[ale] Mixed environments, central authentication, and central user management?

Damon L. Chesser damon at damtek.com
Thu Oct 30 22:04:29 EDT 2014


On 10/30/2014 11:09 AM, Lightner, Jeff wrote:
>
> I haven’t used it myself but if I were going in this direction I’d 
> probably engage Centrify.    They did presentations at both AUUG and 
> ALE and most of the folks at both those presentations seemed to think 
> it was a good solution.
>
> http://www.centrify.com
>
> Of course that’s a commercial solution but you’re paying for RHEL & 
> Windows anyway.   Their web site shows a TryIt/BuyIt for a 30 day eval.
>
> If not going commercial I’d probably investigate Samba for the Linux 
> side of things.
>

I for one do not like Centrify.  We use it.  It replaces ssh and at 
least ssl with its own packages.  Downside:  no one can use a "console" 
such as single user mode because you are not up and networked.  At least 
we can't the way we are set up.  Most unsatisfying.  Aside from that, 
Centrify does work.  We ran into one app that the web authentication 
would not work with the swapped out libs/packages.  Just one.  RH IDM is 
a fraction of the cost (for us).  Check with your RH rep, you may have 
access to IDM by virtue of the RHEL subscriptions, again, we do.  Not 
that that stopped us from deploying the hated Centrify.  Windows weenies 
trying to solve a Linux problem.
>
> From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of 
> James Sumners
> Sent: Thursday, October 30, 2014 10:48 AM
> To: Atlanta Linux Enthusiasts - Yes! We run Linux!
> Subject: [ale] Mixed environments, central authentication, and 
> central user management?
>
> I administer RHEL systems in an environment that is primarily managed 
> by a Windows domain. That is, Active Directory (AD) controls 
> usernames, passwords, and all that jazz. I have my RHEL systems 
> _authenticating_ against AD but that's it. I don't pull user ids, 
> group ids, shells, group memberships, or anything else out of AD. I'm 
> at the point where I want to move in that direction, though. And 
> that's where I'd like some input from the list...
>
> I can work with the AD administrator to get whatever attributes added 
> that I need to make such a scenario work. But I wonder if that's worth 
> it. Would it be better to set up a vanilla LDAP server specifically 
> to manage the RHEL users? If I did that, would I be able to pass the 
> authentication along to the AD server but get the details out of the 
> LDAP server? Or should I set up a Kerberos server that communicates 
> with AD in addition to the LDAP server?
>
> What are you guys' experiences in this regard? How did you solve this 
> problem?
>
> -- 
> James Sumners
> http://james.roomfullofmirrors.com/
>
> "All governments suffer a recurring problem: Power attracts 
> pathological personalities. It is not that power corrupts but that it 
> is magnetic to the corruptible. Such people have a tendency to become 
> drunk on violence, a condition to which they are quickly addicted."
>
> Missionaria Protectiva, Text QIV (decto)
> CH:D 59

-- 
Damon at damtek.com
404-271-8699
