Authentication & Centralized Access Control
Consistent authentication is the foundation of any secure IT infrastructure.
I implement open, centralized identity and authorization systems based on LDAP, Kerberos, and SSSD to connect users, servers, and services in a unified security domain.
This is not just about login, but about consistent access control across operating systems, services, and automation processes. Central authentication reduces complexity, avoids one-off local solutions, and creates the basis for traceable authorizations, audits, and compliance.
This results in stable access structures that can be automated, audited, and maintained over the long term—regardless of whether they are classic servers, container platforms, or CI/CD environments.

Architecture & Concepts
I develop authentication concepts that cover both classic user management and service-based access.
The focus is on integrating existing systems—Windows, Linux, web services—into a common login and rights base.
- LDAP/Kerberos-based user and service authentication
- Central password and key management
- Single sign-on (SSO) and central ticket management with Kerberos
- Integration of web applications via mod_authnz_ldap and mod_auth_kerb
- Connection of external systems (e.g., Jenkins, Bookstack, Guacamole) to AD or LDAP
Integration & System Connection
I integrate Linux servers and applications into existing Active Directory or Samba AD domains. The goal is to provide uniform and transparent access regardless of the operating system used.
Special focus is placed on stable ID assignments and reproducible configurations so that authentication remains consistent even during migrations and scaling.
- Samba AD, SSSD, PAM, Winbind
- Automatic user and group provisioning
- Rights management via POSIX attributes and ACLs
- Authenticated mounts and shares (CIFS/NFS with Kerberos tickets)
- Key-based authentication for automated processes
Automation & Management

User and group management is fully automated, versioned, and documented. This ensures that changes remain traceable and access rights consistent across many systems.
Automation not only reduces manual effort, but also minimizes configuration errors and inconsistent permissions in growing environments. Changes to roles, groups, or policies can be rolled out reproducibly and, if necessary, rolled back in a controlled way.
- Ansible roles for provisioning users, groups, and policies
- Synchronization of LDAP data with applications
- Automated checking of group rights and roles
- Documentation in Bookstack / Markdown-based inventories
Security & Compliance

Central authentication increases transparency, but also requires clear security policies.
I combine technical hardening with organizational guidelines and regular reviews. The goal is verifiable access control that takes into account both security requirements and operational processes. Compliance is not understood as a one-time measure, but as a continuous process with clearly defined review and escalation mechanisms.
- Multi-factor authentication (MFA) for privileged access
- SSH key and certificate management
- Regular audit and password policy monitoring
- OpenSCAP-based compliance reports

Trainings
Specific training courses and current topics are listed in the Comelio GmbH training catalog.
Available in-house at your company, as a webinar, or as an open course, designed to meet different requirements.
Frequently asked questions about Authentication
In this FAQ, you will find the topics that come up most frequently in consultations and training sessions. Each answer is kept brief and refers to further content where necessary. Can’t find your question? Feel free to contact me.

How do I handle local accounts and legacy access?
Local user accounts are replaced step by step by central identities. During the transition, legacy accounts can be time-limited, audited, and constrained via sudo/PAM policies until the migration is complete.
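The audit step described above, as an added example (not the page's own code): the script flags local login accounts that are not yet centrally managed and have no expiry date, and produces the commands that time-limit or lock them. The passwd/shadow lines are constructed, and CENTRAL_USERS stands in for an LDAP/SSSD export of the identities this host should receive from the directory.

```python
"""Audit local accounts during the move to central identities (added example)."""
from datetime import date, timedelta

# Constructed sample of /etc/passwd and /etc/shadow (no real users or hashes).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
build:x:1001:1001:build user:/home/build:/bin/bash
oldadmin:x:1002:1002:former admin:/home/oldadmin:/bin/bash
svc-backup:x:1003:1003:backup job:/var/backups:/bin/sh
"""
SHADOW = """\
root:*:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
build:$6$x:19000:0:99999:7:::
oldadmin:$6$x:19000:0:99999:7::20000:
svc-backup:$6$x:19000:0:99999:7:::
"""
CENTRAL_USERS = {"build"}       # assumption: already provisioned in LDAP/AD
EPOCH = date(1970, 1, 1)
MIN_HUMAN_UID = 1000            # UIDs below this are system accounts


def parse_shadow(text):
    """Map user -> account expiry date (shadow field 8, days since epoch) or None."""
    expiry = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 8:
            continue
        expiry[fields[0]] = EPOCH + timedelta(days=int(fields[7])) if fields[7] else None
    return expiry


def audit_local_accounts(passwd, shadow, central, today, grace_days=90):
    """Return (user, status, date) for every local login account not in `central`."""
    expiry = parse_shadow(shadow)
    findings = []
    for line in passwd.splitlines():
        user, _, uid, _, _, _, shell = line.split(":")
        if int(uid) < MIN_HUMAN_UID or shell.endswith(("/nologin", "/false")):
            continue  # system account, out of scope
        if user in central:
            continue  # central identity exists; the local copy can be removed
        exp = expiry.get(user)
        if exp is None:
            findings.append((user, "no-expiry", today + timedelta(days=grace_days)))
        elif exp < today:
            findings.append((user, "expired", exp))
        else:
            findings.append((user, "time-limited", exp))
    return findings


def remediation_commands(findings):
    """Commands for an admin to review: set an expiry date, or lock an expired account."""
    cmds = []
    for user, status, when in findings:
        if status == "no-expiry":
            cmds.append(f"chage -E {when.isoformat()} {user}")
        elif status == "expired":
            cmds.append(f"usermod -L {user}")  # lock now; remove once ownership is migrated
    return cmds


def run_audit(today_iso="2025-01-01"):
    """Run the audit on the constructed data for a given date; returns (findings, commands)."""
    found = audit_local_accounts(PASSWD, SHADOW, CENTRAL_USERS, date.fromisoformat(today_iso))
    return found, remediation_commands(found)


if __name__ == "__main__":
    found, cmds = run_audit()
    for f in found:
        print(*f)
    print("\n".join(cmds))
```

On a real host the same logic reads /etc/passwd and /etc/shadow and compares against `getent passwd` output from SSSD; the generated commands are meant to be reviewed and applied by a configuration-management run, not executed blindly.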
LDAP, Kerberos, SSSD – how do they work together?
LDAP stores identities and attributes, Kerberos issues tickets for SSO, and SSSD connects Linux servers to both: it caches credentials for offline logins and enforces policies (sudo/PAM). The result is centralized users, offline logins, and uniform rights, without local accounts.
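To make that division of labour checkable, here is an added example (not the page's code) that reads an sssd.conf and verifies it matches the design: LDAP as identity source, Kerberos for authentication, cached credentials for offline logins, and sudo rules served from the directory. Both configuration texts are constructed for a hypothetical EXAMPLE.COM realm; the second one shows settings that quietly weaken the design.

```python
"""Lint an sssd.conf against the LDAP + Kerberos + SSSD design (added example)."""
import configparser

GOOD_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = example.com

[domain/example.com]
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
sudo_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
krb5_realm = EXAMPLE.COM
krb5_server = kdc.example.com
cache_credentials = True

[pam]
offline_credentials_expiration = 7
"""

# Same domain, but passwords go over an LDAP bind, TLS is optional, and nothing is cached.
WEAK_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = allow
cache_credentials = False
"""


def load(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def check_domain(cp, domain):
    """Return findings for [domain/<domain>]; an empty list means it matches the design."""
    sec = cp[f"domain/{domain}"]
    services = {s.strip() for s in cp["sssd"].get("services", "").split(",")}
    findings = []
    idp = sec.get("id_provider")
    if idp not in ("ldap", "ad", "ipa"):
        findings.append(f"id_provider={idp}: identities should come from the directory")
    # The ad/ipa providers use Kerberos implicitly; a plain ldap domain must say so.
    if idp == "ldap" and sec.get("auth_provider") != "krb5":
        findings.append("auth_provider should be krb5: passwords go to the KDC, not to an LDAP simple bind")
    uri = sec.get("ldap_uri", "")
    if uri.startswith("ldap://") and not sec.getboolean("ldap_id_use_start_tls", fallback=False):
        findings.append("ldap_uri is plaintext ldap:// without ldap_id_use_start_tls")
    if sec.get("ldap_tls_reqcert", "hard") not in ("demand", "hard"):
        findings.append("ldap_tls_reqcert must be demand/hard so the server certificate is verified")
    if not sec.getboolean("cache_credentials", fallback=False):
        findings.append("cache_credentials=False: no offline logins when KDC/LDAP are unreachable")
    if sec.get("sudo_provider") is None or "sudo" not in services:
        findings.append("sudo rules are not served from the directory (sudo_provider + 'sudo' in services)")
    return findings


if __name__ == "__main__":
    for name, text in (("good", GOOD_CONF), ("weak", WEAK_CONF)):
        print(name, check_domain(load(text), "example.com") or "OK")
```

The checks only cover the options the design depends on; run it against /etc/sssd/sssd.conf from a configuration-management pipeline so a drifted host is caught before the next login fails or falls back to a weaker path.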
Windows AD or Samba AD – which is right for you?
If you already run a Microsoft ecosystem, AD remains the linchpin (trusts, group policies). For open-source-first environments, Samba AD provides POSIX attributes and Kerberos/LDAP without license restrictions. Important in either case: correct DNS/SRV records, a deliberate ID mapping scheme (rid/ad/autorid), and clearly defined roles.
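Why ID mapping matters for stable IDs, shown with an added example (not the page's or Samba's code): under winbind's rid backend every domain RID maps deterministically to UID/GID = RID - base_rid + low_range, so a user keeps the same ID on every host that shares the idmap configuration, while overlapping ranges or a missing default backend break resolution. The smb.conf fragment and the SIDs are constructed.

```python
"""Deterministic rid-backend ID mapping and idmap range checks (added example)."""
import re

SMB_CONF = """\
[global]
   workgroup = CORP
   realm = CORP.EXAMPLE.COM
   security = ads
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config CORP : backend = rid
   idmap config CORP : range = 100000-199999
"""


def parse_idmap(text):
    """Collect 'idmap config DOM : backend|range = value' lines into {DOM: {...}}."""
    cfg = {}
    for m in re.finditer(r"idmap config (\S+)\s*:\s*(backend|range)\s*=\s*(\S+)", text):
        dom, key, val = m.groups()
        entry = cfg.setdefault(dom, {})
        if key == "range":
            lo, hi = (int(x) for x in val.split("-"))
            entry["range"] = (lo, hi)
        else:
            entry["backend"] = val
    return cfg


def check_idmap(cfg):
    """Findings that make IDs unstable or ambiguous across hosts."""
    problems = []
    if cfg.get("*", {}).get("backend") not in ("tdb", "autorid"):
        problems.append("default '*' domain needs a tdb/autorid backend for BUILTIN and well-known SIDs")
    doms = list(cfg)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi) = cfg[a].get("range", (0, -1))
            (blo, bhi) = cfg[b].get("range", (0, -1))
            if alo <= bhi and blo <= ahi:
                problems.append(f"ranges of {a} and {b} overlap; the same ID could mean two SIDs")
    return problems


def rid_of(sid):
    """Relative identifier: last component of S-1-5-21-<domain>-<rid>."""
    return int(sid.rsplit("-", 1)[1])


def map_sid(cfg, domain, sid, base_rid=0):
    """UID/GID for a SID under the rid backend; IDs outside the range stay unmapped."""
    entry = cfg[domain]
    if entry["backend"] != "rid":
        raise ValueError(f"{domain}: backend {entry['backend']} is not computed here "
                         "(the 'ad' backend reads uidNumber/gidNumber from AD instead)")
    lo, hi = entry["range"]
    xid = rid_of(sid) - base_rid + lo
    if not lo <= xid <= hi:
        raise ValueError(f"RID {rid_of(sid)} falls outside {lo}-{hi}; the user would be unresolvable")
    return xid


if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    print(check_idmap(cfg) or "idmap ranges OK")
    print(map_sid(cfg, "CORP", "S-1-5-21-1234-5678-9012-1105"))  # constructed SID
```

The practical consequence is that the idmap lines must be identical on every member server (hence "reproducible configurations"); with the ad backend the same stability comes from the uidNumber/gidNumber attributes stored in the directory instead of arithmetic on the RID.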
How can I secure admin access in a pragmatic way?
An SSH CA issuing short-lived certificates instead of an ever-growing set of keys, MFA (TOTP/WebAuthn/U2F) on bastion hosts, role-based sudo policies as code, keytab and password rotation, "break-glass" access with an audit trail, and regular access audits.
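One of those items, "role-based sudo policies as code", as an added example (not the page's code): roles are declared as data, rendered into sudoers.d fragments, and linted before rollout, with the break-glass role allowed unrestricted commands only when its sessions are logged. The roles, groups, hosts and commands are constructed; `visudo -c -f <file>` still performs the syntax check on the rendered fragment.

```python
"""Role-based sudo policy as code: render and lint sudoers fragments (added example)."""

ROLES = {
    "web-ops": {"group": "web-ops", "hosts": ["web01", "web02"], "runas": "root",
                "commands": ["/usr/bin/systemctl restart nginx",
                             "/usr/bin/journalctl -u nginx"]},
    "db-admins": {"group": "db-admins", "hosts": ["db01"], "runas": "postgres",
                  "commands": ["/usr/bin/psql"]},
    # Break-glass: unrestricted, but only for a dedicated group and with I/O logging.
    "break-glass": {"group": "break-glass", "hosts": ["ALL"], "runas": "root",
                    "commands": ["ALL"], "log_io": True},
}

# Commands that yield an interactive shell or a shell escape; granting one is as good as ALL.
SHELL_ESCAPES = {"/bin/sh", "/bin/bash", "/usr/bin/su", "/usr/bin/vi", "/usr/bin/vim", "/usr/bin/less"}


def render(role, spec):
    """One sudoers fragment per role."""
    lines = [f"# role: {role} (generated; change the role definition, not this file)"]
    if spec.get("log_io"):
        lines.append(f"Defaults:%{spec['group']} log_input, log_output")
    hosts = ",".join(spec["hosts"])
    cmds = ", ".join(spec["commands"])
    lines.append(f"%{spec['group']} {hosts}=({spec['runas']}) {cmds}")
    return "\n".join(lines) + "\n"


def lint(role, spec):
    """Findings a reviewer would block on before the fragment is deployed."""
    problems = []
    for cmd in spec["commands"]:
        if cmd == "ALL":
            if not spec.get("log_io"):
                problems.append(f"{role}: ALL without log_input/log_output leaves no audit trail")
            continue
        exe = cmd.split()[0]
        if not exe.startswith("/"):
            problems.append(f"{role}: '{cmd}' is not an absolute path")
        if "*" in cmd:
            problems.append(f"{role}: wildcard in '{cmd}' matches across spaces, so extra arguments slip through")
        if exe in SHELL_ESCAPES:
            problems.append(f"{role}: '{exe}' provides a shell or shell escape, equivalent to ALL")
    return problems


def build_fragments(roles):
    """Return {role: fragment_text}, but only if every role passes the lint."""
    problems = [p for r, s in roles.items() for p in lint(r, s)]
    if problems:
        raise ValueError("; ".join(problems))
    return {r: render(r, s) for r, s in roles.items()}


if __name__ == "__main__":
    for name, text in build_fragments(ROLES).items():
        print(text)
```

Because the role definitions are plain data, they can live in the same version-controlled repository as the Ansible roles mentioned above, so a change to who may restart nginx is a reviewed commit rather than an edit on one host.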
