[Infrastructures] user management (mixing afs,ldap,kerberos)
Mike
mikee@mikee.ath.cx
Thu, 10 Mar 2005 10:21:03 -0600
On Thu, 10 Mar 2005, Carlson, Scott might have said:
> > My biggest stumbling block is determining the best way to integrate this
> > all into an existing Microsoft Active Directory framework. The University
> > has a deployed Microsoft AD, and so it would be silly to not use it. I've
> > managed to get some LDAP and Krb5 going against it, but my experimentation is
> > just beginning on that front. I believe it might boil down to adding
> > Services for Unix to it to extend the schema.
>
> > Has anybody got any experience in this area? Can you replicate AD into an
> > OpenLDAP, or do you just work directly against AD? Do you put your system
> > users (http, oracle, etc) in AD or have some sort of hierarchy approach
> > where AD feeds OpenLDAP and only OpenLDAP knows about those things?
>
> > Insight on this would be great.
>
>
> We're in the process of rolling out Vintela VAS (http://www.vintela.com) to
> our Unix environment
> (~1500 active unix hosts) and have had good success at
> integrating the unix hosts into our active directory. The vendor has
> been _very_ responsive to our issues with the product and has rolled out
> a number of specific patches to meet our identified problems. It isn't free
> though. I'm not sure what the list or educational price is, but $100/server
> sounds right, with workstations with < 5 people free.
>
> A few years ago, we had recommended going with OpenLDAP, but our legal
> department had some problem with the language in the modules we wanted to
> use, so they shot it down. Now that this is a vendor supported product,
> there are no issues there. Also, Microsoft is a primary shareholder, or
> investor, or something, so they have good backing.
>
> Basically, we're implementing this to solve our user administration
> problem because VAS implements itself as a PAM (NSS) Module. Any user
> that logs into our system will use their AD login id and password.
> We'll still manage applications locally on the box and will not put
> system/application accounts into the active directory. We have a number
> of applications (like IBM DB2) that rely on existence in the local
> password file to grant permissions in database tables, and we'll also
> look into making sure that my AD enabled username works just like a
> local password entry. (It's all just a call to getpwent after all....
> Probably....)
>
> We'll also use the Active Directory resource group concept to manage who
> is allowed to log in to various servers, which makes my auditors VERY
> happy.
>
> Basically, we'll manage that as follows
>
> A) Install VAS on a Unix server and create a Unix server object within
> the active Directory (server1)
> B) Create a Resource Group with the name of that server (res_server1)
> C) Create sub-groups for application ownership (res_myapp)
> D) Assign individual people and sub-groups into the server resource
> group
> (scott.carlson and res_myapp become members of res_server1)
> E) on the VAS server, modify users.allow to allow res_server1 _ONLY_ to
> log in.
>
> Ultimately, the only people who are allowed to log in interactively to
> server1 are scott.carlson and the members of res_myapp.
>
> After all of this, my Active Directory Admins can administrate access
> for users into my unix environment. That will take away the management
> of my 8 NIS domains, management of local password files for local users,
> and actually force people to comply with our corporate password
> standards for quality and aging.
>
> We're also looking to integrate the 'vasypserv' daemon on the boxes and
> create NIS objects within the active directory so that we can automount
> home directories for the users to NAS filers. As I understand it, that
> basically works as follows
>
> A) User Logs in and 'vascd' downloads the user's information from the
> AD, including home directory
> B) Unix attempts to change to the user's 'home directory'
> C) the 'nis' entry for automount within the nsswitch.conf tells unix to
> go look in NIS.
> D) A NIS domain call equal to 'our active directory domain' is
> intercepted by 'vasypsrv' which then passes the query to 'vascd' and
> thus to the active directory for the contents of the NIS LDAP object
> "auto.master and auto.home".
> E) automount gets what it wants and mounts /home/username to
> nasfiler:/path/to/home/username
>
> Looks like it will work out pretty slick in the end, and again, we don't
> need to manage local auto.home and auto.master files for over 1000
> different configurations.... And.... My non-unix-admin Active Directory
> administrators can manage it for me, as well as could my provisioning
> tool that one group is building.
>
> I really wish that I could use a Unix DFS client to map against my windows
> AD managed DFS Tree (us\home\scott.carlson really maps to
> netappfiler6.somedomain:/some/huge/sub/tree/there).
>
> We decided to get rid of our AFS infrastructure, mainly because it was
> overkill for what we need. We're currently relying on an unsupported
> version of IBM AFS and never did get enough people interested to do an
> OpenAFS migration. Our AFS infrastructure has been rock solid for about 6
> years, but it's sorely unmaintained. Also, with approximately 2400 people
> who need a 'shell equivalent' account here, trying to manage that in AFS
> isn't quite what my engineering team signed up for. Automounting NFS
> probably will be the best bet in the end since no more than 10 people would
> ever log in concurrently to a single machine.
>
> Scott Carlson
I just noticed these folks are in Lindon, Utah. Any connection to SCO?
Mike
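The resource-group scheme Scott describes (steps A to E, with res_myapp nested inside res_server1) as an added example that is not from the thread or from the VAS product: it expands nested AD groups, tolerates a membership cycle, and computes the effective interactive-login set a host's users.allow grants, which is what an auditor would ask for. The users.allow line format, group contents and user names are assumptions made for illustration.

```python
from collections import deque

# Constructed sample AD membership (group -> members); a member that is itself
# a key is a nested group, as with res_myapp inside res_server1 in the thread.
AD_GROUPS = {
    "res_server1": {"scott.carlson", "res_myapp"},
    "res_myapp": {"alice", "bob", "res_dba"},
    "res_dba": {"carol", "res_myapp"},  # nested back-reference: a cycle
}

def expand_group(group, groups=AD_GROUPS):
    """Transitive set of users in `group`; a seen-set makes cycles harmless."""
    users, seen, queue = set(), {group}, deque([group])
    while queue:
        for member in groups.get(queue.popleft(), set()):
            if member in groups:  # nested group: walk it once
                if member not in seen:
                    seen.add(member)
                    queue.append(member)
            else:
                users.add(member)
    return users

def parse_users_allow(text):
    """Assumed users.allow format: one user or group per line, '#' comments."""
    lines = (ln.split("#", 1)[0].strip() for ln in text.splitlines())
    return [ln for ln in lines if ln]

def allowed_users(users_allow_text, groups=AD_GROUPS):
    """Effective interactive-login set for a host (what an auditor would ask for)."""
    out = set()
    for entry in parse_users_allow(users_allow_text):
        out |= expand_group(entry, groups) if entry in groups else {entry}
    return out

def may_login(user, users_allow_text, groups=AD_GROUPS):
    """Access decision for one user, direct or via any nested group."""
    return user in allowed_users(users_allow_text, groups)

# Constructed users.allow for server1, step E of the thread: res_server1 only.
SERVER1_USERS_ALLOW = "# interactive logins on server1\nres_server1\n"
```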