Hi

I need to build a small network soon. I want to use OpenBSD for that, but I'll need some ideas about one major thing: user authentication and information.

The network will have a LAN and a DMZ. I would like all servers and workstations to authenticate to the same user base. I thought about NIS, but it really is a no-go on the DMZ because of the security and flood, and I don't even speak about letting everything pass between DMZ and LAN (since NIS opens random ports).

What do you guys do for centralizing user authentication under those kinds of setups?

Some people already told me to use rdist/rsync/cfengine, but I don't like the idea of having the _same_ master.passwd everywhere. This would mean that the root password will be the same on all servers and can introduce problems like, if the system users are different (like it can happen between OpenBSD releases), or if I create a system user under one server (like the ldap user), it has to be on all too.

Basically, I'm looking for something to deal with users only (passwords and other info such as homedir...).

Right now, my temporary solution would be to use NIS+Kerberos over IPsec, but:

- Kerberos does not work with everything
- IPsec is slow for a LAN
- NIS slave in the DMZ will need to access the master on the LAN

I would appreciate any pointers, ideas, documentation... I still have the time to test different things...

Thanks in advance and Happy New Year.

Regards,
Antoine