[Infrastructures] user management (mixing afs,ldap,kerberos)
Carlson, Scott
Scott.Carlson@schwab.com
Thu, 10 Mar 2005 07:47:56 -0800
> My biggest stumbling block is determining the best way to integrate this
> all into an existing Microsoft Active Directory framework. The University
> has a deployed Microsoft AD, and so it would be silly to not use it. I've
> managed to get some LDAP and Krb5 going against it, but my experimentation is
> just beginning on that front. I believe it might boil down to adding
> Services for Unix to it to extend the schema.
> Has anybody got any experience in this area? Can you replicate AD into an
> OpenLDAP, or do you just work directly against AD? Do you put your system
> users (http, oracle, etc) in AD or have some sort of hierarchy approach
> where AD feeds OpenLDAP and only OpenLDAP knows about those things?
> Insight on this would be great.
We're in the process of rolling out Vintela VAS (http://www.vintela.com) to
our Unix environment (~1500 active unix hosts) and have had good success at
integrating the unix hosts into our active directory. The vendor has
been _very_ responsive to our issues with the product and has rolled out
a number of specific patches to meet our identified problems. It isn't free
though. I'm not sure what the list or educational price is, but $100/server
sounds right, with workstations with < 5 people free.
A few years ago, we had recommended going with OpenLDAP, but our legal
department had some problem with the language in the modules we wanted to
use, so they shot it down. Now that this is a vendor supported product,
there are no issues there. Also, Microsoft is a primary shareholder, or
investor, or something, so they have good backing.
Basically, we're implementing this to solve our user administration
problem because VAS implements itself as a PAM (NSS) Module. Any user
that logs into our system will use their AD login id and password.
We'll still manage applications locally on the box and will not put
system/application accounts into the active directory. We have a number
of applications (like IBM DB2) that rely on existence in the local
password file to grant permissions in database tables, and we'll also
look into making sure that my AD enabled username works just like a
local password entry. (It's all just a call to getpwent after all....
Probably....)
We'll also use the Active Directory resource group concept to manage who
is allowed to log in to various servers, which makes my auditors VERY
happy.
Basically, we'll manage that as follows
A) Install VAS on a Unix server and create a Unix server object within
the active Directory (server1)
B) Create a Resource Group with the name of that server (res_server1)
C) Create sub-groups for application ownership (res_myapp)
D) Assign individual people and sub-groups into the server resource
group (scott.carlson and res_myapp become members of res_server1)
E) On the VAS server, modify users.allow to allow res_server1 _ONLY_ to
log in.
Ultimately, the only people who are allowed to log in interactively to
server1 are scott.carlson and the members of res_myapp.
After all of this, my Active Directory Admins can administrate access
for users into my unix environment. That will take away the management
of my 8 NIS domains, management of local password files for local users,
and actually force people to comply with our corporate password
standards for quality and aging.
We're also looking to integrate the 'vasypserv' daemon on the boxes and
create NIS objects within the active directory so that we can automount
home directories for the users to NAS filers. As I understand it, that
basically works as follows
A) User Logs in and 'vascd' downloads the user's information from the
AD, including home directory
B) Unix attempts to change to the user's 'home directory'
C) the 'nis' entry for automount within the nsswitch.conf tells unix to
go look in NIS.
D) A NIS domain call equal to 'our active directory domain' is
intercepted by 'vasypsrv' which then passes the query to 'vascd' and
thus to the active directory for the contents of the NIS LDAP object
"auto.master and auto.home".
E) automount gets what it wants and mounts /home/username to
nasfiler:/path/to/home/username
Looks like it will work out pretty slick in the end, and again, we don't
need to manage local auto.home and auto.master files for over 1000
different configurations.... And.... My non-unix-admin Active Directory
administrators can manage it for me, as well as could my provisioning
tool that one group is building.
I really wish that I could use a Unix DFS client to map against my windows
AD managed DFS Tree (us\home\scott.carlson really maps to
netappfiler6.somedomain:/some/huge/sub/tree/there).
We decided to get rid of our AFS infrastructure, mainly because it was
overkill for what we need. We're currently relying on an unsupported
version of IBM AFS and never did get enough people interested to do an
OpenAFS migration. Our AFS infrastructure has been rock solid for about 6
years, but it's sorely unmaintained. Also, with approximately 2400 people
who need a 'shell equivalent' account here, trying to manage that in AFS
isn't quite what my engineering team signed up for. Automounting NFS
probably will be the best bet in the end since no more than 10 people would
ever log in concurrently to a single machine.
Scott Carlson
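The resource-group login control described in steps A) to E) above, as an added illustration that is not part of Scott's post and not VAS's own code: a small model of how a users.allow entry naming a group (res_server1) has to be evaluated against nested AD group membership before a login is granted. The directory contents, the one-entry-per-line allow-list format, and the group names beyond those in the post are constructed assumptions; the point it shows is that an allow list naming one group effectively admits every user reachable through sub-groups, including through cycles, so the membership of those sub-groups is what an auditor ultimately has to review.

```python
"""Model of the resource-group login check described in the post.

Constructed data: an AD-like directory of groups and a users.allow list.
This is an added example, not VAS's real implementation; the allow-list
file format is an assumption.
"""
from collections import deque

# Constructed AD group tree: group name -> members (users or other groups).
# res_dba deliberately refers back to res_myapp to show cycle handling.
AD_GROUPS = {
    "res_server1": {"scott.carlson", "res_myapp"},
    "res_myapp": {"alice", "bob", "res_dba"},
    "res_dba": {"carol", "res_myapp"},
    "res_server2": {"dave"},
}


def transitive_members(group, groups=AD_GROUPS):
    """Return every user reachable through nested group membership."""
    seen = set()
    users = set()
    queue = deque([group])
    while queue:
        g = queue.popleft()
        if g in seen:          # cycle or repeated nesting: skip
            continue
        seen.add(g)
        for member in groups.get(g, ()):
            if member in groups:
                queue.append(member)   # nested group: expand later
            else:
                users.add(member)      # leaf entry: a user
    return users


def parse_users_allow(text):
    """Parse an allow list: one entry per line, '#' comments, blanks ignored."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(line)
    return entries


def login_allowed(user, allow_entries, groups=AD_GROUPS):
    """True if the user is listed directly or is a (nested) member of a
    listed group; an empty allow list denies everyone."""
    for entry in allow_entries:
        if entry == user:
            return True
        if entry in groups and user in transitive_members(entry, groups):
            return True
    return False


# Constructed users.allow for server1: only the server's resource group.
USERS_ALLOW = """
# server1: interactive login restricted to the server resource group
res_server1
"""

if __name__ == "__main__":
    allow = parse_users_allow(USERS_ALLOW)
    for u in ["scott.carlson", "alice", "carol", "dave", "nobody"]:
        print(f"{u:15} {'allowed' if login_allowed(u, allow) else 'denied'}")
```

Running it shows scott.carlson (direct member), alice (via res_myapp) and carol (via res_myapp then res_dba) allowed on server1, while dave (member of res_server2 only) and an unknown user are denied; the effective login population is the transitive closure of res_server1, not just its direct members.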