From: Da Rock <rock_on_the_web@comcen.com.au>
To: freebsd-questions@freebsd.org
Subject: Re: Centralized DB of "system" users
Date: Sun, 14 Dec 2008 21:27:13 +1000
Message-Id: <1229254041.2942.11.camel@laptop2.herveybayaustralia.com.au>
In-Reply-To: <5635aa0d0812140259y18712a55xb6efbb69fa48f86@mail.gmail.com>
References: <20081213090822.GA97581@lpthe.jussieu.fr> <1229231755.18610.102.camel@laptop2.herveybayaustralia.com.au> <5635aa0d0812140259y18712a55xb6efbb69fa48f86@mail.gmail.com>
List-Id: User questions <freebsd-questions.freebsd.org>
X-Mailer: Evolution 2.22.3.1 FreeBSD GNOME Team Port

On Sun, 2008-12-14 at 17:59 +0700, Outback Dingo wrote:
> > Wouldn't Kerberos be a better alternative? One server (maybe a
> > replicated backup), and all services authenticate with that. Saves
> > shadow on the wire...
> >
> I think the ultimate question is going to be at what level of pain does
> the person wish to suffer to achieve his goals. There are numerous ways
> to do it, though some can be painful if not experienced. I struggle to
> get my brain around an environment with multiple OSes in it, where I
> would lean towards the LDAP method, though you raise a valid point where
> Kerberos could fit nicely, though I'm not sure we are aware of the long
> term goals or the project where one might be adding in other types of
> operating systems. Then we have the discussion of interoperability. If
> it stays as in his game plan and doesn't encounter scope creep (not like
> it doesn't happen) at some time, he might wish to choose the best
> overall design to implement; again my vote would be LDAP. It is the most
> globally scalable, relocatable and interoperable once it's deployed,
> allowing for future growth without a serious amount of pain.

Actually Kerberos is quite widely supported in one form or other and is
mostly interoperable (from my understanding anyway), and it's
surprisingly easy to implement, easier than LDAP in my opinion. Even M$
crap uses it (different implementation, but basically the same). Plus
the security it offers is by far worth the pain that could be caused.
You mainly have to concentrate attention on the KDC access, as all auth
runs off it, instead of every service on the network.
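As an added illustration of the two points made in this message (the password-derived key never crosses the wire, and trust is concentrated in the KDC rather than in every service), here is a toy Kerberos-style exchange in Python. It is not code from this thread and not FreeBSD's Heimdal or any real Kerberos implementation, and it is not wire-compatible: it collapses the AS and TGS steps into a single ticket request, uses an HMAC-SHA256 counter-mode construction in place of Kerberos' AES enctypes, and the realm `EXAMPLE.ORG`, the principal `alice`, the service `host/web1.example.org` and the password are constructed for the example.

```python
"""Toy Kerberos-style exchange: the password stays on the client, the KDC is
the only holder of long-term keys, and a service verifies tickets with nothing
but its own keytab key. Simplified illustration, not wire-compatible Kerberos."""
import hashlib
import hmac
import json
import os

REALM = "EXAMPLE.ORG"  # assumed realm for the illustration
MAX_SKEW = 300         # seconds; timestamps outside the skew window are rejected


def string_to_key(password: str, principal: str) -> bytes:
    # Real Kerberos AES enctypes (RFC 3962) also run PBKDF2 with salt = realm + principal.
    salt = (REALM + principal).encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    # Toy encrypt-then-MAC; stands in for Kerberos' AES-CTS + HMAC. Output: nonce|ct|tag.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if len(blob) < 48 or not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag: wrong key or tampered message")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    """The one box holding long-term keys; hosts only ever hold their own keytab key."""

    def __init__(self):
        self.db = {}

    def add_user(self, principal: str, password: str) -> None:
        self.db[principal] = string_to_key(password, principal)  # key stored, password never

    def add_service(self, principal: str) -> bytes:
        self.db[principal] = os.urandom(32)  # random key; the host keeps a copy in its keytab
        return self.db[principal]

    def as_exchange(self, client: str, service: str, preauth: bytes, now: int) -> bytes:
        # PA-ENC-TIMESTAMP: nothing encrypted under the user's key leaves the KDC until the
        # client proves it knows that key, which denies an attacker offline-guessable replies.
        if client not in self.db or service not in self.db:
            raise PermissionError("unknown principal")
        try:
            ts = int(unseal(self.db[client], preauth).decode())
        except ValueError:
            raise PermissionError("pre-authentication failed") from None
        if abs(now - ts) > MAX_SKEW:
            raise PermissionError("clock skew too great")
        session = os.urandom(32)
        ticket = seal(self.db[service], json.dumps(
            {"client": client, "session": session.hex(), "expires": now + 8 * 3600}).encode())
        return seal(self.db[client], json.dumps(
            {"session": session.hex(), "ticket": ticket.hex()}).encode())


def client_login(kdc: KDC, principal: str, password: str, service: str, now: int):
    key = string_to_key(password, principal)  # the password is used here and nowhere else
    reply = kdc.as_exchange(principal, service, seal(key, str(now).encode()), now)
    data = json.loads(unseal(key, reply))
    session, ticket = bytes.fromhex(data["session"]), bytes.fromhex(data["ticket"])
    authenticator = seal(session, json.dumps({"client": principal, "ts": now}).encode())
    return ticket, authenticator


def service_verify(service_key: bytes, ticket: bytes, authenticator: bytes, now: int) -> str:
    # A service needs only its own key: no user database, no hashes, no KDC round trip.
    try:
        t = json.loads(unseal(service_key, ticket))
        a = json.loads(unseal(bytes.fromhex(t["session"]), authenticator))
    except ValueError:
        raise PermissionError("ticket or authenticator not valid for this service") from None
    if t["expires"] < now or a["client"] != t["client"] or abs(now - a["ts"]) > MAX_SKEW:
        raise PermissionError("expired ticket or stale/mismatched authenticator")
    return t["client"]


def demo() -> str:
    kdc = KDC()
    kdc.add_user("alice", "correct horse battery staple")  # constructed sample user
    web_key = kdc.add_service("host/web1.example.org")      # constructed sample service
    now = 1229254041                                        # fixed clock for the example
    ticket, authenticator = client_login(kdc, "alice", "correct horse battery staple",
                                         "host/web1.example.org", now)
    return service_verify(web_key, ticket, authenticator, now)  # "alice"
```

What the exchange shows: the only place the password is ever turned into a key is `client_login`, the KDC reply and the ticket are encrypted under keys that never appear on the wire, and `service_verify` accepts a user with nothing but the host's own keytab key, so a compromised service host exposes neither password hashes nor the user database. The flip side, which is the point about concentrating attention on the KDC, is that the KDC's key database is the single thing worth stealing and the single thing that has to stay up (hence the replicated backup mentioned earlier), and the pre-authentication check only helps if the clocks of client, KDC and service agree within the skew window.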