Stewart, John wrote:
>We've got a bunch of PCs (NT4, 2000, XP) on an NT4 domain (likely to be
>Active Directory at some point soon), some UNIX boxes (Solaris 2.6-9,
>Linux), and various other machines and services that each have their own
>unique user databases.
>
>We'd really like to centralize all of this as much as we can. We'd also like
>to be able to enforce regular password changes (I'm fighting for 180 days,
>the Sarbanes-Oxley auditors may force us to go to something much less - no
>one seems to appreciate the sticky-note-on-monitor problem), as well as
>enforcing "good" passwords, and preventing the re-use of old passwords. Some
>systems have the ability to do some of this individually (NT, UNIX), but
>some have no option at all for enforcing changes.
>
>This all points us towards trying to build something centrally to
>authenticate; we'd love it if we could authenticate as much as possible in
>one place - NT domain, Solaris, Linux, Oracle Applications (ERP), VPN,
>dialin, internal web server, etc...
>
>I'm finding a hard time googling for good resources on the options
>available.
>
>I know when I last worked for the CSL (nearly a *decade* ago... holy crap!),
>Kerberos was fairly newly implemented. Perhaps this is an option (but I recall
>it being somewhat painful to implement at the time, and I'm not sure how
>well it can integrate into all of the various systems we've got).
>
>RADIUS, LDAP, Kerberos, etc... surely there is a best-practices guide
>somewhere on what we can do.
>
>Any suggestions?
>
Pick your flavor of poison, basically. You've got to find the common
denominator, if any, between all the systems, services, and applications
you mention. Oracle, for example, can authenticate against an LDAP
database if it's recent enough. RADIUS front ends to LDAP are feasible
for the network devices that don't grok LDAP directly. Question is then
where do you host the central admin stuff for LDAP? You mention going
to AD, and having Widoz boxes. If that's what your admin situation is
like, then you use that architecture with the ldap posix extensions
which will handle all the unix boxes that can auth against ldap (pam
aware, which covers linux and probably solaris.)
You have too many variables to hope for anything resembling turnkey.
You really need to define the problem set, with all the various
variables, and what the cost/benefit is to achieving (for example)
single-sign-on across VPN, ERP, and HTTP.
Usenix's LISA conference (in a couple of weeks in Atlanta) has some
courses on this very topic. If you're not a member of LISA, and you're
tackling these problems, I recommend becoming a member. Even if you
can't get to LISA this year and attend the training directly, you can
get access to the proceedings online once you're a member.
http://www.usenix.org
Hope this helps,
--Chan
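One concrete check that follows from the LDAP-with-posix-extensions approach above: once the Unix boxes read accounts from the directory, password aging lives in the RFC 2307 shadowAccount attributes, and you can audit an LDIF export for accounts that violate the intended policy (no aging at all, a shadowMax longer than policy, or a password already past its limit). This is an added example, not code from Chan's reply or from the list; the LDIF below and its uids and day counts are constructed for illustration.

```python
# Constructed sample LDIF export (RFC 2307 shadowAccount entries); uids and values are made up.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: shadowAccount
uid: alice
shadowLastChange: 12400
shadowMax: 180

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: shadowAccount
uid: bob
shadowLastChange: 12000
shadowMax: 365

dn: uid=svc-backup,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: svc-backup
"""

def parse_ldif(text):
    """Minimal LDIF parser: one dict per entry, attribute values kept as lists."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():          # a blank line separates entries
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def audit_password_aging(ldif_text, today_days, policy_max_days):
    """Map uid -> 'ok' | 'expired' | 'no-aging' | 'max-too-long' (days count from 1970-01-01)."""
    report = {}
    for entry in parse_ldif(ldif_text):
        uid = entry["uid"][0]
        if "shadowMax" not in entry or "shadowLastChange" not in entry:
            report[uid] = "no-aging"      # nothing ever forces a change on this account
            continue
        last_change, max_days = int(entry["shadowLastChange"][0]), int(entry["shadowMax"][0])
        if max_days > policy_max_days:
            report[uid] = "max-too-long"  # directory is laxer than the written policy
        elif today_days - last_change > max_days:
            report[uid] = "expired"       # pam_unix/pam_ldap should be forcing a change
        else:
            report[uid] = "ok"
    return report
```

Run it against a real `ldapsearch -LLL` export with today's day number (days since the epoch) and the 180-day limit to see which accounts the directory would still let in with a stale password.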
>thanks!
>
>johnS
>_______________________________________________
>mad-sage mailing list
>mad-sage@xxxxxxxxxxxx
>http://www.mad-sage.org/mailman/listinfo/mad-sage