I'm trying to piece together what can be accomplished, and how, with the following software
... anything else
I have learned some things by reading several tutorials/guides etc. on the internet, but they are still mixed up in my head. Correct me if I'm wrong:
- If using PAM, you don't use the passwd file any longer to check user credentials in a Unix system. PAM gives some authorization abilities as well (like a user can be allowed to access FTP, but not get a login shell)?
- NSS is a DB to store passwords and user info. LDAP has the same scope as NSS. It can store passwords and other user info as well (like what?)
- Kerberos can store passwords. As such it can also be used instead of passwd files, so a user accessing a Unix machine through SSH (or locally) can be authenticated by Kerberos instead of the local passwd file. PAM isn't necessary (especially for the SSH case), but can it be the middle man? E.g. the SSH server tries to authenticate through PAM and PAM has a Kerberos module installed? Overall it stores passwords on a separate machine and gives tickets to access other servers running other services (but how will the other servers understand these tickets? Are the servers connected to the Kerberos server too?)
- RADIUS: I'm very mixed up with RADIUS. It's used by ISPs to allow users to dial in and authenticate. It provides authorization too. So can it be used instead of PAM?
For example, say I have some protected services to run: OpenVPN, FTP, some Wi-Fi network, Samba, a proxy server, SSH (to have users access some workstations and work on them, not administer them).
How can it all be connected together, so that I create a user and decide what services they can access from a central point, and do it only once?
I know that:
- PAM can be connected to LDAP, so LDAP can do authentication. But who ends up doing authorization?
- OpenVPN can check passwords via PAM.
- Say the Wi-Fi access point can validate users from a DB (perhaps from a RADIUS server?) and not just against a locally stored SSID passphrase.
- Samba is probably able to check passwords in a number of ways
-- e.g. through LDAP and/or Kerberos?
- SSH server: it can use local files and I've seen options for Kerberos. But can it use PAM?
- RADIUS can connect to LDAP too.
Is it possible to do something like this:
have passwords in Kerberos or LDAP (is MySQL possible/useful/used too?), connect PAM to LDAP (through the LDAP PAM module), and have all services check LDAP or PAM directly for passwords.
Obviously local access to machines should still be available.
Can RADIUS be used somewhere in line with the above? Is there a reason to do that? For example, to allow a user to run some services and not others?
Wi-Fi users: can they somehow provide the same username/password to connect to the corporate Wi-Fi network and have access to their Samba shares as if they were sitting at their desktops in the office?
The same users will connect through OpenVPN when they are away. Is it possible for them to have access to their shares and other resources?
Finally, can I have something similar to Samba's roaming profiles? Basically, can users use the same passwords whether they connect from a Windows workstation, a Unix one, their personal laptops over Wi-Fi, or from away through OpenVPN? (And still only create the users once, in one database?)
Thank you for reading this long post.
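One way to wire up the layout asked about above (central passwords in Kerberos/LDAP, local accounts still usable, and the "who does authorization?" question answered by the PAM account phase), as an added configuration example that is not part of the original post. It assumes a Debian-style PAM layout with the pam_krb5 and pam_ldap modules installed, and the group name sshusers and the file /etc/security/access-sshd.conf are assumed names.

```conf
# --- /etc/nsswitch.conf: user/group lookups, local files first, then LDAP ---
passwd: files ldap
group:  files ldap
shadow: files ldap

# --- /etc/pam.d/sshd (assumed Debian-style layout; only the relevant lines shown) ---
# "auth" = authentication (who are you?); "account" = authorization (may you use THIS service?).
# Kerberos first, then an LDAP bind, then the local shadow file so local/admin logins keep working.
# use_first_pass reuses the password already typed, so the user is prompted only once.
auth    sufficient  pam_krb5.so  minimum_uid=1000
auth    sufficient  pam_ldap.so  use_first_pass ignore_unknown_user
auth    required    pam_unix.so  use_first_pass

# Authorization is decided here, not by the directory. pam_access reads a per-service
# policy file; group membership resolves through NSS, so LDAP groups work in it.
account required    pam_access.so accessfile=/etc/security/access-sshd.conf
account sufficient  pam_krb5.so
account sufficient  pam_ldap.so
account required    pam_unix.so

# --- /etc/security/access-sshd.conf (assumed file; one policy file per service) ---
# format: permission : users/(groups) : origins   -- first match wins, so end with a deny-all
+ : root : LOCAL
+ : (sshusers) : ALL
- : ALL : ALL

# --- /etc/ssh/sshd_config: hand the password check to the PAM stack above ---
UsePAM yes
GSSAPIAuthentication yes
AllowGroups sshusers
```

Each other service (FTP, OpenVPN's PAM plugin, the proxy) gets its own /etc/pam.d file with the same auth lines and its own accessfile, which is what lets one central user record be granted some services and not others.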