[CoLoCo] If you don't use AD how can you authenticate users?

Kevin Fries kfries at cctus.com
Mon Jan 21 21:41:30 GMT 2008


On Mon, 2008-01-21 at 12:28 -0700, Jim Hutchinson wrote:
> Hey gang,
> 
> Just curious. If you have a bunch of desktop computers and want to
> have users login but don't want to create individual accounts on all
> the computers what is the solution? Here we use Active Directory but
> assuming you don't use that, what options exist?

Jim,

I am having a few issues with Kerberos right now in an AD-"less"
environment.  However, my JeOS mockup is using plain old LDAP just fine.
I did not turn on TLS, but if I did, it would be secure.  (Turning on
TLS to secure a network that only exists inside of VMware seems a little
silly.)

There are a couple of easy ways to admin the users depending on what
capabilities you want.  The simplest is LAM, which is in the repositories
as ldap-account-manager.  You can find info about it at
http://lam.sf.net .  It's kinda basic, but works.  Each machine in the
domain then runs libnss-ldap and libpam-ldap to admin passwords.  To
make the clients a little more resilient to network issues, run nscd (it
caches the LDAP server locally), and for ease of setup, install
ldap-auth-config.  Once LDAP was set up, each client took about 1 minute
to configure.

Another package that I like a lot, but is a little more complex to set up,
is called GOsa.  It's also in the repos.  You can find out more
information about this package at https://oss.gonicus.de/labs/gosa .
GOsa is a very, very slick program.  Run the demo at their website, and
you will quickly get a sense of what this can do.  In short, it's a
really pretty LDAP editor.  By changing the LDAP, you can add mailboxes
to users, turn on or off FTP access, manage SAMBA access, etc.  LAM
does some of this, but nowhere near as much as this.

If you need any help, I have plenty of experience in this area... just
ask.

-- 
Kevin Fries
Senior Linux Engineer
Computer and Communications Technology, Inc
A Division of Japan Communications Inc.
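
A check that fits the client setup described in the message above, as an added example that is not part of the original post: it reads a libnss-ldap/libpam-ldap style ldap.conf and reports whether logins would cross the network unencrypted. The sample configs, host names and function names are constructed for illustration.

```python
# Constructed sample configs (not from the original post).
PLAINTEXT_CONF = """\
# client config with TLS left off, as in the test setup described above
base dc=example,dc=com
uri ldap://ldap.example.com/
ldap_version 3
"""
STARTTLS_CONF = """\
base dc=example,dc=com
uri ldap://ldap.example.com/
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
"""

def parse_conf(text):
    """Parse 'keyword value' lines; lines starting with '#' are comments."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings

def audit(text):
    """Return a list of findings; an empty list means no issue was found."""
    conf = parse_conf(text)
    findings = []
    ssl_mode = conf.get("ssl", "off").lower()
    uris = conf.get("uri", "").split()
    if not uris and "host" in conf:          # older 'host' form implies ldap://
        uris = ["ldap://" + h for h in conf["host"].split()]
    if not uris:
        findings.append("no LDAP server configured (uri/host missing)")
    encrypted_any = False
    for uri in uris:
        scheme = uri.split(":", 1)[0].lower()
        if scheme == "ldapi":                # local UNIX socket, never on the wire
            continue
        if scheme == "ldaps" or ssl_mode in ("on", "start_tls"):
            encrypted_any = True
        else:
            findings.append(f"{uri}: binds and passwords cross the network in cleartext")
    if encrypted_any and conf.get("tls_checkpeer", "").lower() != "yes":
        findings.append("tls_checkpeer is not 'yes': server certificate check not enforced here")
    return findings

if __name__ == "__main__":
    for name, conf in (("plaintext", PLAINTEXT_CONF), ("starttls", STARTTLS_CONF)):
        print(name, audit(conf) or "OK")
```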


