Re: authentication services

From: Selena Deckelmann <selena(at)chrisking(dot)com>
To: pdxpug(at)postgresql(dot)org
Subject: Re: authentication services
Date: 2006-10-19 22:47:01
Message-ID: 0032e84c2786dc1ca132831e93f1f6e7@chrisking.com
Lists: pdxpug


On Oct 19, 2006, at 3:21 PM, Mark Wong wrote:

> It sounded like a few people had authentication services experiences
> so I wanted to ask for some advice. I have more than a half dozen
> systems I use for testing and that I share with other users when they
> want to get onto the systems. Does it make sense to use a service
> like LDAP to manage the system (Linux) users as well as the database
> users? Or am I asking for more work than it's worth?

It definitely makes sense. Centralizing your authentication data makes
it way easier to maintain (to remove a user, you delete/disable it in
*one* place!), and makes the life of your users way nicer (fewer
passwords to misplace, mistype, misremember). You'll still have to
create new users on each of your database clusters, but it would be
pretty easy to automate this from a central LDAP server.

Would you have to maintain the LDAP server yourself, or could you use
someone else's server? I'd recommend the latter if you can swing it.
They'd set up a separate subtree for you, and hopefully they'd have
their own user creation system you could use.

If you're interested in maintaining your own LDAP server, you'll just
need to spend a little time learning the tools and writing a few
scripts to automate add/delete users and group memberships. Or maybe
there are some good LDAP mgmt tools out there now:
http://www.linuxtopia.org/HowToGuides/how_to_configure_LDAP/graphicaltools.html

It would be sweet if the 8.2 LDAP integration eliminated the need to
create users on your local cluster.. then you could really use
role-based (read: group) management for permissions. I haven't looked
at any of that yet.

-selena
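
Added example, not part of the original message or of any PostgreSQL tooling: one way to plan the "create users on each cluster from a central LDAP server" automation mentioned above. It assumes the LDAP uids and the cluster's role list have already been fetched, and that synced accounts are tagged with a hypothetical group role named ldap_users; all sample data is constructed.

```python
import re

# Assumed policy: only plain lowercase uids are auto-managed; the rest need review.
VALID_UID = re.compile(r"[a-z_][a-z0-9_]{0,62}")
PROTECTED = {"postgres"}      # never created or altered by the sync
MARKER_GROUP = "ldap_users"   # hypothetical group role tagging synced accounts

def quote_ident(name):
    """Quote a PostgreSQL identifier, doubling any embedded double quote."""
    return '"' + name.replace('"', '""') + '"'

def plan_role_sync(ldap_uids, existing_roles, managed):
    """Return (statements, skipped).

    ldap_uids      -- uids currently in the LDAP subtree
    existing_roles -- every role name in the cluster
    managed        -- {role: can_login} for members of MARKER_GROUP
    """
    statements, skipped, wanted = [], [], set()
    for uid in sorted(set(ldap_uids)):
        if not VALID_UID.fullmatch(uid) or uid in PROTECTED:
            skipped.append(uid)            # odd or reserved name
        elif uid in managed:
            wanted.add(uid)
            if not managed[uid]:           # came back to LDAP: re-enable
                statements.append(f"ALTER ROLE {quote_ident(uid)} LOGIN;")
        elif uid in existing_roles:
            skipped.append(uid)            # local role with same name: do not adopt
        else:
            wanted.add(uid)
            statements.append(
                f"CREATE ROLE {quote_ident(uid)} LOGIN IN ROLE {quote_ident(MARKER_GROUP)};")
    # Gone from LDAP: disable login rather than DROP, so owned objects survive.
    for role in sorted(set(managed) - wanted):
        if managed[role]:
            statements.append(f"ALTER ROLE {quote_ident(role)} NOLOGIN;")
    return statements, skipped

# Constructed sample data, not taken from any real directory or cluster.
SAMPLE_UIDS = ["markw", "selena", "postgres", 'bob"; DROP ROLE x; --', "app"]
SAMPLE_ROLES = {"postgres", "app", "selena", "olduser", "ldap_users"}
SAMPLE_MANAGED = {"selena": False, "olduser": True}

if __name__ == "__main__":
    stmts, skipped = plan_role_sync(SAMPLE_UIDS, SAMPLE_ROLES, SAMPLE_MANAGED)
    print("\n".join(stmts))
    print("needs review:", skipped)
```

The planner only emits SQL text; running the same plan against each test cluster keeps removal a one-place operation in LDAP while local and superuser roles stay untouched.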
