Tone Montone on 25 Aug 2016 10:07:28 -0700



Re: [PLUG] Questions regarding LDAP and AD


Chris,

   Yes, there is an existing domain.  However, not all systems are in it, only Solaris systems appear to work.  Not sure why, I didn't do the implementation.  However, the current system is very old. I think it's an old Sun Netscape Directory Server... it uses an old cert8db database for storing CA certs, and it comes up on a lot of security scans and is no longer patchable.  :)


Thanks,

Mike

On Thu, Aug 25, 2016 at 12:44 PM, Chris Norton <chris@nortoninc.info> wrote:

This is a helluva question. I look forward to the discussion on this.

Is there an existing domain?


On Aug 25, 2016 12:38 PM, "Tone Montone" <tonemontone@gmail.com> wrote:
Hello,

I have an implementation question regarding LDAP and AD. 

I am looking for advice on a path forward for managing user accounts across about 500 Unix systems, which are comprised of a mixture of RHEL 5 and 6, and Solaris 10 and 11. There is also some OEL, which is basically RHEL 5, and some Suse sprinkled in. Currently, we are using local accounts, and I would like to move to a more streamlined/centralized method.

I need a solution that has a support package tied to it, as it's for a government installation and that is a mandatory requirement.

I was thinking about using Red Hat Directory Server, which is basically 389-DS. The AD server would do a one-way sync to the DS, and all the Unix systems would then point to the DS. However, I read that in some instances you can have systems point directly to AD servers and get their authentication directly from the AD, so you don't need an LDAP intermediate server, but I am not sure it will work for all systems/OSes. E.g. I read that you could use RHEL's IdM (Identity Manager) on RHEL 6, but I don't think this will work on RHEL 5.

I also thought about using LDAP for sudoers file management, as well as storing ssh public keys.

I installed 389-DS to do some testing, and I am also looking at FreeIPA because it provides Kerberos, as well as Samba.

Any advice or experience anyone would like to share would be greatly appreciated.

Thanks,

Mike

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug




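Mike's message mentions keeping sudo rules and SSH public keys in the directory alongside the accounts. The following is an added example, not code from this thread, from 389-DS/RHDS, or from sudo/OpenSSH. It reads an LDIF export (a constructed sample; the DNs, hostnames and key material are placeholders) using the attribute names of sudo's own LDAP schema (`sudoRole`, `sudoUser`, `sudoHost`, `sudoCommand`, `sudoOption`) and the openssh-lpk schema (`ldapPublicKey` / `sshPublicKey`), renders the sudo rules that apply to one host, prints the well-formed keys for one account the way an `AuthorizedKeysCommand` helper would, and flags the rules a reviewer would want to look at before trusting the directory with this data. The hostname wildcard handling and the `!authenticate` to `NOPASSWD:` mapping follow sudo's documented sudoers.ldap behaviour; the audit thresholds are this example's own choice.

```python
"""Added example: parse LDIF exported from an LDAP directory and render
sudoers rules and authorized_keys entries from it, with a small audit.
All directory content below is constructed sample data."""
import base64
import binascii
import fnmatch
from collections import defaultdict

ALLOWED_KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}

# Build a syntactically valid (but meaningless) ed25519 public key:
# an SSH key blob is a length-prefixed type string followed by the key bytes.
_ED25519_BLOB = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(range(32))
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(_ED25519_BLOB).decode() + " mike@ws"

SAMPLE_LDIF = """\
dn: uid=mike,ou=People,dc=example,dc=gov
objectClass: posixAccount
objectClass: ldapPublicKey
uid: mike
sshPublicKey: """ + SAMPLE_KEY + """
sshPublicKey: not-a-key junk
sshPublicKey: command="/bin/true" """ + SAMPLE_KEY + """

dn: cn=admins,ou=SUDOers,dc=example,dc=gov
objectClass: sudoRole
cn: admins
sudoUser: %unixadmins
sudoHost: ALL
sudoCommand: ALL

dn: cn=webops,ou=SUDOers,dc=example,dc=gov
objectClass: sudoRole
cn: webops
sudoUser: mike
sudoHost: web*.example.gov
sudoCommand: /sbin/service httpd restart
sudoCommand: /sbin/service httpd status
sudoOption: !authenticate
"""


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, multi-valued
    attributes kept in order, leading-space continuation lines folded.
    Base64 ('::') values are not handled. Attribute names are lower-cased."""
    entries, attrs, last = [], None, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if attrs:
                entries.append(attrs)
            attrs, last = None, None
            continue
        if raw.startswith(" ") and last is not None:  # folded line
            attrs[last][-1] += raw[1:]
            continue
        key, sep, value = raw.partition(":")
        if not sep:
            continue  # not an attribute line; ignore
        if attrs is None:
            attrs = defaultdict(list)
        last = key.strip().lower()
        attrs[last].append(value.strip())
    if attrs:
        entries.append(attrs)
    return entries


def is_sudo_role(entry):
    return "sudorole" in [v.lower() for v in entry.get("objectclass", [])]


def valid_ssh_key(value):
    """Accept only 'type base64 [comment]' where the blob decodes and the type
    string inside it matches the declared type. Junk values and lines carrying
    authorized_keys options ('command=...') are rejected rather than honoured."""
    parts = value.split()
    if len(parts) < 2 or parts[0] not in ALLOWED_KEY_TYPES:
        return False
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except (binascii.Error, ValueError):
        return False
    if len(blob) < 4:
        return False
    n = int.from_bytes(blob[:4], "big")
    return blob[4:4 + n] == parts[0].encode()


def authorized_keys_for(entries, uid):
    """Keys for one account, as an sshd AuthorizedKeysCommand helper would print them."""
    keys = []
    for e in entries:
        if e.get("uid") == [uid]:
            keys.extend(k for k in e.get("sshpublickey", []) if valid_ssh_key(k))
    return keys


def sudoers_for_host(entries, hostname):
    """Render the sudoRole entries that apply to 'hostname' as sudoers lines.
    sudoHost matches 'ALL', an exact name, or a shell-style wildcard, and
    sudoOption '!authenticate' becomes the NOPASSWD: tag."""
    lines = []
    for e in entries:
        if not is_sudo_role(e):
            continue
        hosts = e.get("sudohost", [])
        if not any(h == "ALL" or fnmatch.fnmatchcase(hostname, h) for h in hosts):
            continue
        tag = "NOPASSWD: " if "!authenticate" in e.get("sudooption", []) else ""
        cmds = ", ".join(e.get("sudocommand", []))
        for user in e.get("sudouser", []):
            lines.append(f"{user} {hostname} = {tag}{cmds}")
    return lines


def audit_sudo_roles(entries):
    """Reviewer's check: roles granting every command on every host, and
    roles that switch off the password prompt."""
    findings = []
    for e in entries:
        if not is_sudo_role(e):
            continue
        name = e.get("cn", ["?"])[0]
        if "ALL" in e.get("sudohost", []) and "ALL" in e.get("sudocommand", []):
            findings.append(f"{name}: ALL commands on ALL hosts")
        if "!authenticate" in e.get("sudooption", []):
            findings.append(f"{name}: password prompt disabled (!authenticate)")
    return findings


if __name__ == "__main__":
    ents = parse_ldif(SAMPLE_LDIF)
    print("\n".join(authorized_keys_for(ents, "mike")))
    print("\n".join(sudoers_for_host(ents, "web01.example.gov")))
    print("\n".join(audit_sudo_roles(ents)))
```

In a real deployment the LDIF text would come from `ldapsearch` against the directory rather than a string constant, and the key-lookup path would be wired into sshd through `AuthorizedKeysCommand` with its own unprivileged `AuthorizedKeysCommandUser`; the point of the validation and audit functions is that the directory becomes an authorization source, so its contents deserve the same review a sudoers file or an authorized_keys file would get.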