2010/3/5 Dumbo Q <dumboq@xxxxxxxxx>:

> What do you mean by appropriate authorization and duties?

Specifically it's the non-technical portion. In some organizations there is some delineation of duties that precludes some admins from creating IDs. I.e., the Unix administrators may not necessarily have the authorization (in a business sense) to create IDs on some servers. For example, creating IDs on SOX or payroll related systems may have an existing process.

The reason I bring it up is that if you currently maintain your own accounts for the Unix systems and you anticipate doing the same once your systems join the domain, then you may need to either relinquish some control or gain more privileges in the domain. And generally, if your organization is large enough to require AD/LDAP then you may already have policies that would need to be modified. This is a purely non-technical reason though...

> "You also maintain a bit more control over the auth setup."
>
> What type of control are you referring to?

In my organization there are separate administration groups for Windows and Unix/Linux, so as Unix admins we do not have access to modify/extend schemas. With a separate Unix LDAP server we would have more control over some aspects of authentication. For example, service based access is not supported/enabled with our particular AD setup. It's particularly useful to Unix though, as there are FTP-only accounts that require host-specific configuration to enable (i.e., via ftp virtual users using an ftp that is not ldap-aware).

As mentioned also, having a separate Unix LDAP can mitigate issues if the AD cluster goes down. This may be a non-issue in your environment, but I do know of companies that lost their AD due to user error or hardware failure and it brought down Unix logins also. You can partially mitigate by local caching, but this also has tradeoffs.

> We currently have a pile of ad servers, which are critical to the company.
> I'm just hesitant to now add multiple RHDS servers on top of that. There
> will be at least two production environments, that will need at least 2 RHDS
> servers each. Plus test environment, etc. If there is a real benefit to
> setting this up, then I'm all for it. But so far it seems like this added
> infrastructure will introduce more complexity without giving any additional
> benefit.

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
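The "local caching" mitigation and its tradeoffs mentioned in the reply above, shown as an added example that is not part of the original post: an sssd.conf fragment that keeps Unix logins working while the directory is unreachable. The poster does not name a caching mechanism; SSSD is assumed here, as are the domain name, LDAP URI and search base, which are placeholders.

```ini
[sssd]
config_file_version = 2
services = nss, pam
# "example.com" is an assumed domain name, not one from the thread.
domains = example.com

[domain/example.com]
id_provider = ldap
auth_provider = ldap
# Assumed placeholder values; point these at the real directory.
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
# Store a hash of each successfully verified password locally so a
# user who has logged in before can still log in during an outage.
cache_credentials = true
# How long (seconds) cached user/group entries are served without
# re-querying the directory.
entry_cache_timeout = 5400

[pam]
# The tradeoff: a cached credential keeps working after the account is
# disabled or the password is changed centrally, until it expires here.
# Value is in days; 0 would mean the cached credential never expires.
offline_credentials_expiration = 2
# Limit offline guessing against the cached hash: lock out after 3
# failed attempts for 5 minutes.
offline_failed_login_attempts = 3
offline_failed_login_delay = 5
```

Only users who have authenticated at least once while the directory was reachable get a cached entry, so this protects existing interactive logins, not first-time ones, and it does nothing for services that bind to LDAP directly (the FTP virtual-user case from the reply is an example of something this cache would not cover).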