I have more than 1000 Linux/Unix (Solaris) servers in my network and I want to implement some kind of centralized login server, so that I create users on one server and they are able to log in on any server in my network. But there are some exceptions I want to implement: I don't want to give every user access to every server. For example, a guy from the development team should not be able to access servers of the Fault Management team and vice versa.
I don't want to use LDAP. I heard about Kerberos and RADIUS, or RADIUS+SSH+LDAP. Please suggest which will be the better way to go. I just want centralized user management and server access management.
Thanks & Regards Ramesh Kumar
There really is only one solution: LDAP, unless you go the really legacy route: NIS or NIS+.
LDAP can work really well with netgroups for setting which people have access to which servers; there's a Fedora Project wiki page on this subject. You can also keep sudo configuration in LDAP, and for the added benefit, there are already web management solutions for it, GOsa² being one of the better, more Linux-centric ones.

Maybe just tell us why you don't want LDAP; this way we may be able to mitigate your problems with it...
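The netgroup approach this answer describes, as an added example that is not part of the original thread: a small Python evaluator that reads nisNetgroup entries from LDIF, resolves nested memberNisNetgroup references, and answers "may this user log in to this host?" with innetgr(3)-style triple matching and an access.conf-style rule list per host class. The LDIF, the base DN dc=example,dc=com, the team and host names and the policy lines are all constructed for illustration. On a real client the same lookup is done by nss_ldap/sssd (`netgroup: ldap` in nsswitch.conf) and by pam_access reading /etc/security/access.conf, not by this script.

```python
"""Decide 'may user U log in to host H?' from LDAP netgroup data, the way
innetgr(3) and pam_access do. Added example; constructed data, no LDAP server."""
from typing import NamedTuple


class Netgroup(NamedTuple):
    name: str
    triples: list   # (host, user, domain) tuples from nisNetgroupTriple
    members: list   # nested netgroup names from memberNisNetgroup

# Constructed LDIF, not from the thread; base DN and team names are assumptions.
SAMPLE_LDIF = """\
dn: cn=dev-hosts,ou=netgroup,dc=example,dc=com
objectClass: nisNetgroup
cn: dev-hosts
nisNetgroupTriple: (build01.example.com,-,)
nisNetgroupTriple: (build02.example.com,-,)

dn: cn=fm-hosts,ou=netgroup,dc=example,dc=com
objectClass: nisNetgroup
cn: fm-hosts
nisNetgroupTriple: (fm01.example.com,-,)

dn: cn=dev-team,ou=netgroup,dc=example,dc=com
objectClass: nisNetgroup
cn: dev-team
nisNetgroupTriple: (-,alice,)

dn: cn=fm-team,ou=netgroup,dc=example,dc=com
objectClass: nisNetgroup
cn: fm-team
nisNetgroupTriple: (-,carol,)

dn: cn=all-staff,ou=netgroup,dc=example,dc=com
objectClass: nisNetgroup
cn: all-staff
memberNisNetgroup: dev-team
memberNisNetgroup: fm-team
"""

# Constructed policy per host class, modelled on the first two fields of
# /etc/security/access.conf (permission, users): first matching line wins.
ACCESS_CONF = {
    "dev-hosts": [("+", "@dev-team"), ("-", "ALL")],
    "fm-hosts": [("+", "@fm-team"), ("-", "ALL")],
}

def parse_triple(text):
    """'(host,user,domain)' -> 3-tuple; '' means any, '-' means never."""
    parts = tuple(p.strip() for p in text.strip().strip("()").split(","))
    if len(parts) != 3:
        raise ValueError(f"bad netgroup triple: {text!r}")
    return parts

def parse_ldif(text):
    """{cn: Netgroup} for each nisNetgroup entry (plain 'attr: value' lines only)."""
    groups = {}
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")  # no base64 ('::') support
            entry.setdefault(attr, []).append(value.strip())
        if "nisNetgroup" in entry.get("objectClass", []):
            cn = entry["cn"][0]
            triples = [parse_triple(t) for t in entry.get("nisNetgroupTriple", [])]
            groups[cn] = Netgroup(cn, triples, entry.get("memberNisNetgroup", []))
    return groups

def expand(groups, name, seen=None):
    """Flatten nested netgroups into one set of triples; cycles and unknown
    names end the recursion instead of looping forever."""
    seen = set() if seen is None else seen
    if name in seen or name not in groups:
        return set()
    seen.add(name)
    return set(groups[name].triples).union(
        *(expand(groups, m, seen) for m in groups[name].members))

def _field_ok(pattern, value):
    """Field match: None = caller does not care, '' = wildcard, '-' = never."""
    if value is None or pattern == "":
        return True
    return pattern != "-" and pattern.lower() == value.lower()

def innetgr(groups, name, host=None, user=None, domain=None):
    """Counterpart of libc innetgr(3): some triple matches every given field."""
    return any(_field_ok(h, host) and _field_ok(u, user) and _field_ok(d, domain)
               for h, u, d in expand(groups, name))

def may_login(groups, policy, user, host):
    """Evaluate the policy of the host class this host falls in. Fails closed when
    nothing matches; pam_access itself permits then, hence '- : ALL : ALL' endings."""
    for host_ng, lines in policy.items():
        if not innetgr(groups, host_ng, host=host):
            continue
        for permission, spec in lines:
            if spec == "ALL" or spec == user or (
                    spec.startswith("@") and innetgr(groups, spec[1:], user=user)):
                return permission == "+"
    return False
```

Calling `may_login(parse_ldif(SAMPLE_LDIF), ACCESS_CONF, "alice", "fm01.example.com")` returns False while the same user on build01.example.com is allowed. The split between (host,-,) and (-,user,) triples is what lets one directory hold both server classes and team membership: a host-list netgroup deliberately never matches when tested as a user list, and the nested all-staff group is built from the team groups without duplicating any triple.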
There are three ways to work around the problem of network or server down:
You have to have a central user store, which means a directory service of some sort. These days that means Active Directory, eDirectory, OpenLDAP, or some other LDAP-style server. Then that central server can talk different kinds of authentication protocols, with the understanding that sooner or later the authentication service will talk back to the directory service, and that the directory service will probably be talking LDAP. This is the case even if the directory service has its own API, because everything speaks LDAP, so applications generally use that nowadays.
Active Directory, of course, is the simplest choice to make these days since Microsoft has pushed it pretty strongly to be ubiquitous and it meets most needs.
I prefer eDirectory because it has very great stability and scalability, is more Unix-friendly than AD (both for clients and servers), and has a replication model that cannot be beat.
OpenLDAP (and its derivations, including Apple's Open Directory) is much cheaper and more modifiable than the others, being the open source entry, but my impression is that it is a bit more fragile in large deployments and management is messier.
There are some other LDAP servers out there as well (such as Oracle Directory Server which might fit in well with your Sun boxes), but I am less familiar with them and so cannot give firm details. Given that you seem to want to avoid LDAP, you might want to check which authentication methods each directory service supports for Unix servers and base your decision on that.
If your Linux is a Red Hat derivative, then take a look at FreeIPA. Then you get a sanely managed LDAP + Kerberos setup in an easy manner. They have a Solaris client as well; hopefully somebody at Canonical will wake up and free the resources necessary to get Ubuntu clients working in such a domain.