Ok guys, put your OS bigotry aside for a moment, and think this through.
All large enterprises inherently have an extensive Active Directory infrastructure to services from simply consolidated management of Windows Servers, to managing the user accounts of your employees on their workstations and shared storage, to providing authentication to VPN and applications. We have all invested heavily on redundancy and security, following Microsoft's guidelines and practises for managing this Enterprise Directory Service.
All large enterprises also have extensive UNIX or Linux implementations in the data centre. Some enterprises are now finding out about the features and functionality that a Apple MAC workstation can bring to the front office. Yes, UNIX Directory Services are also decades old, but to date most UNIX systems are typically managed with their own /etc/passwd: /etc/group user stores. Separate profiles are maintained per server, making provisioning or worse *deprovisioning* a bit of a nightmare.
Imagine the ability to enforce user id synchronization across ALL of your systems, not just Windows! Imagine being able to update a password policy or "Business Use" message across all systems and users... Not just Windows. Imaging having all of your security logging and reporting in one place! Imagine being able to offload "user management" from your UNIX sysadmins!
Active Directory is arguably the most prevalent Network Directory Service on the planet. It has matured significantly over the past 20 some odd years, and provides a more robust and secure Enterprise Directory Service than NIS or raw LDAP.
AD facilitates management of host devices as well as user and service accounts on them. An Active Directory Domain controller can provide DNS/DHCP and NTP time services with simple intuitive GUI interfaces. Business Continuity or Disaster Recovery are inherent in it's redundant replication design. It is extensible, and more importantly had strong provisions for auditing and logging. Active Directory Group Policy management is fully supported for both UNIX hosts and users in most commercial integration suites.
For the past dozen years or so, I have been watching the various vendors in the UNIX space that provide Active Directory integration, and they have all come a long way. They have all taken the burden out of what used to be a very painful, full day exercise, to enroll a UNIX server into AD. They have also made it relatively easy to synchronize users in the UNIX system with their associated Active Directory accounts.
Today, the process of enrolling a UNIX server into Active Directory is as easy as finding the UNIX host in the Management console of your favorite tool (I'll get into the players in this space shortly), validating that the ssh is installed on the HOST, and that you have enough privilege to install the kerberos authentication module, and that the HOST can reach the directory service through the standard MS AD ports.
You then confirm that you want the machine to "join" the domain, and it will automatically be placed into the appropriate OU for UNIX servers in your AD structure. You can then select how you want user accounts to me merged/migrated with Active Directory.
The easiest way is to associate your users' Windows credentials with their user account in UNIX. This simple, guided process is launched the first time a user authenticates to the UNIX platform after enrollment. They will be asked for their UNIX credentials first, then asked to valide that the Active Directory account provided is accurate. They will then be asked to validate their Active Directory credentials. From this point forward, when that user logs into the UNIX machine, they will be authenticating back to the AD store, and all logon/logoff, and password reset functionality will be provided for by the Enterprise Active Directory.
The next step is migrating your UNIX groups into Active Directory. In a similar process, you can migrate entire UNIX groups over to your Active Directory, or alternately find an existing Security Group within Active Directory and merge the two.
Take advantage of the Infrastructure you already own and manage, while reducing your UNIX Identity and Access Management workload.
Here, in no particular order, are the products that will open this rich world of administration bliss:
Coming soon to your favorite blog (This one of course!) Replace your Windows Domain Controllers with CENTOS/SAMBA4 and never look back!
http://www.interopsystems.com/learningcenter/Native_LDAP_native_Kerberos_and_AD_services.htm
Great blog created by you. I read your blog, its best and useful information. You have done a great work. Super blogging and keep it up. Active Directory Migration
ReplyDelete