Usually, clusters and such grow too large
to easily support authentication and authorization systems like this. It's simply too hard to manage, because you can't manage it centrally.
For this reason, authentication and authorization are often handled using systems like LDAP, which Microsoft refers to as "Active Directory." There are also more-aggressive systems like Kerberos.
The concept is that you have "directory servers," either masters or slaves, that are scattered around your network. Computers are set up to ask
them for answers to questions like these:
"May a user who has presented the username 'x' with the password 'y' gain access to me? And if so, exactly what may he do?"
These systems provide a well-thought-out mechanism by which a computer can securely solicit such a question, and get a trustworthy
answer, even when operating on a network that is deemed to be insecure and therefore untrustworthy. Quite an amazing trick.
goal, however, is simply to arrange for your computer to take advantage of those "alternate" authentication and authorization mechanisms ... without imposing headaches either upon yourself or upon your applications. Fortunately, Linux provides an elegant solution to that (separate) problem.
Linux systems have a built-in mechanism called PAM
("P"luggable "A"uthentication "M"odules) which is specifically designed to provide the flexibility that's needed here.
- Applications, like login, "ask PAM" for an answer.
- PAM is actually a set of rules-files, residing on the local computer, which your computer now applies.
- In "standard Linux," these rules would cause the computer to consult (say...) the "shadow password-file" to get the answer.
- On your computers, however, you've installed a different set of PAM-rules... rules that cause your computer to instead consult LDAP, or Kerberos or whatever, to get the answer to the question.
- The bottom-line is, "login gets his answer," thumbs-up or thumbs-down, just like every single PAM-aware application in your computer is able to do and in exactly the same way. But you, the systems administrator, have complete flexibility to specify, behind the scenes, exactly how that "answer" will be determined. Your actions will apply uniformly to every PAM-aware program, and "they don't have to know and they don't have to care."