
Re: [SAGE] RH directory server or IBM TDS and directory structure in a fairly complex environment



Nathan Hruby wrote:
On Jan 15, 2008 5:50 AM, Erling Ringen Elvsrud <erlingre@xxxxxxxxx> wrote:
Hello list,

I work for a fairly large organization and will probably be involved
in planning, installing and maintaining
an LDAP-based directory service this year. The directory will be
mainly used to authenticate developers and systems administrators that
need to access RH Linux servers (and also maybe HP-UX in the future).
Microsoft AD is used elsewhere in the organization to authenticate
users of Windows based desktop computers. The best solution would
be to use AD to authenticate users of Unix computers as well, but I'm
not sure if it is possible to make that solution work.

Depending on your AD forest and how willing your AD admins are to
working with you, this is a perfectly viable option.  Samba offers the
winbind daemon which can talk to AD, and in AD 2003-r2 they've fixed a
good number of the compatibility issues between windows and
non-windows hosts.  There are also several companies that offer
integration solutions for Unix+AD.

I'll warn against "having another directory" unless you plan to keep
the two in sync.  Multiple identity stores in a large organization
never end up helping.

Here are a few links that may (or may not) be helpful:
- http://www.quest.com/landing/?ID=1025&AdCode=GoogleAdTextADtoUnixLinuxJava06052007
- http://blog.scottlowe.org/2006/08/08/linux-active-directory-and-windows-server-2003-r2-revisited/
- http://gentoo-wiki.com/HOWTO_Active_Directory_with_Samba_and_Winbind

-n
If you're looking at Unix system authentication, rather than just Samba or Apache authentication, there are three main products at this point that will authenticate Linux systems against an AD server, with "full AD membership". They are OpenLDAP <http://www.padl.com>, Quest's Vintela Authentication Services <http://www.quest.com/Vintela-Authentication-Services> and Centrify DirectControl <http://www.centrify.com/directcontrol/overview.asp>.

Which to choose depends on the size of your organisation (number of computers, number of user accounts, how intensively you use Unix groups and/or netgroups), what kind of support your organisation requires, and, of course - your budget.

The advantages of going this route include full AD access/integration and better AD security - you don't have to expose your AD infrastructure to an untrusted 'guest' account.

The downside (for some people) - you have to manage your Unix accounts in AD. I actually considered this to be a plus because it meant that I could foist off the managing of the accounts to another team. :-)


- Richard
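Added example, not posted by anyone in this thread: a Samba smb.conf for the winbind-based AD membership Nathan describes, consuming the RFC2307 uidNumber/gidNumber attributes that Windows Server 2003 R2 added (the compatibility improvement his reply alludes to), and authenticating to AD with the host's own machine account rather than the shared 'guest' bind account Richard warns about. The realm EXAMPLE.COM, the NetBIOS domain EXAMPLE, the group name linux-admins and the ID ranges are placeholder assumptions; the directives themselves are standard Samba 3.x/4.x options.

```ini
# /etc/samba/smb.conf  (constructed example, not from the thread)
# Join a RHEL host to AD with winbind; identity data comes from AD's
# RFC2307 attributes so UIDs/GIDs are identical on every joined host.
[global]
    workgroup = EXAMPLE                 ; placeholder NetBIOS domain
    realm = EXAMPLE.COM                 ; placeholder Kerberos realm
    security = ads

    ; Use the machine-account keytab written by 'net ads join'.
    ; Nothing here stores a user or service bind password.
    kerberos method = secrets and keytab

    ; Default/fallback backend for SIDs outside the domain (BUILTIN etc.).
    idmap config * : backend = tdb
    idmap config * : range = 3000000-3999999

    ; Domain users/groups: read uidNumber/gidNumber straight from AD
    ; instead of allocating them locally per host.
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : schema_mode = rfc2307
    idmap config EXAMPLE : range = 10000-999999
    winbind nss info = rfc2307

    ; Log in as 'jdoe', not 'EXAMPLE\jdoe'; keep Kerberos tickets fresh
    ; so long-running sessions keep working against AD resources.
    winbind use default domain = yes
    winbind refresh tickets = yes

    ; Enumeration of a large AD is expensive and unnecessary for auth.
    winbind enum users = no
    winbind enum groups = no

    ; Used only when an AD entry lacks loginShell/unixHomeDirectory.
    template shell = /bin/bash
    template homedir = /home/%U

    ; This host is an auth client, not a file server.
    load printers = no
    disable spoolss = yes
```

To put it to use, join with an AD account that has rights to create the computer object (`net ads join -U <join-account>`), start winbind, add `winbind` after `files` on the `passwd:` and `group:` lines of /etc/nsswitch.conf, and verify with `wbinfo -t` (machine trust) and `getent passwd <aduser>`. The check most worth adding on servers that only developers and administrators should reach is in /etc/security/pam_winbind.conf: `require_membership_of = EXAMPLE\linux-admins` limits logins to one AD group, so the rest of the forest's users exist in NSS but cannot authenticate to the box.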