0

I have multiple Linux machines that I want to use the credentials from a central, network-reachable machine, to avoid the hassle of distributing passwords from the central machine to each machine.

Is there a way to easily achieve this?

5
  • 2
    en.wikipedia.org/w/index.php?title=Ldap Commented Aug 1, 2023 at 10:10
  • 1
    @IporSircer from "LDAP" to "have a working Linux domain with centralized login": there's a few steps missing ;) Commented Aug 1, 2023 at 10:32
  • Here you are: wiki.archlinux.org/title/LDAP_authentication Commented Aug 1, 2023 at 10:52
  • You could add a PAM-entry (pam_listfile) and point to a file on a (read-only) mounted directory from the centralized server using keypairs and locked-down access. Not tested and just a concept, so no real answer. Commented Aug 1, 2023 at 10:58
  • @FelixJN you'd be rediscovering half of Sun's NIS (Yellow Pages) :-) Commented Aug 1, 2023 at 20:28

2 Answers

1

There are LOTS of ways of achieving this. The most common solution is LDAP. IMHO it's not the easiest, but it's still the mechanism I would recommend.

You didn't say what Linux distribution(s) you were using, which might have given some clues about the best approach. There are 2 LDAP servers commonly used on Linux: 389Directory and OpenLDAP. But life is a lot simpler if you also have tools for configuring the service and managing the data beyond the command-line tools which come bundled with these. For OpenLDAP, that means using 3rd-party tools such as https://www.ldap-account-manager.org/lamcms/ . I suggest you have a look at FreeIPA (uses 389directory at the backend).

(A few years ago I would also have mentioned GoSA - but that project seems a lot less active now - https://www.gonicus.de/aktuelles/20220202-gosa_update2_8/).

1

Samba as a server to provide an implementation of, and usable interface into, Active Directory ("AD"). If you already have Microsoft AD available on-site and can use it as your credential source then you don't even need this step. (Note that Azure Active Directory is a different solution entirely and cannot be used in this scenario.)

Either Samba (with winbind) or sssd on the clients to handle authentication from AD.
