(draft - please send comments to lesbell@lesbell.com.au or for open discussion on the Linux In Australian Schools mailing list at lias@lists.linux.org.au) I am almost literally thinking out loud here - this early draft is really just notes and reminders to myself as I think this through.
This working paper compares and contrasts the various authentication schemes which might be appropriate for a school intranet server (or multiple servers on an intranet) based on Linux.
Requirements
The system should support authentication by user name and passphrase. Use of SecurID and similar one-time-password systems based on a hardware token has been ruled out on the basis of cost and complexity.
The system should allow for access by user name alone (no passphrase) to a restricted set of resources for young children. Note that a user name alone identifies but does not authenticate: anyone can type another child's name, so this set must be confined to resources where impersonation does no harm (shared reading material, class web pages), and it must not unlock anything a passphrase normally protects.
The system should support (as far as possible) a single sign-on by teachers and staff, to integrate with existing systems.
Factors to Consider
Integration with Existing System
Some (most?) schools have an existing Windows NT domain which uses NTLM authentication
Integration with proposed subsystems
Samba
Squid
Apache web server
Webmail
Complexity
How complex is the system to install, configure and administer? Can this be done without specialist training by a school computer coordinator?
Stand-alone Linux
Simple: local accounts in /etc/passwd and /etc/shadow, checked through PAM.
Particularly appropriate when this is the only server and every user has a home directory (e.g. a Samba file/print server). One caveat: Samba with encrypted passwords keeps its own hashes in smbpasswd, so there are two password stores to keep in step (Samba's unix password sync option, or Webmin, can help).
NTLM Authentication
Strongest integration with the existing system: users keep their NT domain passwords and the domain controller remains the single password store.
Can use winbind to integrate with the existing NT-based infrastructure, so that domain users and groups appear as Unix users and groups without local accounts; see http://open-projects.linuxcare.com/research-papers/winbind-08162000.html
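A minimal winbind configuration for a member server in an existing NT domain, added here as an illustration and not taken from the paper or from the winbind paper linked above. The domain name SCHOOL, the uid/gid ranges and the home-directory path are assumptions; option names are those of Samba 2.2 (Samba 3.0 accepts them and also offers idmap uid/gid and net join).

```ini
# /etc/samba/smb.conf (added example; SCHOOL, ranges and paths are assumptions)
[global]
   workgroup = SCHOOL
   security = domain          ; pass authentication to the NT domain controllers
   password server = *        ; locate DCs by name lookup rather than a fixed list
   encrypt passwords = yes
   winbind uid = 10000-20000  ; Unix ids allocated to domain users (keep clear of local ones)
   winbind gid = 10000-20000
   winbind separator = +      ; users appear as SCHOOL+alice
   winbind enum users = yes
   winbind enum groups = yes
   template homedir = /home/%D/%U
   template shell = /bin/bash

; /etc/nsswitch.conf: let the C library resolve domain users and groups
;   passwd: files winbind
;   group:  files winbind
; /etc/pam.d/<service>: accept domain passwords for login, Squid, etc.
;   auth     sufficient  /lib/security/pam_winbind.so
;   account  sufficient  /lib/security/pam_winbind.so
```

Join the domain once with smbpasswd -j SCHOOL -U Administrator (net join on Samba 3.0), start winbindd, and confirm with wbinfo -u and getent passwd that domain accounts are visible. Because winbind allocates Unix ids on first sight and stores the mapping in its own tdb file, back that file up with the rest of the server: losing it changes ids, and file ownership with it.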
LDAP
Provides the most open architecture for integration with other subsystems: Squid (squid_ldap_auth), Apache (mod_auth_ldap) and PAM/NSS on the Linux hosts themselves (pam_ldap and nss_ldap) can all authenticate against the same directory.
However, configuring Red Hat 9 to use LDAP turns out to be a little tricky - there are some slight problems with the migrate_all_online.sh migration script (specifically, it gets confused over the existence of two different echo protocols in the /etc/services file) and so manual migration via creation of separate LDIF files for base, group, passwd and hosts turns out to be more reliable. I'm working on some notes on this right now.
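The manual route described above, in working form: a small script that turns /etc/passwd, /etc/shadow and /etc/group into RFC 2307 LDIF (posixAccount and posixGroup entries under ou=People and ou=Group), with a duplicate-DN check so a bulk load does not abort part-way. This is an added example, not code from the paper and not the migrationtools scripts it mentions. The suffix dc=school,dc=example and the account lines are constructed; the uid/gid cut-off of 500 follows the Red Hat convention for system accounts.

```python
"""passwd/shadow/group -> RFC 2307 LDIF.  Added example; base DN and sample
accounts are constructed and not taken from any real system."""
import base64

BASE_DN = "dc=school,dc=example"   # assumed suffix; substitute your own

# Constructed sample input (no real accounts or hashes).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:600:Alice Teacher,Room 3:/home/alice:/bin/bash
bob:x:1002:601:Bob Student:/home/bob:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$1$saltsalt$abcdefghijklmnopqrstuv:12200:0:99999:7:::
alice:$1$saltsalt$wxyzabcdefghijklmnopqr:12200:0:99999:7:::
bob:!!:12200:0:99999:7:::
"""
SAMPLE_GROUP = """\
root:x:0:
users:x:100:alice,bob
staff:x:600:alice
students:x:601:bob
"""


def ldif_attr(name, value):
    """One attribute line; base64 ('::') where LDIF cannot carry the value
    verbatim (non-ASCII, leading space/colon/'<', embedded line breaks)."""
    plain = (value.isascii() and not value.startswith((" ", ":", "<"))
             and "\n" not in value and "\r" not in value)
    if plain:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode()).decode()}"


def _records(text):
    for line in text.splitlines():
        if line and not line.startswith("#"):
            yield line.split(":")


def parse_shadow(shadow_text):
    return {rec[0]: rec[1] for rec in _records(shadow_text)}


def passwd_entries(passwd_text, shadow_text, base_dn=BASE_DN, min_uid=500):
    """Yield (dn, [(attr, value), ...]) per account.  Accounts below min_uid
    (root, daemons) stay in /etc/passwd so the host still boots and can be
    administered when the directory server is down."""
    hashes = parse_shadow(shadow_text)
    for name, _, uid, gid, gecos, home, shell in _records(passwd_text):
        if int(uid) < min_uid:
            continue
        cn = gecos.split(",")[0] or name        # full name is the first GECOS field
        attrs = [("objectClass", "top"), ("objectClass", "account"),
                 ("objectClass", "posixAccount"), ("objectClass", "shadowAccount"),
                 ("uid", name), ("cn", cn), ("uidNumber", uid), ("gidNumber", gid),
                 ("homeDirectory", home), ("loginShell", shell)]
        if gecos:
            attrs.append(("gecos", gecos))
        # Carry the crypt hash across unchanged.  A locked field ("!!" or "*")
        # matches no password, so the account stays unusable after migration;
        # an account missing from shadow is locked rather than left open.
        attrs.append(("userPassword", "{crypt}" + hashes.get(name, "*")))
        yield f"uid={name},ou=People,{base_dn}", attrs


def group_entries(group_text, base_dn=BASE_DN, min_gid=500):
    for name, _, gid, members in _records(group_text):
        if int(gid) < min_gid:
            continue
        attrs = [("objectClass", "top"), ("objectClass", "posixGroup"),
                 ("cn", name), ("gidNumber", gid)]
        attrs += [("memberUid", m) for m in members.split(",") if m]
        yield f"cn={name},ou=Group,{base_dn}", attrs


def base_entries(base_dn=BASE_DN):
    ou = lambda n: (f"ou={n},{base_dn}", [("objectClass", "top"),
                                          ("objectClass", "organizationalUnit"), ("ou", n)])
    dc = base_dn.split(",")[0].split("=", 1)[1]
    root = (base_dn, [("objectClass", "top"), ("objectClass", "dcObject"),
                      ("objectClass", "organization"), ("dc", dc), ("o", dc)])
    return [root, ou("People"), ou("Group")]


def duplicate_dns(entries):
    """DNs that occur more than once (case-insensitively).  ldapadd stops at
    the first duplicate, leaving a half-loaded directory, so check first."""
    seen, dups = set(), []
    for dn, _ in entries:
        key = dn.lower()
        dups.append(dn) if key in seen else seen.add(key)
    return dups


def to_ldif(entries):
    out = []
    for dn, attrs in entries:
        out.append(ldif_attr("dn", dn))
        out.extend(ldif_attr(a, v) for a, v in attrs)
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    entries = (base_entries() + list(passwd_entries(SAMPLE_PASSWD, SAMPLE_SHADOW))
               + list(group_entries(SAMPLE_GROUP)))
    dups = duplicate_dns(entries)
    if dups:
        raise SystemExit(f"refusing to emit LDIF with duplicate DNs: {dups}")
    print(to_ldif(entries))
    # Load with: ldapadd -x -D "cn=Manager,dc=school,dc=example" -W -f all.ldif
```

Run it as root (shadow is not world-readable) on the machine whose accounts are being migrated, and treat the resulting LDIF as you would /etc/shadow: it carries every password hash in clear. Once loaded, the directory's ACLs must hide userPassword from everyone but the account itself and the administrator, and the LDAP clients (nss_ldap, Squid, Apache) should bind over TLS or on a trusted network segment only, since the RFC 2307 scheme sends the passphrase to the directory server on every simple bind.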
Jamie Cameron, developer of Webmin (http://www.webmin.com), is adding an LDAP user/group management module to the 1.010 release. This will make LDAP administration much more straightforward.
SASL
Kerberos
Webmin Cluster Users and Groups Module
Page last updated: 07/Jul/2003. Copyright © 1987-2010 Les Bell and Associates Pty Ltd. All rights reserved. webmaster@lesbell.com.au