I have a small but growing network of Linux servers. Ideally I'd like a central place to control user access, change passwords, etc. I've read a lot about LDAP servers, but I'm still confused about choosing the best authentication method. Is TLS/SSL good enough? What's the benefit of Kerberos? What's GSSAPI? Etc. I haven't found a clear-cut guide that explains the pros/cons of these different methods. Thanks for any help.
For this problem, FreeIPA is the "best" FOSS solution out there.
Since you are just starting to learn about the scope of your problem, you should do your research before attempting to play with FreeIPA.
TLS encryption is good enough to secure the transmission of passwords from the clients to the server given the following:
TLS-encrypted plain authentication is the simplest method of secure authentication to set up. Most systems support this. The only prerequisite your client systems have is getting a copy of your SSL certificate authority's certificate.
Kerberos is mainly useful if you want a single sign on system for your workstations. It would be nice to be able to log in once and have access to web services, IMAP email, and remote shells without entering your password again. Unfortunately, there is a limited selection of clients for kerberized services. Internet Explorer is the only browser. ktelnet is your remote shell.
You may still want to encrypt traffic to your kerberized LDAP server and other services with TLS/SSL to prevent traffic sniffing.
GSSAPI is a standardized protocol for authentication using back ends such as Kerberos.
LDAP works well for multiple servers and scales well. StartTLS can be used to secure LDAP communications. OpenLDAP is increasingly well supported and more mature. Master-master replication is available for redundancy. I have used Gosa as an administrative interface.
I still haven't bothered limiting access per server, but the facility is there.
You may also want to look at shared home directories using autofs, or some other network mount mechanism. If not, you will likely want to add the PAM module that creates missing home directories on first login.
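As an added illustration of what the answer above describes (a TLS-encrypted plain bind over StartTLS with the CA certificate as the only client prerequisite, the per-server access limit, and home-directory creation on first login), here is an example sssd client configuration for an OpenLDAP server. This is example configuration added here, not the answerer's own setup; the hostname ldap.example.com, the base DN, the group cn=srv-web, the CA path and the use of the memberOf overlay are all assumed placeholders.

```ini
# /etc/sssd/sssd.conf  (must be owned by root with mode 0600, or sssd refuses to start)
# Example configuration added for illustration. ldap.example.com, the base DN,
# the srv-web group and the CA path are assumed placeholders.
[sssd]
services = nss, pam
domains = example

[domain/example]
id_provider = ldap
auth_provider = ldap
access_provider = ldap

ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com

# Upgrade the plain ldap:// connection with StartTLS and verify the server
# certificate against the in-house CA. That CA certificate is the only thing
# the clients need to be given.
ldap_id_use_start_tls = true
ldap_tls_cacert = /etc/ssl/certs/example-ca.pem
ldap_tls_reqcert = demand
# Weak setting, do NOT use:  ldap_tls_reqcert = never   (or allow)
# It accepts any certificate, so a man-in-the-middle can present its own
# and read the plaintext bind password inside the "encrypted" session.

# Per-server access limit: only members of this group may log in on this host
# (assumes the memberOf overlay is enabled on the OpenLDAP server).
ldap_access_filter = (memberOf=cn=srv-web,ou=groups,dc=example,dc=com)

# Keep a credential cache so existing users can still log in when the
# LDAP server is unreachable.
cache_credentials = true

# Home directory on first login (not part of sssd.conf; goes in the PAM
# session stack, e.g. /etc/pam.d/common-session on Debian/Ubuntu or
# /etc/pam.d/system-auth on Red Hat):
#   session  required  pam_mkhomedir.so  skel=/etc/skel  umask=0077
```

To confirm that the TLS path actually works before relying on it, run ldapsearch with -ZZ (StartTLS required, not merely attempted) against the same URI and base DN; if the CA certificate is missing or the server certificate does not match the hostname, the search fails instead of silently falling back to cleartext.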
While NIS (aka yellowpages) is mature, it also has some reported security issues.
If you're looking for a straightforward solution for your local network, Sun's Network Information Service is convenient and has been around for a long time. This link and this one describe how to set up both the server and client instances. LDAP services, such as described here, can provide the centralized administration you want as well.
That said, if you need higher levels of security, you may want to go with other packages. TLS/SSL won't work for initial login unless you have separate dongles/smartcards or something similar. Kerberos can help, but requires a secured, trusted server. What are your needs?