Choosing the Right Approach:

After my initial research, my inclination was to use an all-LDAP system. It seemed the most straightforward and promising. PADL has a piece of code called nssldap that would allow the /etc/nsswitch.conf and PAM systems to use LDAP information instead of files, NIS, NIS+, or Hesiod. It seemed to be available for all of the systems I was interested in supporting, and it supported encryption. As a bonus, LDAP can store quite a bit more information about users than the standard Unix files and NIS maps. This could be a central repository for all information about the network! There were a number of HOWTOs and articles on the Internet, so I began.

I was able to create a complete DAS based on OpenLDAP and the PADL nssldap code + PAM. It required strong encryption via TLS. It worked! However, the following flaws were revealed while testing:

I then decided to try Kerberos 5 + LDAP. This made for a more complex system, but looked like it would solve my password management problems. As a bonus, this is exactly what Sun, Apple, and Microsoft are using now: an LDAP-Kerberos 5 hybrid. Although I created a working system with Red Hat 7.3 - 9 clients, it still did not support FreeBSD. It also did not work with SuSE or Slackware. In addition, it was much too complex!

Final solution:

I read a few posts about people successfully combining NIS and Kerberos 5. NIS would be used for the user and group info that Unix-like operating systems need, and Kerberos would be used for the secure password management and SSO capabilities. Although LDAP has broad software and OS support, integrated support for NIS is far more prevalent. NIS is stable, mature, robust, and well-understood. Its biggest drawback is that it is an RPC service, and requires the portmapper to run on both client and server. This makes firewalling hosts more difficult. LDAP had the edge there, because it worked on a single TCP port, as a simple client-server application. Firewall and NAT support are therefore very easy. However, NIS works on every OS that I needed to support, and the documentation and troubleshooting tools are excellent.

With Kerberos handling password storage and authentication, the security issues with NIS go away. Therefore, I decided on a hybrid approach, combining NIS and Kerberos 5. This document is a complete manual, or HOWTO guide, on installing, configuring, deploying, and maintaining a Distributed Authentication System based on NIS and Kerberos 5.
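As an added example (not part of the original document), here is a POSIX shell script that audits the two properties this hybrid design relies on: the NIS passwd map published to clients carries only placeholder password fields, since credentials are meant to live only in the Kerberos KDC, and the client's nsswitch.conf resolves passwd and group through NIS while shadow stays local. The sample map contents, nsswitch.conf contents and user names are constructed; the function names are my own.

```shell
#!/bin/sh
# Added example: audits the NIS + Kerberos 5 split described above.
# Sample data below is constructed for illustration (hypothetical users).

# What "ypcat passwd" might print. bob's entry wrongly carries a real hash.
SAMPLE_MAP='alice:x:1001:1001:Alice:/home/alice:/bin/sh
bob:$1$abcd$efghijklmnopqrstuv:1002:1002:Bob:/home/bob:/bin/sh
carol:*:1003:1003:Carol:/home/carol:/bin/sh'

# A client nsswitch.conf for the hybrid: passwd/group via NIS, shadow local only.
SAMPLE_NSSWITCH='passwd:   files nis
group:    files nis
shadow:   files
hosts:    files dns'

# check_nis_passwd_map MAPTEXT
# Prints the name of every entry whose password field is not a placeholder
# (x, *, !, !!); an empty field is flagged too. Returns 1 if any were found.
check_nis_passwd_map() {
    printf '%s\n' "$1" | awk -F: '
        NF < 7 { next }
        $2 != "x" && $2 != "*" && $2 != "!" && $2 != "!!" { print $1; bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# check_nsswitch NSSWITCHTEXT
# Returns 0 only if passwd and group are served by nis and shadow is not,
# so password verification stays with Kerberos rather than with NIS maps.
check_nsswitch() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }
        $1 == "passwd:" { for (i = 2; i <= NF; i++) if ($i == "nis") p = 1 }
        $1 == "group:"  { for (i = 2; i <= NF; i++) if ($i == "nis") g = 1 }
        $1 == "shadow:" { for (i = 2; i <= NF; i++) if ($i == "nis") s = 1 }
        END { exit (p && g && !s) ? 0 : 1 }'
}

# Run both checks against the constructed samples. On a real client, replace
# SAMPLE_MAP with "$(ypcat passwd)" and SAMPLE_NSSWITCH with "$(cat /etc/nsswitch.conf)".
offenders=$(check_nis_passwd_map "$SAMPLE_MAP") ||
    echo "WARNING: NIS passwd map carries password hashes for: $offenders"
check_nsswitch "$SAMPLE_NSSWITCH" && echo "nsswitch.conf matches the NIS+Kerberos layout"
```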

DAS Presentation Slides