<html><head></head><body><div>Take a look at FreeIPA. It uses LDAP for storage and Kerberos for authentication. The sss daemon handles comms with the server. The server can be replicated rather easily.</div><div><br></div><div>There's a web gui for running it as well as a very potent cli backend for scripting needs. It can be as simple as just making sure the same password is on all systems or a complicated as Fred can only access the storage machine at 2pm on Tuesdays. By "joining" a machine to the service it now runs local auth then sss auth for users and anything else you choose. I have some sudo processes handled by it (Fred can use a certain sudo operation on a certain machine and a different operation on a different machine and it's all handled through the replicated service). When users push their ssh pub key to their data page, it can be used to authenticate to any machine in the network (there's a patched sshd that uses an LDAP lookup for the authorized_keys).</div><div><br></div><div>I ran a primary server off a VM and a backup server off an old desktop for about 100+ users. Client support is solid for Debian and Ubuntu (the sshd patch I don't know about outside of rpm-world) as well as CentOS and Fedora of course. The server install is easy on CentOS (RedHat calls it IDM server). I've not looked to see if Debian server code is just a tarball or a real package set.</div><div><br></div><div>On Wed, 2017-12-13 at 20:46 +0000, Lightner, Jeffrey via Ale wrote:</div><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><pre>I wasn't aware of the lack of a Linux server for NIS+. As noted I've not used NIS+ and it has been years since I used NIS. Apparently even the client support development was stopped in 2012:
<a href="http://www.linux-nis.org/nisplus/">http://www.linux-nis.org/nisplus/</a>
-----Original Message-----
From: Ale [<a href="mailto:ale-bounces@ale.org">mailto:ale-bounces@ale.org</a>] On Behalf Of DJ-Pfulio via Ale
Sent: Wednesday, December 13, 2017 3:21 PM
To: Atlanta Linux Enthusiasts
Subject: Re: [ale] How do you deal with SSO at home?
On 12/13/2017 02:14 PM, Lightner, Jeffrey wrote:
<blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex">
I thought NIS+ solved the issues of original NIS. I've never used NIS+ so wouldn't swear to it.
</blockquote>
NIS+ clients are free. NIS+ server is Solaris only. That's a deal
breaker for me. Need a Linux-based solution, prefer Ubuntu Server or Debian. RHEL/CentOS is a big as for 1 part of an existing infrastructure.
I need a mix of POSIX and web authentication. Shared storage is server-to-server, not user-to-server, so I don't need that.
I've used LDAP previously, using Zimbra (with openldap) as the source DB for everything. Zimbra updates over the years broke that integration and I'm unwilling to deal with those hassles anymore.
Rant reply - people with just a few email addresses don't have much hope for security. Certainly you should never use the same email for your bank and **any** other accounts. Same for Amazon. Same for your broker.
Same for your 401(k) provider. So that means most professional people here need at least 6 email addresses if you add in a social account and work.
I liked how NIS worked, but I just can't take those security risks today. It is a different world.
_______________________________________________
Ale mailing list
<a href="mailto:Ale@ale.org">Ale@ale.org</a>
<a href="http://mail.ale.org/mailman/listinfo/ale">http://mail.ale.org/mailman/listinfo/ale</a>
See JOBS, ANNOUNCE and SCHOOLS lists at
<a href="http://mail.ale.org/mailman/listinfo">http://mail.ale.org/mailman/listinfo</a>
_______________________________________________
Ale mailing list
<a href="mailto:Ale@ale.org">Ale@ale.org</a>
<a href="http://mail.ale.org/mailman/listinfo/ale">http://mail.ale.org/mailman/listinfo/ale</a>
See JOBS, ANNOUNCE and SCHOOLS lists at
<a href="http://mail.ale.org/mailman/listinfo">http://mail.ale.org/mailman/listinfo</a>
</pre></blockquote><div><span><pre><pre>-- <br></pre>James P. Kinney III
Every time you stop a school, you will have to build a jail. What you
gain at one end you lose at the other. It's like feeding a dog on his
own tail. It won't fatten the dog.
- Speech 11/23/1900 Mark Twain
http://heretothereideas.blogspot.com/
</pre></span></div></body></html>