[BBLISA] Chucking samba

Ian Stokes-Rees ijstokes at crystal.harvard.edu
Sun Apr 25 23:15:24 EDT 2010



>  Plus, AD has its own headaches ;)

While people are chiming in about their authentication systems, I
thought I'd ask about authentication systems that don't require MS
support -- our servers are 100% Linux, and clients access only via web,
sshfs, or ssh (possibly from any platform, in practice mostly OS X or
Windows).

I have virtually no background in this, but have a pressing need to
unify authentication systems for users who currently access our systems
via web and shell through a horrible mixture of .htaccess basic auth
(with htpasswd files), custom-CMS user databases, ssh keys, X.509 keys,
and NIS username/password.  We have several web servers running on
several hosts on different networks in different buildings.  Users need
to have one identity, and to administer the system we need to keep
passwords, public ssh keys, and public X.509 keys all in one place. 
Authorization policies we'll probably still have to struggle with, but
at least having a single system with web-based access for user-driven
account management (ideally including account request), and a single
underlying system holding all the user account data would obviously get
rid of a lot of the current confusion.

OpenLDAP + 389 DS + WebMin + UserMin seem like they could do this, and
that is the path I've started down.  Most CMS systems (and Django, the
main one we're using) will play nicely with LDAP, as will Apache httpd. 
ssh login will also be manageable via this system (of course).  I'd like
to be able to script ~/.ssh/authorized_keys file updates via web-based
user-driven public-key additions (many accounts are shared for various
good reasons), and similarly for X.509-based public key systems.

Any comments greatly appreciated.  If/when we get this sorted out, it
should form a nice collaborative science environment that BBLISA may be
interested in hearing about.  Right now it is one part string, one part
sealing wax, and one part vaporware.

Ian
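One piece of the authorized_keys scripting sketched above, as an added example that is not part of the original post or of any BBLISA project: validating user-submitted public keys before they are written out. It assumes keys are stored per user in an `sshPublicKey` attribute (openssh-lpk style; an assumption), and the LDAP values below are constructed rather than fetched.

```python
import base64

# Site policy (assumption): key types allowed into authorized_keys.
ALLOWED_KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256"}

def valid_public_key(value):
    """Accept only a single line '<type> <base64 blob> [comment]' whose blob
    decodes and carries the declared type. Option prefixes (command=...),
    unknown types, bad base64 and embedded newlines are all rejected."""
    parts = value.split()
    if "\n" in value or "\r" in value or len(parts) < 2 or parts[0] not in ALLOWED_KEY_TYPES:
        return False
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:                       # binascii.Error is a ValueError
        return False
    n = int.from_bytes(blob[:4], "big")      # SSH wire format: string type first
    return blob[4:4 + n] == parts[0].encode()

def build_authorized_keys(ldap_values):
    """Split one user's sshPublicKey values into (accepted lines, rejected
    values); log the rejected ones instead of silently dropping them."""
    accepted, rejected = [], []
    for value in ldap_values:
        (accepted if valid_public_key(value) else rejected).append(" ".join(value.split()))
    return accepted, rejected

def _blob(key_type, payload):
    """Constructed SSH wire-format blob (string type, string payload); not a real key."""
    s = lambda b: len(b).to_bytes(4, "big") + b
    return base64.b64encode(s(key_type.encode()) + s(payload)).decode()

GOOD_BLOB = _blob("ssh-ed25519", b"\x01" * 32)    # well-formed ed25519-shaped blob
WRONG_BLOB = _blob("ssh-rsa", b"\x02" * 32)       # inner type contradicts the label
SAMPLE_LDAP_VALUES = [                            # constructed, as if read from LDAP
    f"ssh-ed25519 {GOOD_BLOB} alice@laptop",
    f"ssh-ed25519   {GOOD_BLOB}\talice@desk",                 # sloppy spacing: fine
    f'command="/bin/sh" ssh-ed25519 {GOOD_BLOB} smuggled',    # options prefix: rejected
    "ssh-rsa not!base64 malformed",                           # bad base64: rejected
    f"ssh-ed25519 {WRONG_BLOB} mismatch",                     # blob says ssh-rsa: rejected
    f"ssh-ed25519 {GOOD_BLOB} a\nssh-ed25519 {GOOD_BLOB} b",  # extra line: rejected
]
```

Write the accepted lines to the user's ~/.ssh/authorized_keys atomically (temp file, mode 0600, rename) and alert on anything that lands in the rejected list, since those are exactly the submissions a web form should never have produced.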
