...

Oliver's understanding about this software: The free ("Open", vs. "Enterprise") version of BeyondTrust's PowerBroker (PBIS = PowerBroker Identity Services) tool is apparently easy to use, but presents some "name collision" issues here at Cornell for reasons the vendor couldn't explain fully. Perhaps just cripple-ware, even though their tech staff and comparison documentation (linked above) says otherwise? Their fee-based, "Enterprise" software doesn't have this behavior, I understand.

Error, and thus limitation, in source code within "Open" found

1/23/17: Chemistry IT reviewed the source code and found the source causing the rare but very real NetID collisions. Instead of 20-bits stored for the user ID, only the first 19-bits are stored. Attempts made to contact the vendor. Also, we're testing out a recompiled version we hand-corrected. (Hard and uncertain outcomes since this limitation has been hard-coded in multiple locations within the code and not abstracted to just on location.)

Chemistry IT's notes regarding alternatives we've heard about in use at Cornell

1/23/17: Some folks on campus have a Boolean value CU AD for "edsvaOIT-IsUnixEnabled" marked as "Yes".

Other resources Oliver has found or heard about

Question: What happens if that person has a *nix system in more than one department? Won't that create a collision regarding home directory storage, etc?

Integrating RHEL With Active Directory

...