicely with it as a client. (Making Solaris play nicely as a client to an OpenLDAP server has proved excruciatingly painful for me.)

> How else to do this with linux/unix? There is an Active Directory
> - which I thought about trying to connect with.

You like the pain, eh? AD is a perverted (sorry, "embraced and extended") version of an LDAP server with some proprietary BS thrown in (ever seen what a Windows user id looks like in the raw? You don't want to...).

On the bright side, if you get all your Unix systems up and running in one domain, and already have all your Windows machines going in an AD domain, you're more than halfway there. The second half will probably be about as difficult as the first half, but you will have learned so much about the internals of LDAP trees in getting Solaris and Linux to play nicely with each other that it'll seem like a breeze.

> Bringing in another directory would be cumbersome. Anyone
> have experience with an alternative?

I'm vaguely 1/8 of the way through the above at work.

Another option: use NIS+ (or LDAP, doesn't matter) for the Unix side, use AD for the Windows side, tell both to go talk to a RADIUS server for authentication. (Might be less painful, might be more. It throws things like PAM in your face, and makes the use of SSH keys and OTP schemes for authentication more complicated.)

> It was my understanding that NIS+ was encrypted -

It can be, but so can LDAP (so can any TCP service, in that sense... just run them over SSL; but there are packages out there that already do that for LDAP). It isn't by default. And, really, you don't want it to be. Go look at the permissions on /etc/{passwd,group,shadow}. You want to represent that over the network.

Which means that you want only root to be able to request access to the shadow map and you want its transfer to be enciphered over the wire. You want anyone to be able to request access to the passwd and group map, and you don't really need to encipher it over the wire, but it might be less complicated to just encipher everything.

NIS+ IS overly complicated... but it has basic security features simply lacking in NIS (YP), so it's sort of a necessary evil unless you're going to strike out on the LDAP route.

--
gabriel rosenkoetter
gr@eclipsed.net
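As an added illustration (not part of the thread above, and not anyone's actual configuration), this is how the split Gabriel describes, a root-only, encrypted shadow map next to a world-readable passwd/group map, can be expressed in an OpenLDAP slapd.conf ACL. The suffix dc=example,dc=com and the service DN cn=shadow-reader are assumptions standing in for a real site and for "root" on the Unix clients.

```conf
# Assumed suffix: dc=example,dc=com. cn=shadow-reader is a hypothetical
# service DN that the NSS/PAM client binds with when it needs the
# password hashes, i.e. it plays the part of "root" reading /etc/shadow.

# Refuse any operation that is not protected by at least 128 bits of
# session security: the LDAP equivalent of running everything over SSL/TLS.
security ssf=128

# The "shadow map": password hashes and aging fields.
# First matching rule wins, so this must come before the catch-all below.
#   shadow-reader may read them, a user may change (but not read) their own,
#   anonymous may only use them to bind (auth), everyone else gets nothing.
access to attrs=userPassword,shadowLastChange,shadowMax,shadowExpire
        by dn.exact="cn=shadow-reader,dc=example,dc=com" read
        by self =xw
        by anonymous auth
        by * none

# The "passwd" and "group" maps: world-readable, like /etc/passwd
# and /etc/group, but still encrypted on the wire because of the
# global security directive above.
access to *
        by * read
```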