Looking for a centralized password setup for UNIX and Linux
derekbarrett@gmail.com 2007-06-20, 7:29 pm
Hi everybody,
I wanted to get everybody's feedback regarding centralized password
management. Our environment has grown from a few admins to many. We
have gone from a Solaris shop to one that includes lots of Solaris and
Linux. We were using manual password changes per box, then moved to
shell scripting. However we have outgrown this as our passwords are
now often out of sync, as different admins are changing passwords at
different times, and new servers are being added frequently, and are
in different stages of development, etc. On top of this is meeting
Sarbanes-Oxley rules.
We are looking at a centralized tool that is straightforward to
update, that can push out passwords across all the environments.
Some suggestions so far have been: LDAP, NIS, Kerberos, and Active
Directory plugins (not really liking the AD suggestion).
Concerns:
1) We don't want to get in a situation where if the password
management server has become unavailable, users are not able to log in.
2) We want something that's straightforward to update and isn't
married to one particular admin's knowledge of language (like Perl,
etc).
Thanks for anybody's feedback
Michael Vilain 2007-06-21, 7:23 am
In article <1182364390.331963.63080@d30g2000prg.googlegroups.com>,
derekbarrett@gmail.com wrote:
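The original poster's symptom is passwords drifting out of sync across boxes that were updated by hand or by per-admin scripts. The script below is an added example, not something from the thread: it audits one account across a set of `/etc/shadow` copies that an admin has already collected into a staging directory (one file per host; the hostnames, hashes and directory layout are constructed for the example). Comparing the hash field only detects drift when the same salted hash was pushed to every host; when each host ran `passwd` itself the salts differ, so the script also compares the `lastchg` field (days since the epoch) to find hosts that missed the most recent rotation.

```shell
#!/bin/sh
# Added example, not code from the thread: find hosts whose copy of an
# account's password is out of sync. Assumed layout: $DIR/<hostname> holds
# that host's /etc/shadow, collected beforehand (e.g. by scp) by an admin.
# Comparing the hash field only works when the same salted hash was pushed
# to every box; when each box ran passwd itself the salts differ, so the
# lastchg field (days since the epoch) is the better drift indicator.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/shadow"

# Constructed sample: three hosts, root in sync, oracle stale on sol02.
cat > "$WORK/shadow/sol01" <<'EOF'
root:$6$saltA$CONSTRUCTED-HASH-A:13700:0:99999:7:::
oracle:$6$saltB$CONSTRUCTED-HASH-B:13700:0:99999:7:::
EOF
cat > "$WORK/shadow/sol02" <<'EOF'
root:$6$saltA$CONSTRUCTED-HASH-A:13700:0:99999:7:::
oracle:$6$saltC$CONSTRUCTED-HASH-C:13690:0:99999:7:::
EOF
cat > "$WORK/shadow/lnx01" <<'EOF'
root:$6$saltA$CONSTRUCTED-HASH-A:13700:0:99999:7:::
oracle:$6$saltB$CONSTRUCTED-HASH-B:13700:0:99999:7:::
EOF

# Print "<field> <host>" for ACCOUNT in every shadow copy under DIR; FIELD is
# the shadow column number (2 = hash, 3 = lastchg).
shadow_field() {
    account=$1; dir=$2; field=$3
    for f in "$dir"/*; do
        awk -F: -v a="$account" -v h="$(basename "$f")" -v c="$field" \
            '$1 == a { print $c, h }' "$f"
    done
}

# Number of distinct hash values for ACCOUNT across DIR; 1 means in sync.
distinct_hash_count() {
    shadow_field "$1" "$2" 2 | awk '{ print $1 }' | sort -u | wc -l | tr -d ' '
}

# Hosts whose lastchg is older than the newest one seen for ACCOUNT, i.e.
# hosts that missed the most recent rotation, oldest first.
stale_hosts() {
    shadow_field "$1" "$2" 3 | sort -n |
        awk '{ d[NR] = $1; h[NR] = $2 }
             END { for (i = 1; i <= NR; i++) if (d[i] < d[NR]) print h[i] }'
}

# Human-readable report: each hash value with the hosts that carry it,
# followed by the distinct-hash count and the hosts behind on lastchg.
report() {
    echo "== $1 =="
    shadow_field "$1" "$2" 2 | sort |
        awk '{ hosts[$1] = hosts[$1] " " $2 } END { for (k in hosts) print k ":" hosts[k] }'
    echo "distinct hashes: $(distinct_hash_count "$1" "$2")"
    echo "stale hosts: $(stale_hosts "$1" "$2" | tr '\n' ' ')"
}

report root   "$WORK/shadow"
report oracle "$WORK/shadow"
```

Run against real collected copies, a `distinct hashes` count above 1 for an account that is supposed to share one pushed hash, or any host in `stale hosts`, is the drift the original poster describes; the report is also the kind of evidence an auditor asks for when checking that a rotation actually reached every server.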
> Hi everybody,
>
> I wanted to get everybody's feedback regarding centralized password
> management. Our environment has grown from a few admins to many. We
> have gone from a Solaris shop to one that includes lots of Solaris and
> Linux. We were using manual password changes per box, then moved to
> shell scripting. However we have outgrown this as our passwords are
> now often out of sync, as different admins are changing passwords at
> different times, and new servers are being added frequently, and are
> in different stages of development, etc. On top of this is meeting
> Sarbanes-Oxley rules.
>
> We are looking at a centralized tool that is straightforward to
> update, that can push out passwords across all the environments.
>
> Some suggestions so far have been: LDAP, NIS, Kerberos, and Active
> Directory plugins (not really liking the AD suggestion).
>
> Concerns:
First off, how many machines are you talking about right now? How many
in 6 months? 1 year? 2 years?
What level of "granularity" do you need for authentication? Do you have
specialized environments that define groups of users? How do you keep
the accounting/finance systems truly private? What type of logging do
you do and how do you keep those logs? Backups? Disaster recovery?
I'm no SOX specialist (before my time), but you really have two issues
here: following the SOX rules, and setting up an authentication
mechanism that complies with it. You may want to hire a SOX specialist
to give you advice or send someone to training. Auditability is
something that may be an issue. Solaris has auditing features that work
with SOX. Don't know about Linux. Would you convert to Solaris x86 to
comply with SOX auditing requirements?
>
> 1) We don't want to get in a situation where if the password
> management server has become unavailable, users are not able to log in.
How critical is this requirement? No, really (as in "show me the
money")? This requirement puts this project into a whole new playing
field. Is it important enough to stage multiple, redundant servers
throughout the enterprise (say, one on each network segment or every
couple of segments)? They don't have to be big, just a PC running the
same OS as the main authentication server. Just a warning: I've seen
posts from people complaining about a "mixed" environment (Linux and a
commercial UNIX vendor). It may be best to go with all Solaris NIS or
LDAP servers.
NIS can have multiple slave servers scattered across network segments.
NIS has been around a long time and is fairly easy to set up. Don't even
think about NIS+. Sun doesn't even use it any more, AFAIK. Don't know
about auditing changes to the various maps and how well it plays with
Linux clients. Some Linux kernels' NFS was just plain broken. Using
Solaris for NFS servers with Linux clients seemed to be OK. How well
will Linux clients audit changes to NFS-mounted files if that's
required by SOX?
LDAP is a long-term project (think 6 months to a year). At my last
contract we only had a single LDAP server with no mirror and I don't
know much about it. You may end up sending someone to class on this or
hiring someone to help with LDAP if you go this route.
>
> 2) We want something that's straightforward to update and isn't
> married to one particular admin's knowledge of language (like Perl,
> etc).
>
> Thanks for anybody's feedback
Rolling your own is going to be tricky and it will require maintenance
from development to decommissioning. I don't know how well staffed you
are or your implementation timeline. I wouldn't expect this to be a
quick and easy thing, as you have some fairly high-level decisions to
make. SOX adds to this issue. Find some SOX help FAST.
Any way you slice it, to me this is looking like a 6-12 month project.
But that won't stop the PHBs from saying "you have 2 months to
production when the auditors get here". In that case, you gotta ask the
question "Gotta life?", 'cause you won't for a while...
--
DeeDee, don't press that button! DeeDee! NO! Dee...
devonab@gmail.com 2007-07-01, 1:19 pm
On Jun 20, 2:33 pm, derekbarr...@gmail.com wrote:
> Hi everybody,
>
> I wanted to get everybody's feedback regarding centralized password
> management. Our environment has grown from a few admins to many. We
> have gone from a Solaris shop to one that includes lots of Solaris and
> Linux. We were using manual password changes per box, then moved to
> shell scripting. However we have outgrown this as our passwords are
> now often out of sync, as different admins are changing passwords at
> different times, and new servers are being added frequently, and are
> in different stages of development, etc. On top of this is meeting
> Sarbanes-Oxley rules.
>
> We are looking at a centralized tool that is straightforward to
> update, that can push out passwords across all the environments.
>
> Some suggestions so far have been: LDAP, NIS, Kerberos, and Active
> Directory plugins (not really liking the AD suggestion).
>
> Concerns:
>
> 1) We don't want to get in a situation where if the password
> management server has become unavailable, users are not able to log in.
>
> 2) We want something that's straightforward to update and isn't
> married to one particular admin's knowledge of language (like Perl,
> etc).
>
> Thanks for anybody's feedback
I personally like the LDAP solution. You can run the Sun LDAP server
(actually bundled with Solaris 10) in a multi-master configuration (up
to 4 nodes, I think) to address your availability concerns. Linux also
supports LDAP authentication and integrates nicely with the Solaris
config. Sun has some decent blueprint articles on their website
covering how to set up LDAP naming services.
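Both replies above land on the same point about concern 1: the directory must be replicated (NIS slaves or LDAP multi-master), and the clients must be configured so that a dead server does not lock everyone out. The script below is an added example, not code from the thread or from Sun: it lints a client-side configuration for the three properties that decide whether that failure mode bites. It assumes the nsswitch.conf "database: source source" format and the PADL nss_ldap `/etc/ldap.conf` keys (`uri`, `bind_policy`, `bind_timelimit`, `timelimit`); Solaris's native ldapclient uses different key names, and the server names and file contents are constructed for the example. The weak configuration has LDAP as the only source, one server, and the default hard bind policy, which is exactly what makes a box unreachable even for root when the directory is down; the hardened one answers local files first, lists two replicas, and gives up on a dead server after a few seconds.

```shell
#!/bin/sh
# Added example, not from the thread: lint an LDAP client configuration for
# the "auth server down means nobody can log in" failure mode. Assumptions:
# nsswitch.conf uses "db: source source" lines and the LDAP client file uses
# the PADL nss_ldap /etc/ldap.conf keys (uri, bind_policy, bind_timelimit);
# Solaris's native ldapclient uses different key names.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Weak setup (constructed): LDAP is the only source, one server, hard bind
# policy, so lookups hang and even root cannot log in when the server is down.
cat > "$WORK/nsswitch.weak" <<'EOF'
passwd: ldap
shadow: ldap
group:  ldap
EOF
cat > "$WORK/ldap.weak" <<'EOF'
base dc=example,dc=com
uri ldap://ldap1.example.com/
bind_policy hard
EOF

# Hardened setup (constructed): local files answer first, so root and any
# break-glass account keep working; two replicas are listed; a dead server
# is abandoned after 5 seconds instead of being retried forever.
cat > "$WORK/nsswitch.good" <<'EOF'
passwd: files ldap
shadow: files ldap
group:  files ldap
EOF
cat > "$WORK/ldap.good" <<'EOF'
base dc=example,dc=com
uri ldap://ldap1.example.com/ ldap://ldap2.example.com/
bind_policy soft
bind_timelimit 5
timelimit 10
EOF

# Exit 0 only if passwd, shadow and group each list "files" before "ldap".
files_before_ldap() {
    awk '$1 == "passwd:" || $1 == "shadow:" || $1 == "group:" {
             fi = 0; li = 0
             for (i = 2; i <= NF; i++) {
                 if ($i == "files" && !fi) fi = i
                 if ($i == "ldap"  && !li) li = i
             }
             if (!fi || (li && li < fi)) bad = 1
         }
         END { if (bad) exit 1; exit 0 }' "$1"
}

# Exit 0 only if the uri lines name at least two distinct servers.
multiple_ldap_servers() {
    n=$(awk '$1 == "uri" { for (i = 2; i <= NF; i++) print $i }' "$1" | sort -u | wc -l | tr -d ' ')
    [ "$n" -ge 2 ]
}

# Exit 0 only if the client gives up on a dead server instead of hanging.
soft_bind_policy() {
    awk '$1 == "bind_policy" && $2 == "soft" { p = 1 }
         $1 == "bind_timelimit" && $2 > 0     { t = 1 }
         END { if (p && t) exit 0; exit 1 }' "$1"
}

# Run every check on NSSWITCH and LDAPCONF; print each failure and return
# the number of checks that failed (0 means the configuration passed).
check_client_config() {
    fails=0
    files_before_ldap "$1"     || { echo "FAIL: $1: local files must come before ldap"; fails=$((fails + 1)); }
    multiple_ldap_servers "$2" || { echo "FAIL: $2: list at least two LDAP servers"; fails=$((fails + 1)); }
    soft_bind_policy "$2"      || { echo "FAIL: $2: use bind_policy soft with a bind_timelimit"; fails=$((fails + 1)); }
    return $fails
}

check_client_config "$WORK/nsswitch.weak" "$WORK/ldap.weak" || echo "weak config: $? check(s) failed"
check_client_config "$WORK/nsswitch.good" "$WORK/ldap.good" && echo "hardened config: all checks passed"
```

The same three questions apply to a NIS deployment in different clothes: is there a local `files` entry ahead of `nis` for the accounts that must always work, does `ypbind` know about more than one server, and does a lost server time out rather than hang. Running a check like this from the configuration-push script is also a cheap way to keep newly added servers, which the original poster says arrive frequently, from going into production with the weak settings.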
derekbarrett@gmail.com 2007-07-03, 1:20 am
> I personally like the LDAP solution. You can run the Sun LDAP server
> (actually bundled with Solaris 10) in a multi-master configuration (up
> to 4 nodes, I think) to address your availability concerns. Linux also
> supports LDAP authentication and integrates nicely with the Solaris
> config. Sun has some decent blueprint articles on their website
> covering how to set up LDAP naming services.
I got a lot of responses, both public and private, on this one. It's
very much appreciated. We are leaning towards LDAP, either OpenLDAP or
the Sun bundled one.
Thanks!