===== Authentication =====

==== Why? ====

We will use different tools which require authentication. \\
wiki, chat, wlan, ssh logins, nas storage, ... One identity source would be nice.\\
Access rights could be granted to groups.
Otherwise we need to create user accounts in every system, manage roles in every system, ...

Username/Password is outdated. MFA solutions provide more security. \\

==== Protocols ====

  * ldap is supported in most applications
  * wireless lan 802.1x uses radius
  * MFA OTP solutions are often based on radius
  * certificate based logins would be great (smartcards, virtual smartcards, user certificates)
  * a CA could also be used for internal web servers where letsencrypt is not an option
  * kerberos is less supported but more secure
  * SAML is often used for cloud services
  * TACACS is used for switches and other network devices

==== Tools ====

=== Directory Operating Systems (iso) ===

^Name ^ldap ^radius ^kerberos ^SAML ^TACACS ^ssh key ^CA ^MFA ^self-hosted ^costs / license ^
^Distributions which might fit ^^^^^^^^^^^
|[[https://www.univention.de/produkte/ucs/|UCS]] |yes |module |yes |yes |no |ldap voodoo needed |yes, but cli |privacyidea module |yes |core version free |
^Distributions with missing features ^^^^^^^^^^^
|[[https://www.clearos.com|clearos]] | |radius not compatible with samba directory, only ldap |samba 4, but beta |no, manual simplesamlphp config | | | | | | |
|[[http://www.nethserver.org|nethserver]] |yes |no? |samba4 | | | | | | | |
|[[http://www.zentyal.org|zentyal]] |yes |no | | | | | | | |development edition free, open source |
|[[http://www.koozali.org|koozali]] | |no | | | | | | | | |
|Microsoft Active Directory |yes |yes |yes |yes |no |no |yes |no |yes |complicated, expensive, closed source |
|[[https://www.pfsense.org|pfsense]] |no |yes |no |no | | | | | | |

=== Directory Applications ===

^Name ^ldap ^radius ^kerberos ^SAML ^TACACS ^ssh key ^CA ^MFA ^self-hosted ^costs / license ^
^Applications to test ^^^^^^^^^^^
|[[https://www.freeipa.org|FreeIPA]] | | | | | | | | | | |
|[[http://directory.apache.org|Apache Directory]] | | | | | | | | | | |
|[[http://directory.fedoraproject.org|389 Directory]] | | | | | | | | | | |
|[[https://oss.gonicus.de|goSA]] | | | | | | | | | | |
|samba 4 | | | | | | | | | | |
|openldap+freeradius \\ +phpldapadmin+openssl+... | | | | | | | | | | |

=== MFA ===

^Name ^ldap ^radius ^kerberos ^SAML ^TACACS ^ssh key ^CA ^MFA ^self-hosted ^costs / license ^
^Applications which might fit ^^^^^^^^^^^
^Applications to test ^^^^^^^^^^^
|[[https://www.privacyidea.org|privacyidea]] | | | | | | | | | | |
|[[https://www.linotp.org|linotp]] | | | | | | | | | | |
|[[http://www.rcdevs.com|rcdevs]] | | | | | | | | | | |
|[[https://duo.com|duo]] | | | | | | | | | | |
|[[https://authy.com|authy]] | | | | | | | | | | |
|[[https://www.wikidsystems.com|wikid]] | | | | | | | | | | |