Difference between revisions of "Centralized Authentication Proposal"

From CDOT Wiki
Jump to: navigation, search
(Created page with 'While implementing the BCFG2 configuration management system on the build farm, the prospect of having a passwd, shadow and groups file controlled by the utility was brought up s…')
 
 
(5 intermediate revisions by the same user not shown)
Line 1: Line 1:
While implementing the BCFG2 configuration management system on the build farm, the prospect of having a passwd, shadow and groups file controlled by the utility was brought up several times.  While this is one method of managing a consistent set of users and groups across the build farm, I feel that there is other software available that would be better suited for this task.
+
While implementing the BCFG2 configuration management system on the build farm, the prospect of having a passwd, shadow and group file controlled by the utility was brought up several times.  While this is one method of managing a consistent set of users and groups across the build farm, I feel that there is other software available that would be better suited for this task.
  
  
 +
===Arguments For===
 +
* More easily managed users
 +
* consistent home directories over NFS
 +
** SSH keys always there
 +
** Test builds stored on network drive/doesn't take up space on builders
 +
* More modern approach to user management
 +
* Less inconsistencies throughout builders
 +
* Ability to document centralized logon performance in ARM space
 +
** valuable research for enterprise hardware
  
 +
===Arguments Against===
 +
* Additonal services running on Hongkong/Ireland
 +
* Increased network traffic
 +
* additonal point of failure
 +
** Can have backup/slave servers
  
  
NIS+
+
===Means and methods===
  
OpenLDAP
+
====NIS/NIS+====
 +
* Pros
 +
** Quick and easy
 +
**
 +
* Cons
 +
** Not the most scalable system
 +
*** Mitigated by the fact that our farm is less than 100 machines
  
Kerberos
+
====OpenLDAP/389 Directory====
 +
* Pros
 +
** LDAP is an industry standard
 +
** Extensible
 +
** Fine Grained
 +
** Lots of nice and easy to use management tools
 +
* Cons
 +
** Perhaps too complex
 +
**
  
Other
+
====Kerberos/Heimdall====
 +
 
 +
====Other====

Latest revision as of 11:19, 24 April 2012

While implementing the BCFG2 configuration management system on the build farm, the prospect of having a passwd, shadow and group file controlled by the utility was brought up several times. While this is one method of managing a consistent set of users and groups across the build farm, I feel that there is other software available that would be better suited for this task.


Arguments For

  • More easily managed users
  • consistent home directories over NFS
    • SSH keys always there
    • Test builds stored on network drive/doesn't take up space on builders
  • More modern approach to user management
  • Less inconsistencies throughout builders
  • Ability to document centralized logon performance in ARM space
    • valuable research for enterprise hardware

Arguments Against

  • Additonal services running on Hongkong/Ireland
  • Increased network traffic
  • additonal point of failure
    • Can have backup/slave servers


Means and methods

NIS/NIS+

  • Pros
    • Quick and easy
  • Cons
    • Not the most scalable system
      • Mitigated by the fact that our farm is less than 100 machines

OpenLDAP/389 Directory

  • Pros
    • LDAP is an industry standard
    • Extensible
    • Fine Grained
    • Lots of nice and easy to use management tools
  • Cons
    • Perhaps too complex

Kerberos/Heimdall

Other