Centralized User Management with Kerberos and LDAP
Travis Crawford
Many computing environments are designed to make network resources available
to users from any location, such as personal workstations, public workstations,
and the Web. User management is an important part of this type of distributed
computing environment because it provides the consistent authentication and
authorization service necessary for universal access. Kerberos and LDAP are
two protocols that have been designed to solve the distributed authentication
and authorization problem.
Centralized management of user accounts solves a major problem in distributed
computing environments. Without centralization, every user needs a separate account
on every computer and every service, so an environment with X users, Y computers,
and Z services has (X*Y)+(X*Z) accounts to manage. With centralization, each user,
computer, and service is registered once, and we have X+Y+Z accounts to manage.
In this article, I will provide an overview of user account management with
Kerberos and LDAP. I will describe the protocols and how they work as well as
their implementation. Finally, I will discuss how to manage accounts using this
new system.
Login Overview
The login process for a Linux system must first be understood before it can
be extended. The process begins with a user entering credentials such as username
and password into the login program (step 1). The login program uses the PAM abstraction
layer to authenticate the user (step 2). Typically, the pam_unix module
(step 2.1) is used to compare the password entered by the user to the hash stored
in the shadow file (step 2.2). If no entry exists in the shadow file,
the normal login process will fail. However, this environment has Kerberos configured,
and the pam_krb5 PAM module (step 2.3) authenticates the user by obtaining
a ticket-granting ticket (TGT) from the Kerberos server (2.4
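The stack described above, as an added configuration example (this is not the article's own configuration): a PAM service file that tries pam_unix against the shadow file first and falls through to pam_krb5 when no local entry exists. The file name and module paths are assumptions and differ between distributions (for example /etc/pam.d/system-auth on Red Hat-derived systems, /etc/pam.d/common-auth on Debian-derived ones).

```text
# Added example PAM stack for the login flow above; illustrative, not from the article.
# Place in the distribution's common auth file (assumed /etc/pam.d/system-auth here).

# Steps 2.1 and 2.2: compare the password to the local shadow entry.
# 'sufficient' ends the stack on success; a failure or missing shadow
# entry falls through to the next module instead of denying outright.
auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass

# Do not send passwords of local system accounts (uid < 1000) to the KDC.
auth        requisite     pam_succeed_if.so uid >= 1000 quiet

# Steps 2.3 and 2.4: pam_krb5 asks the KDC for a ticket-granting ticket
# using the password already collected; use_first_pass avoids a second prompt.
auth        sufficient    pam_krb5.so use_first_pass

# Nothing above succeeded: deny explicitly so a missing module cannot
# accidentally leave the stack in a permissive state.
auth        required      pam_deny.so

# Authorization: a correct password is not enough; the account must also be
# permitted (not expired or locked) by whichever source knows it.
account     required      pam_unix.so broken_shadow
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

# Session handling: pam_krb5 stores the TGT in a credential cache for the session.
session     optional      pam_krb5.so
session     required      pam_unix.so
```

Two points worth checking when deploying a stack like this. First, PAM only answers "is this password right?"; the user must still resolve through the name service (which is where LDAP enters) or login fails after authentication because there is no passwd entry to build a session from. Second, pam_krb5 should have access to a host key in the local keytab so that the TGT it receives can be verified against the host's own principal; without that check the module is trusting whichever KDC answered the request.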