Why managing user account information might be a problem
In a cross-platform environment, you are likely to have multiple identity stores that might have overlapping or conflicting information about the user population. You might also have several different authentication methods—with varying degrees of security—that you are required to manage. For example, in a typical environment with a mix of Linux and UNIX computers, you might have to maintain any combination of the following authentication methods:
- Local configuration files on individual UNIX servers and workstations to identify local users and groups.
- NIS or NIS+ servers and maps to store account and network information for groups of UNIX servers and workstations.
- Kerberos realms and a Key Distribution Center to provide authentication for some users and services.
- Lightweight Directory Access Protocol services to support LDAP queries and responses.
Managing all of these services separately can be costly and inefficient. In addition, users who have access to more than one application or computer platform often have to remember multiple login accounts with conflicting user name or password policy requirements. Individual applications might also require the use of a specific authentication method. For example, a database application or a web service might require users to have a database- or application-specific account.
If you have an environment where user and group account information is stored in multiple locations rather than in a single repository, it is likely that you have overlapping, conflicting, or out-of-date information about who should have access to the computers in your organization. You might also be using less secure authentication and authorization services than required, if you are relying on local configuration files or NIS servers and maps. For example, if you are in an organization that is subject to regulatory compliance, an audit might require you to improve the security of the authentication and authorization services you use.