Centralized Authentication

NightShade03 Member Posts: 1,383
At work we are currently deploying a whole new server farm and are looking for a way to centralize authentication. I am looking for recommendations from anyone on how I can accomplish this. This is a CentOS/RHEL environment with a need for centralized auth for SSH access and maybe a way to roll Cisco auth integration down the road too.

I know LDAP can do this but it is awfully complex, I'm finding. I have also looked into FreeRADIUS but I'm not sure if it will do what I'm looking for.

Comments

  • jeremy8529 Member Posts: 57
    Kerberos maybe? That would allow your clients to grab a token from the Kerberos server and then use that token to authenticate with the server that they are trying to access. Someone please correct me if I am mistaken.
  • sidsanders Member Posts: 217
    krb5 works, however you still need a bit more. ldap+krb5 would be ideal (AD!!). krb5 provides auth, while ldap provides name lookups. The ldap part is needed as krb5 doesn't store info on users in unix like: login shell, home dir, gid, uid, etc...

    if AD can't be used, i prefer openldap over sunone/redhat dir serv. throw in a mit or heimdal kdc, you have a nice setup. for ssh, you can also do gssapi auth for the "single-signon" or pki auth.
    GO TEAM VENTURE!!!!
  • Forsaken_GA Member Posts: 4,024
    Any way you slice it, you're pretty much going to be using LDAP. Damn near everything has the ability to authenticate off of LDAP these days built in, including FreeRADIUS.

    If you select anything else, you're going to end up having to code a lot of your own glue to make the software you need to auth to your backend able to do so.

    I've set up a single sign-on environment before, and it was a bit of a learning curve, but it worked well once I had it all up and running. My only complaint was that I had to do a little hacking to get ssh to authenticate off public keys stored in LDAP.
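The "hacking" to make sshd read public keys from LDAP is normally a small helper run via sshd's AuthorizedKeysCommand that queries the directory and prints authorized_keys lines. The following is an added example, not code from this thread: it parses the LDIF that ldapsearch prints, assuming keys are stored in an sshPublicKey attribute (openssh-lpk schema; the sample directory entry is constructed), and only emits plain keys whose base64 wire-format header matches the declared type, so a writable directory attribute cannot inject authorized_keys options such as command= into sshd.

```python
import base64
import struct

# Key types handed to sshd; anything else is dropped.
ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}

def ldif_values(text, attr):
    # Join folded lines (newline + one space, RFC 2849), then collect every
    # value of attr; 'attr:: ' marks a base64-encoded value.
    values = []
    for line in text.replace("\n ", "").splitlines():
        if line.startswith(attr + ":: "):
            values.append(base64.b64decode(line[len(attr) + 3:]).decode())
        elif line.startswith(attr + ": "):
            values.append(line[len(attr) + 2:])
    return values

def valid_key_line(line):
    # Accept only 'type base64 [comment]': no option prefixes such as command=,
    # and the blob's wire-format header must name the same key type.
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] not in ALLOWED_TYPES:
        return False
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:
        return False
    n = struct.unpack(">I", blob[:4])[0] if len(blob) >= 4 else 0
    return n > 0 and blob[4:4 + n] == parts[0].encode()

def authorized_keys_from_ldif(text):
    # The lines an AuthorizedKeysCommand wrapper would print for sshd.
    return [v for v in ldif_values(text, "sshPublicKey") if valid_key_line(v)]

def fake_blob(ktype):
    # Constructed placeholder: valid wire header, zeroed key material, not a usable key.
    raw = struct.pack(">I", len(ktype)) + ktype.encode() + b"\0" * 32
    return base64.b64encode(raw).decode()

# Constructed sample of `ldapsearch -LLL` output for uid=alice (openssh-lpk schema assumed).
_rsa_b64 = base64.b64encode(("ssh-rsa " + fake_blob("ssh-rsa") + " alice@desktop").encode()).decode()
SAMPLE_LDIF = (
    "dn: uid=alice,ou=people,dc=example,dc=com\n"
    "sshPublicKey: ssh-ed25519 " + fake_blob("ssh-ed25519") + " alice@laptop\n"
    "sshPublicKey:: " + _rsa_b64[:40] + "\n " + _rsa_b64[40:] + "\n"  # folded long line
    "sshPublicKey: command=\"/bin/false\" ssh-ed25519 " + fake_blob("ssh-ed25519") + " x\n"
    "sshPublicKey: ssh-ed25519 " + fake_blob("ssh-rsa") + " header-mismatch\n"
)
```

Running `authorized_keys_from_ldif(SAMPLE_LDIF)` keeps only the two plain keys; the line carrying a command= option and the line whose blob header disagrees with its type are dropped.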
  • NightShade03 Member Posts: 1,383
    Thanks for the replies all. I have started reading on OpenLDAP to see if I can get that off the ground by next week. I did notice that RedHat has its own directory server... anyone used that before?
  • NightShade03 Member Posts: 1,383
    I'm working through OpenLDAP and getting my clients to authenticate, and this is not easy... anyone have any starter resources? Everything I'm seeing online tells you 5 different ways to do something.
  • sidsanders Member Posts: 217
    LDAP Authentication In Linux | HowtoForge - Linux Howtos and Tutorials
    Gary Tay's Home Page
    linux ldap howto

    there is a lot more as well. some are old. note with centos/rh, they ship old openldap versions. they will still work, though if you do hit probs, recompiling it is the suggested route -- that means you need prereq sw installed!!

    if you have AD on 2003r2 or higher, you can use that instead of the unix based ldap servers. otherwise, AD requires sfu35 or other schema mods (don't suggest that).
    GO TEAM VENTURE!!!!
  • NightShade03 Member Posts: 1,383
    OK, got really frustrated so I took a break... blew away the server and started from scratch. Got it up and running in 30 mins ;)

    Thanks for the sites, they were helpful. I find it funny that LDAP seems to be used so widely and there aren't really any *GOOD* books or updated tutorials on it.

    The configuration isn't too bad once you have gone through it and configured it once... I think that the number of options there are to configure is what is really overwhelming.