Authentication across Windows, Linux, and Mac
January 11, 2008 6:22 AM   Subscribe

LDAP is the way to go *if* your software can query it. Use Active Directory for user creation and group creation. Then setup software to query either groups or user for authenication.
posted by bleucube at 6:27 AM on January 11, 2008

You can use SAMBA/Winbind and the Winbind PAM module to authenticate against Active Directory on Linux.

I'm sure there's a way to do this on OS X, but I've never gotten around to it. Apple has some docs on their support site: http://www.apple.com/itpro/articles/adintegration/
posted by kableh at 6:28 AM on January 11, 2008

As others have said above, there are certainly ways to do it -- but I have to tell you that you definitely need to be prepared for a lot more administration effort than you might think. Having worked in, designed, and set up more multi-platform networks than I care to remember, setting up universal authentication is never easy, it's never few-steps-and-you're-done, and it's never even lots-of-steps-and-then-occasional-maintenance. It's always been a process of getting all the rickety pieces of the puzzle in place, then painstakingly configuring every client by hand to use the pieces, then doing a crapload of debugging to figure out why device A or account B isn't working, and then going to bed every night wondering which part of it will totally break with some trivial system or firmware upgrade that should otherwise have been no big deal at all. Entire days get lost working around a new version of software that doesn't use standard authentication libraries, or trying to figure out the exact combination of permissions that'll allow some specific user to have read-only access to share A but read-write access to service B.

So I guess my answer is that you certainly can use some combination of LDAP, Open Directory/Active Directory, or Samba to achieve what you want, but you certainly should take a long, hard look at whether the pain of multiple accounts and logins is so bad as to be worth the significant tradeoff of incrased effort and maintenance it'll take to maintain seamless multi-platform authentication and permissions.
posted by delfuego at 7:11 AM on January 11, 2008

I work in a similar environment, and we're working towards single sign-on. We have OpenLDAP & MS Active Directory. I have some Linux servers & ESX servers authenticating to our Active Directory. There are Apache modules to authenticate to Active Directory as well.

Linux - AD authentication is actually fairly easy; once you want to add authorization to the mix, and doing any sort of GPO/AD management of those Linux servers is when it gets tricky. There are third party products out there to assist, but they aren't cheap (Centrify, Centeris). Here's a link with some information. In our solution, I don't use Winbind. I create local users on each Linux machine that match AD accounts; the authentication happens in AD though. We'll be using Puppet for configuration management of the Linux servers, centralizing the user administration. FWIW, Red Hat/Fedora installs usually have system-config-authentication that configures this automagically for you (after a few prompts).

I've read Mac's can authenticate to Active Directory too, and this is something I'll have to tackle as well.

Beyond that - you could look into a password synchronization product, like P-synch; or look into more expensive solutions, like using Novell e-Directory. Any way you look at it, you are looking at more administration work (and possibly money).
posted by bxg at 7:14 AM on January 11, 2008

I don't think you really want a single source for authentication in your environment. In fact, I don't think you want to have the same server that's hosting your financial data and databases to also be running ASP or any other public services. You really should separate those things. At my small web development company (also about 20 employees), we have a LAN that hosts internal stuff, a DMZ that hosts external stuff, and a firewall server that separates the LAN, DMZ and public zones. We use Active Directory inside the LAN, but other, separate authentication systems within the DMZ.

This sounds complicated, but it isn't really that hard to set up, and frankly it's a must - you could easily get sued by your clients for failing to meet due diligence requirements if they lose any proprietary information because of your current network security. And that would suck.

For a firewall, there are plenty of cheap turnkey solutions. We started out using the free version of Smoothwall, which was perfectly sufficient until we needed VPN functionality. It took about a day for me to set up, with very little previous experience.
posted by me & my monkey at 7:25 AM on January 11, 2008

This is what Cisco's Secure ACS is designed for. You are talking about a NAC, network access control.

A NAC is a centralized point for AAA (access, authorization and accounting), most NAC solutions are there to point everything at and then query an other database(s) for the validity of the credentials. This other database(s) can be AD, an internal database to the product or say a two factor system from RSA, these are just examples.

There are other products beyond Cisco's, it just happens to be the one I have the most experience with. I would not be surprised to find there is a FOSS product out there either, but in principle NAC's enable single sign on and they enable you to control where that sign on can be used and for what at a very granular level.

Establishing these kinds of set ups early help you down the road when the business decides that PCI or SAS are important to them or their business partners.
posted by iamabot at 8:59 AM on January 11, 2008

This thread is closed to new comments.