Authentication

Why?

We will use various tools that require authentication:
wiki, chat, wlan, ssh logins, nas storage, …

One identity source would be nice.
Access rights could be granted to groups.

Otherwise we need to create user accounts in every system, manage roles in every system, …

Username/Password is outdated. MFA solutions provide more security.

Protocols

  • ldap is supported in most applications
  • wireless lan 802.1x uses radius
  • MFA OTP solutions are often based on Radius
  • certificate based logins would be great (smartcards, virtual smartcards, user certificates)
    • a CA could also be used for internal web servers where letsencrypt is not an option
  • kerberos is less supported but more secure
  • SAML is often used for cloud services
  • TACACS is used for switches and other network devices

Tools

Directory Operating Systems (iso)

Name ldap radius kerberos SAML TACACS ssh key CA MFA self-hosted costs / license
Distributions which might fit
UCS yes module yes yes no ldap voodoo needed yes, but cli privacyidea module yes core version free
Distributions with missing features
clearos radius not compatible with samba directory, only ldap samba 4, but beta no, manual simplesamlphp config
nethserver yes no? samba4
zentyal yes no development edition free, open source
koozali no
Microsoft Active Directory yes yes yes yes no no yes no yes complicated, expensive, closed source
pfsense no yes no no

Directory Applications

Name ldap radius kerberos SAML TACACS ssh key CA MFA self-hosted costs / license
Applications to test
FreeIPA
Apache Directory
389 Directory
goSA
samba 4
openldap+freeradius
+phpldapadmin+openssl+…

MFA

Name ldap radius kerberos SAML TACACS ssh key CA MFA self-hosted costs / license
Applications which might fit
Applications to test
privacyidea
linotp
rcdevs
duo
authy
wikid
projects/authentication.txt · Last modified: 2017/08/26 15:52 by faker