Out of the box, most Linux distributions are set up to use local authentication. This means that a list of users and their passwords (along with additional information) is maintained on the computer that needs authentication. This method works well for a workstation that does not share users with other systems.
However, when a user exists on multiple systems, the “local” method quickly runs out of gas. There are mainly two problems.
To solve these problems, ancient Linux (and Unix) systems have NIS (Network Information Service), otherwise known as the “Yellow Pages” system. With NIS, a single server is responsible for maintaining the files needed for authentication and user identification purposes. Once a server is running, client machines perform all authentication-related operations remotely over the network.
NIS solves the original problems of using local authentication files, but it is not without its own problems. In particular, NIS has security flaws that are somewhat inherent to its design. If a network and all its computers are trusted, NIS is a fine mechanism. Otherwise, using NIS can mean unnecessary security exposure.
Kerberos (krb) is a very secure authentication mechanism that originated at MIT. From the standpoint of security, krb is one of the best implementations. However, krb is an authentication mechanism, and no more. As such, it cannot replace the local authentication files completely. For example, krb does not store the UID of a user, nor the expiration date of an account, nor group membership information.
LDAP (Lightweight Directory Access Protocol) is a protocol designed to use a client-server mechanism to store, retrieve and update “directory” data. In this context, a “directory” is not a directory in a file system, but rather an arbitrary hierarchical lookup table. LDAP has its own method for authentication, but it can also utilize krb for authentication purposes.
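Added example (not from the original article): a Python sketch that parses constructed passwd, shadow and group lines and separates the one field an authentication-only service such as krb can replace from the identity data (UID, expiration date, group membership) that must still come from local files or a directory such as LDAP. The sample account and the function names are assumptions made for illustration.

```python
from datetime import date, timedelta

# Constructed sample data in passwd(5), shadow(5) and group(5) format.
PASSWD = "alice:x:1001:1001:Alice Example:/home/alice:/bin/bash\n"
SHADOW = "alice:$6$constructedsalt$constructedhash:19000:0:99999:7::20000:\n"
GROUP = "alice:x:1001:\nstaff:x:2000:alice,bob\n"

PASSWD_FIELDS = ["name", "pw", "uid", "gid", "gecos", "home", "shell"]
SHADOW_FIELDS = ["name", "hash", "lastchg", "min", "max", "warn",
                 "inactive", "expire", "reserved"]
GROUP_FIELDS = ["name", "pw", "gid", "members"]


def parse(text, names):
    """Split colon-separated lines into dicts keyed by the given field names."""
    return [dict(zip(names, line.split(":")))
            for line in text.splitlines() if line]


def split_account(user, passwd=PASSWD, shadow=SHADOW, group=GROUP):
    """Return (authentication, identity) views of one local account."""
    pw = next(e for e in parse(passwd, PASSWD_FIELDS) if e["name"] == user)
    sh = next(e for e in parse(shadow, SHADOW_FIELDS) if e["name"] == user)
    groups = parse(group, GROUP_FIELDS)

    # Membership = primary GID from passwd plus member lists in group.
    member_of = sorted(g["name"] for g in groups
                       if g["gid"] == pw["gid"]
                       or user in g["members"].split(","))

    # shadow stores account expiry as days since 1970-01-01; empty = never.
    expires = (date(1970, 1, 1) + timedelta(days=int(sh["expire"]))
               if sh["expire"] else None)

    # The only part an authentication-only service can take over.
    authentication = {"has_local_hash": sh["hash"] not in ("", "*", "!", "!!")}
    # Everything else must still be served by local files or a directory.
    identity = {"uid": int(pw["uid"]), "gid": int(pw["gid"]),
                "home": pw["home"], "shell": pw["shell"],
                "expires": expires, "groups": member_of}
    return authentication, identity


if __name__ == "__main__":
    auth, ident = split_account("alice")
    print("authentication (replaceable by krb):", auth)
    print("identity (needs files or a directory):", ident)
```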