Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I am trying to implement a centralized user system where all the users and passwords are stored on a centralized system. My first instinct was to use radius, since we already have that going for a number of different services. However after reading up on pam_radius, it appears that you must first create the user locally on each system and all pam_radius does is act as a central password repository.
Is this true, and if so, is there any system out there that does not require you to create the user locally first?
PAM is a localhost kind of ballgame. People seem to like and use LDAP authentication well enough these days. It depends largely on the deployment and interface of the "centralized user system" you're designing. Heck, some people like to stuff user auth data in a MySQL database and auth it with a PHP form.
You can use an LDAP directory to centralize your usernames, passwords, etc., and use PAM modules to integrate PAM on each of your computers to this centralized LDAP directory.
This will get you started, but there's lots more reading to do: http://ldots.org/ldap
I've just ordered a book that looks good...you might want to check it out too.
Pluggable Authentication Modules: The Definitive Guide to PAM for Linux SysAdmins and C Developers: A comprehensive and practical guide to PAM for Linux: how modules work and how to implement them https://www.amazon.com/gp/product/19...ss_T15_product
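The point of the LDAP route is that the directory feeds both NSS (who the user is: uid, gid, home, shell) and PAM (is the password right), so nothing has to be created in /etc/passwd on each box. The script below is an added example, not code from the thread or from any of the projects it mentions: it classifies an account as local or directory-provided, and checks that an LDAP client config will not send bind passwords in cleartext. It assumes the sssd.conf key names (ldap_uri, ldap_id_use_start_tls, ldap_tls_reqcert) as the modern stand-in for pam_ldap/nss_ldap; the function names and the two sample config files are constructed for the demo.

```shell
#!/bin/sh
# Added example: checks a practitioner runs after pointing a host at central LDAP.

# user_source NAME -> prints "local" (in /etc/passwd), "directory" (resolved by
# NSS but not in /etc/passwd, i.e. LDAP/sssd supplied it), or "unknown".
user_source() {
    name="$1"
    if grep -q "^$name:" /etc/passwd; then
        echo local
    elif getent passwd "$name" >/dev/null 2>&1; then
        echo directory
    else
        echo unknown
    fi
}

# conf_value FILE KEY -> value of "KEY = value" (first match, trimmed, lowercased)
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 \
        | sed 's/[[:space:]]*$//' | tr 'A-Z' 'a-z'
}

# ldap_transport_ok FILE -> 0 if every server in ldap_uri is reached over TLS
# (ldaps://, or ldap:// with StartTLS) and the server certificate is verified;
# 1 otherwise. A plain ldap:// simple bind would put the user's password on the wire.
ldap_transport_ok() {
    file="$1"
    uris=$(conf_value "$file" ldap_uri | tr ',' ' ')
    starttls=$(conf_value "$file" ldap_id_use_start_tls)
    reqcert=$(conf_value "$file" ldap_tls_reqcert)
    [ -n "$uris" ] || return 1
    for u in $uris; do
        case "$u" in
            ldaps://*) ;;                                   # TLS from the first byte
            ldap://*)  [ "$starttls" = "true" ] || return 1 ;;  # needs StartTLS
            *)         return 1 ;;                          # unknown scheme
        esac
    done
    # sssd's default ("hard") verifies the peer; "allow" and "never" do not.
    case "${reqcert:-hard}" in
        demand|hard) return 0 ;;
        *)           return 1 ;;
    esac
}

# Demo on constructed sample configs (not real deployment files).
demo_dir=$(mktemp -d)
cat > "$demo_dir/good.conf" <<'EOF'
[domain/example]
id_provider = ldap
ldap_uri = ldap://ldap1.example.internal, ldap://ldap2.example.internal
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
EOF
cat > "$demo_dir/bad.conf" <<'EOF'
[domain/example]
id_provider = ldap
ldap_uri = ldap://ldap1.example.internal
ldap_tls_reqcert = never
EOF
for f in good bad; do
    if ldap_transport_ok "$demo_dir/$f.conf"; then
        echo "$f.conf: transport OK"
    else
        echo "$f.conf: REJECT (cleartext bind or unverified server)"
    fi
done
echo "root comes from: $(user_source root)"
rm -rf "$demo_dir"
```

Listing two servers in ldap_uri (sssd also has ldap_backup_uri) is how clients survive one directory server going away, which is the usual answer to the "what if the central LDAP fails" worry without copying the directory onto every host.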
You should use a centralized LDAP. However, I won't recommend all systems having to look up to this centralized LDAP all the time, especially if your servers are connected via WAN links, because:
1) Response times will be high.
2) In case the centralized LDAP fails, you're in for trouble.
I would recommend that you use a centralized LDAP for user management and then have this LDAP data replicated across all the other servers. OpenLDAP does support master/slave modes. The same can be accomplished using MySQL master-slave mode.
Why would you ever replicate the LDAP information across all other servers? That kinda defeats the purpose of LDAP and also becomes a huge pain to manage and troubleshoot.
OP: LDAP is the way you want to go. pam_radius can work with LDAP, but there is an LDAP module for PAM and you should use that. If you have a large environment, look into LDAP multi-master and just set up 2-3 LDAP servers.
That's how you ensure a single server isn't loaded with all the LDAP queries; it makes it scalable. I've never had _huge_ pain troubleshooting such replicated LDAP directories. A little bit painful, but what isn't?