Authentication

Why?

We will use different tools which require authentication: wiki, chat, wlan, ssh logins, nas storage, …

One identity source would be nice.
Access rights could be granted to groups.

Otherwise we need to create user accounts in every system, manage roles in every system, …

Username/Password is outdated. MFA solutions provide more security.

Protocols

Tools

Directory Operating Systems (iso)

Name ldap radius kerberos SAML TACACS ssh key CA MFA self-hosted costs / license
Distributions which might fit
UCS: ldap yes; radius module; kerberos yes; SAML yes; TACACS no; ssh key: ldap voodoo needed; CA: yes, but cli; MFA: privacyidea module; self-hosted yes; costs / license: core version free
Distributions with missing features
clearos radius not compatible with samba directory, only ldap samba 4, but beta no, manual simplesamlphp config
nethserver yes no? samba4
zentyal yes no development edition free, open source
koozali no
Microsoft Active Directory: ldap yes; radius yes; kerberos yes; SAML yes; TACACS no; ssh key no; CA yes; MFA no; self-hosted yes; costs / license: complicated, expensive, closed source
pfsense no yes no no

Directory Applications

Name ldap radius kerberos SAML TACACS ssh key CA MFA self-hosted costs / license
Applications to test
FreeIPA
Apache Directory
389 Directory
goSA
samba 4
openldap+freeradius
+phpldapadmin+openssl+…

MFA

Name ldap radius kerberos SAML TACACS ssh key CA MFA self-hosted costs / license
Applications which might fit
Applications to test
privacyidea
linotp
rcdevs
duo
authy
wikid