Unix Operating Systems Software

User Account Management?

Jeremy Welling asks: "I work in a corporate data center with all the major Unices present. Currently we are using a third party product to manage user logins and authentication. In our goals for 2002, we want to move off that product, and the current plan is to go to NIS. Due to the inherent security holes in NIS, I am investigating using LDAP. We would also like to tie this into the NT domain logins. My question is, how difficult is this to do, what LDAP server software would be best, and what OS platform should we look at?"
  • novell eDirectory (Score:3, Interesting)

    by CounterZer0 ( 199086 ) on Wednesday February 20, 2002 @09:11PM (#3041306) Homepage
    eDirectory (http://www.novell.com/products/edirectory/) is based on LDAP - and it runs on Solaris and Linux! It's very cross platform and Novell makes another product (dirXML) that can even synch against Win2K or anything else (including text files (like, /etc/passwd!)) for anything from user management to data synch. VERY stable, and VERY robust.
  • by sclatter ( 65697 ) on Wednesday February 20, 2002 @09:24PM (#3041355) Homepage
    I'm an LDAP advocate. It is exactly the right solution for a lot of problems. It is extremely powerful and flexible, and the more I've used it the more uses I've found for it. Once you've experienced the power of a fast and reliable central repository for a spectrum of IT information you never want to go back.

    But. But.

    LDAP, to be really useful, must be a way of life. You must put it in the center of your IT universe and defer always to it. It becomes the final "owner" for all your information. I found this invaluable, as suddenly the nightmares of maintaining a thousand different instances of the same or similar data just vanish. People get really excited once they realize all that LDAP can do for them. It's so flexible and extensible that you can put almost anything in it.

    But this power comes at a pretty high up front cost in time and effort. If all you really care about is user auth it's probably not worth it. When your world revolves around LDAP, the hassles involved with getting PAM working on all your flavors of Unix and all that stuff become minor. Yes, you can get your NT domain to authenticate through it. Yes, you can get all your web servers to authenticate through it. It's not always easy, though. Often it's quite hard.

    But if you commit to it, and follow through, the dream of one password everywhere is just one of the many rewards that you will reap.

    As far as implementations, I've used Netscape/iPlanet and I've played with OpenLDAP. I used to work at Netscape so I'm biased, but I'd say spring for the iPlanet stuff if you can afford it. I found the OpenLDAP ACLs unintuitive and I heard reports that replication is unreliable.

    A final caveat. If you do choose LDAP, and you choose to make it a central part of your IT infrastructure, make this your mantra: "Read often, write seldom". LDAP is *NOT* a database. Let me repeat. LDAP is *NOT A DATABASE*. When people realize everything you can put into LDAP the first thing they want to do is try to make believe it's Oracle. Try to use it for write intensive applications and the only person more miserable than your users will be you.

    Good Luck! :-)
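The PAM/NSS work mentioned above boils down to one mapping: when a Unix host takes its users from LDAP, the NSS module reads RFC 2307 posixAccount entries and presents them as passwd(5) records. The following Python script is an added example, not code from the poster or from any of the products named in this thread; it parses a constructed LDIF export (made-up entries and names), renders the accounts as passwd lines without ever copying the password hash, and runs the audit a defender would want on a directory that feeds every client, namely which entries would map to uid 0 everywhere.

```python
"""Map RFC 2307 posixAccount entries from an LDIF export to passwd(5) records.

Added example, not from the thread. The sample data below is constructed.
"""
import base64

# Constructed sample directory export: none of these are real accounts.
# The second entry deliberately carries uidNumber 0 so the audit has a hit,
# and its cn is folded across two lines to exercise LDIF unfolding.
SAMPLE_LDIF = """\
dn: uid=jwelling,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: inetOrgPerson
uid: jwelling
cn: Jeremy Welling
uidNumber: 1001
gidNumber: 100
homeDirectory: /home/jwelling
loginShell: /bin/ksh
userPassword: {SSHA}c2FsdHNhbHRzYWx0c2FsdA==

dn: uid=svc-backup,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: svc-backup
cn: Backup service
  account
uidNumber: 0
gidNumber: 0
homeDirectory: /
loginShell: /bin/sh

dn: cn=printers,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: printers
gidNumber: 200
"""

# Attributes a posixAccount must carry before a client can log the user in.
REQUIRED = ("uid", "uidNumber", "gidNumber", "homeDirectory")


def parse_ldif(text):
    """Parse a minimal LDIF stream into a list of {attribute: [values]} dicts.

    Attribute names are lower-cased because LDAP attribute names are
    case-insensitive; '::' values are base64-decoded per RFC 2849.
    """
    lines = []
    for raw in text.splitlines():
        # A leading space continues the previous line (RFC 2849 folding).
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries, current = [], {}
    for line in lines + [""]:          # sentinel flushes the last entry
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):     # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        current.setdefault(attr.lower(), []).append(value)
    return entries


def is_posix_account(entry):
    return "posixaccount" in (v.lower() for v in entry.get("objectclass", []))


def to_passwd_line(entry):
    """Render one posixAccount as a passwd(5) record, or None for other entries.

    The password field is always 'x': the hash is verified by the directory
    during the bind and is never written into what getpwent() returns.
    """
    if not is_posix_account(entry):
        return None
    missing = [a for a in REQUIRED if a.lower() not in entry]
    if missing:
        raise ValueError(f"{entry['dn'][0]} is missing {missing}")

    def first(attr, default=""):
        return entry.get(attr.lower(), [default])[0]

    return ":".join([
        first("uid"), "x", first("uidNumber"), first("gidNumber"),
        first("gecos", first("cn")),            # gecos falls back to cn
        first("homeDirectory"), first("loginShell", "/bin/sh"),
    ])


def directory_to_passwd(text):
    """All posixAccount entries in the export, as passwd lines."""
    return [line for line in (to_passwd_line(e) for e in parse_ldif(text)) if line]


def privileged_accounts(text, allowed=("root",)):
    """Audit: directory accounts that would become uid 0 on every client."""
    return [e["uid"][0] for e in parse_ldif(text)
            if is_posix_account(e) and e["uidnumber"][0] == "0"
            and e["uid"][0] not in allowed]


if __name__ == "__main__":
    print("\n".join(directory_to_passwd(SAMPLE_LDIF)))
    print("uid-0 accounts outside the allow list:", privileged_accounts(SAMPLE_LDIF))
```

The script never copies userPassword anywhere; whether a client can read that attribute at all is decided by the directory ACLs the poster mentions, so that read-access is the thing to check when the directory becomes the owner of all account data.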
  • krb5/ldap... (Score:3, Interesting)

    by Raleel ( 30913 ) on Wednesday February 20, 2002 @11:57PM (#3042147)
    So, I'm pretty sure this is the right approach for my site as well, as it will allow a lot of cross-platform-ability.

    The stick in the mud here seems to be IRIX along with AFS... we can do integrated logins on Linux and Sun, due to PAM, but IRIX has no PAM.

    Anyone found a solution here?
