Neil Neely
2008-12-29 18:57:08 UTC
We're looking at integrating our *nix machines with our AD servers and
are trying to find the "Best" way to do this. In this case I'm
finding my google-fu isn't working in my favor... there is no shortage
of information. Every time I think I have a complete grasp of ways
this can be done I find one more. So there are plenty of resources
for how to do this using technique X, what I really need is some
feedback from people who are further along in this evolution that can
give some perspective on which approach they think is the best.
Disclaimer: I am in the process of learning how these bits fit
together, and if I've said something truly bizarre it is likely out of
ignorance not arrogance so I really would appreciate being pointed in
the right direction.
Relevant background details:
~50 production servers that are centrally managed (unified UID and
passwords) using homegrown syncing - we would like to move these to AD
Already have AD infrastructure in place authenticating staff
workstations (~50 workstations)
The servers exist to support our customers (not staff in general)
These servers do not require shared home directories for staff.
Staff accessing these servers are all performing some task relating to
"administration", though at different levels (tech support through sys
admin).
* primary concern is not securing these machines against its
legitimate users (so NIS may be acceptable in this environment).
This economy stinks and doing this without any capital expenses is
very important.
Combinations we are seriously considering (in no particular order):
NIS w/Kerberos (via SFU)
Winbind
Likewise Open
We've found various bits and pieces that seemed promising with each of
these approaches. This is our short list of best fit for the problems
we've got, but perhaps we've overlooked something. I would really
appreciate any pros/cons from the trenches on this topic. "Likewise
Open" seems to be the easiest to install at this point, so is slightly
ahead in our evaluation.
Thanks for your time,
(sidenote: AD is being chosen because it is existing established
infrastructure here that looks like it will do the job we need,
nothing at all against openldap, this is just using the tool that
we've got so we can focus on solving other challenges.)
Neil Neely
http://neil-neely.blogspot.com
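For readers weighing the Winbind option above, the following is an added example (not code from the original post or from the Samba project) of what an AD member-server setup and its verification look like in practice. It generates a minimal smb.conf using Kerberos (security = ads, so passwords are not sent over the network the way NIS sends password hashes), a matching krb5.conf, wires winbind into nsswitch.conf, joins the domain, and checks the join. The realm CORP.EXAMPLE.COM, the NetBIOS name CORP, the UID/GID range, the file paths, the winbind service name, and the function names are all assumptions for illustration; the idmap syntax shown is the newer "idmap config" form (Samba 3.0-era releases used "idmap uid"/"idmap gid").

```shell
#!/bin/sh
# Added example, not part of the original post. Joins a Linux host to AD via
# Samba winbind and verifies the result. Realm, workgroup, ID range, paths and
# the winbind service name are assumptions; adjust for your environment.

# Emit a minimal smb.conf for an AD member server that authenticates with
# Kerberos (security = ads). Unlike NIS, no password material crosses the wire
# in the clear.
gen_smb_conf() {
    realm=$1      # Kerberos realm, upper case, e.g. CORP.EXAMPLE.COM (assumed)
    workgroup=$2  # NetBIOS domain name, e.g. CORP (assumed)
    cat <<EOF
[global]
    workgroup = $workgroup
    realm = $realm
    security = ads
    # Map AD SIDs to local UIDs/GIDs. The range must not overlap local accounts
    # and must be identical on every server or UIDs will differ between hosts.
    # (Samba 3.0-era releases spelled this "idmap uid" / "idmap gid".)
    idmap config * : backend = tdb
    idmap config * : range = 10000-19999
    # Let staff log in as "alice" rather than "CORP\alice"
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    template shell = /bin/bash
    template homedir = /home/%U
EOF
}

# Emit a krb5.conf that locates the DCs through DNS SRV records.
gen_krb5_conf() {
    realm=$1
    cat <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = true
    dns_lookup_realm = false
    # Kerberos rejects tickets when clocks drift; keep NTP pointed at the DCs
    clockskew = 300
EOF
}

# Return 0 if the given nsswitch database (passwd, group, ...) already
# consults winbind in the given nsswitch.conf-style file.
nss_has_winbind() {
    db=$1; file=$2
    grep -Eq "^${db}:.*[[:space:]]winbind([[:space:]]|$)" "$file"
}

# Write the configs, join the domain and run the checks an admin would run
# by hand. Needs root, network access to a DC, and a domain account that may
# join machines. The service name "winbind" is an assumption (some distros
# call it winbindd).
join_and_verify() {
    realm=$1; workgroup=$2; admin=$3
    gen_smb_conf "$realm" "$workgroup" > /etc/samba/smb.conf
    gen_krb5_conf "$realm" > /etc/krb5.conf
    for db in passwd group; do
        nss_has_winbind "$db" /etc/nsswitch.conf \
            || sed -i "s/^${db}:.*/& winbind/" /etc/nsswitch.conf
    done
    net ads join -U "$admin" || return 1   # creates the machine account in AD
    service winbind restart
    wbinfo -t || return 1                  # machine trust secret is valid
    wbinfo -u | head -5                    # winbind can enumerate AD users
    getent passwd "$admin"                 # NSS resolves AD users to UIDs
}
```

Run it as root with `join_and_verify CORP.EXAMPLE.COM CORP Administrator` (substituting the real realm, NetBIOS name and a join-capable account). The one check worth doing on every server afterwards is that `id someuser` returns the same UID on all of them; with a tdb idmap backend that only holds if the range is identical everywhere and the allocation order is the same, which is why a shared backend (idmap_rid or RFC2307 attributes from SFU) is the usual next step for a fleet of ~50 machines.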