Advantage to synching with AD?

2010/3/5 Dumbo Q <dumboq at yahoo.com>:
> What do you mean by appropriate authorization and duties?

Specifically, it's the non-technical portion. In some organizations
there is some delineation of duties that precludes some admins from
creating IDs. I.e., the Unix administrators may not necessarily have
the authorization (in a business sense) to create IDs on some servers.
For example, creating IDs on SOX- or payroll-related systems may have
an existing process.

The reason I bring it up is that if you currently maintain your own
accounts for the Unix systems and you anticipate doing the same once
your systems join the domain, then you may need to either relinquish
some control or gain more privileges in the domain. And generally, if
your organization is large enough to require AD/LDAP then you may
already have policies that would need to be modified. This is a purely
non-technical reason though...

> "You also maintain a bit more control over the auth setup."
>
> What type of control are you referring to?

In my organization there are separate administration groups for
Windows and Unix/Linux, so as Unix admins we do not have access to
modify/extend schemas.

With a separate Unix LDAP server we would have more control over some
aspects of authentication. For example, service-based access is not
supported/enabled with our particular AD setup. It's particularly
useful to Unix, though, as there are FTP-only accounts that require
host-specific configuration to enable (i.e., via FTP virtual users
using an FTP server that is not LDAP-aware).

As mentioned also, having a separate Unix LDAP can mitigate issues if
the AD cluster goes down. This may be a non-issue in your environment,
but I do know of companies that lost their AD due to user error or
hardware failure and it brought down Unix logins also. You can
partially mitigate this by local caching, but this also has tradeoffs.

> We currently have a pile of AD servers, which are critical to the company.
> I'm just hesitant to now add multiple RHDS servers on top of that. There
> will be at least two production environments, that will need at least 2 RHDS
> servers each. Plus test environment, etc. If there is a real benefit to
> setting this up, then I'm all for it. But so far it seems like this added
> infrastructure will introduce more complexity without giving any additional
> benefit.
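The "local caching" mitigation for an AD outage mentioned in the reply above, shown as an added sssd.conf fragment (editor's example, not from the thread or any poster); the domain, server names and group are constructed placeholders, and the comments spell out the tradeoffs a defender takes on.

```ini
# Added example: a Unix host joined to AD via SSSD, configured so that
# users who have logged in before can still authenticate while the
# domain controllers are unreachable. Names below are placeholders.
[sssd]
services = nss, pam
domains = example.corp

[domain/example.corp]
id_provider = ad
auth_provider = ad
ad_domain = example.corp
# List more than one DC; SSSD fails over before it ever goes offline.
ad_server = dc1.example.corp, dc2.example.corp
ad_backup_server = dc3.example.corp

# The mitigation: keep a salted hash of each successful password in the
# local cache (/var/lib/sss/db, root-only) so the PAM stack can verify
# the same user again when AD is down.
cache_credentials = True

# Tradeoff 1: identity data (group memberships, shell, home) is served
# from cache for this long, so a user removed from a group in AD keeps
# that group locally until the entry expires or AD is reachable again.
entry_cache_timeout = 5400

# Restrict logins to one AD group; cached, this decision also goes
# stale for the same window as above.
access_provider = simple
simple_allow_groups = unix-admins@example.corp

[pam]
# Tradeoff 2: a disabled or removed AD account can still log in with
# its cached password for up to this many days (0 would mean forever).
# Shorter is safer; longer survives a longer outage.
offline_credentials_expiration = 2

# Tradeoff 3: the offline path is a local password check, so rate-limit
# it to keep an attacker from guessing against the cache.
offline_failed_login_attempts = 3
offline_failed_login_delay = 5
```

After an outage, check `sssctl domain-status example.corp` (or the sssd log) to confirm the host is back online, since the stale-group and stale-disable windows above only close once AD is reachable again.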

