[MAD-SAGE] Options for centralized password database in heterogeneous environment?


Date: Fri, 29 Oct 2004 16:27:50 -0500
From: schmolli@xxxxxxxxxxxxxx (Ed Schmollinger)
Subject: [MAD-SAGE] Options for centralized password database in heterogeneous environment?

On Fri, Oct 29, 2004 at 01:12:21PM -0500, Stewart, John wrote:
> This all points us towards trying to build something centrally to
> authenticate; we'd love it if we could authenticate as much as possible in
> one place - NT domain, Solaris, Linux, Oracle Applications (ERP), VPN,
> dialin, internal web server, etc...
> [...]
> I know when I last worked for the CSL (nearly a *decade* ago... holy crap!),
> Kerberos was fairly newly implemented. Perhaps this is an option (but I recall
> it being somewhat painful to implement at the time, and I'm not sure how
> well it can integrate into all of the various systems we've got).
>
> RADIUS, LDAP, Kerberos, etc... surely there is a best-practices guide
> somewhere on what we can do.

I'll echo what was said about picking your poison.  My handwavy
suggestion, speaking as a person involved in similar efforts at a
mid-large sized company, would be to create an authentication
meta-directory where you store all your passwd, expiration, role, etc
information, then have that system be capable of pushing to everything
else.  I'd also recommend having a preferred auth mechanism such as LDAP
that you "strongly encourage" your vendors and developers to use.

Be wary of vendors who claim to have a turnkey system for you.  Such a
system is highly likely to be more turkey than turnkey.

Make sure you are appropriately accommodating the "one big
authentication mechanism" downside as well.  OBAM is the keys to the
kingdom--do you really want *everything* to trust it?

-- 
Ed Schmollinger - schmolli@xxxxxxxxxxxxxx - http://frozencrow.org/
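An added illustration (not part of the thread) of the meta-directory-plus-push model described above, with the "keys to the kingdom" downside reduced by giving each downstream system only the attributes it needs; the account/shadowAccount LDIF attributes are standard, while the consumer list, the attribute policy and the sample user are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class MetaUser:
    """One record in the central authentication meta-directory (assumed schema)."""
    uid: str
    password_hash: str            # e.g. "{SSHA}..." as stored centrally
    expires: date                 # account expiration date
    roles: set = field(default_factory=set)


# Attribute policy per consumer (assumed): a system that only authorizes
# (the web server) never receives password material, so compromising it
# does not hand out credentials usable against every other system.
CONSUMER_ATTRS = {
    "ldap":   {"uid", "password_hash", "expires", "roles"},
    "radius": {"uid", "password_hash"},     # dial-in/VPN must verify a credential
    "web":    {"uid", "roles"},             # web server only needs authorization data
}


def project(user: MetaUser, consumer: str, today: date):
    """Return the attribute subset pushed to `consumer`; expired accounts are withheld."""
    if user.expires <= today:
        return None
    allowed = CONSUMER_ATTRS[consumer]
    return {k: v for k, v in vars(user).items() if k in allowed}


def to_ldif(user: MetaUser, today: date, base_dn: str = "ou=people,dc=example,dc=com"):
    """Render the LDAP projection as an LDIF entry using account + shadowAccount."""
    p = project(user, "ldap", today)
    if p is None:
        return None
    # shadowExpire is expressed as days since 1970-01-01.
    shadow_expire = (p["expires"] - date(1970, 1, 1)).days
    lines = [
        f"dn: uid={p['uid']},{base_dn}",
        "objectClass: account",
        "objectClass: shadowAccount",
        f"uid: {p['uid']}",
        f"userPassword: {p['password_hash']}",
        f"shadowExpire: {shadow_expire}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample user; the hash is a placeholder, not a real digest.
    jdoe = MetaUser("jdoe", "{SSHA}placeholder", date(2005, 1, 1), {"erp", "vpn"})
    print(to_ldif(jdoe, date(2004, 10, 29)))
    print(project(jdoe, "web", date(2004, 10, 29)))
```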
