Tips and tools, including PowerBroker.
See also
PowerBroker
12/3/13:
- The educational server pricing for the "Enterprise" version is $239 and $47.80 for the annual support.
- The "Open" version is free.
- PBIS Open/Enterprise comparison document.
Oliver's understanding about this software: The free ("Open", vs. "Enterprise") version of BeyondTrust's PowerBroker (PBIS = PowerBroker Identity Services) tool is apparently easy to use, but presents some "name collision" issues here at Cornell for reasons the vendor couldn't explain fully. Perhaps just cripple-ware, even though their tech staff and comparison documentation (linked above) says otherwise? Their fee-based, "Enterprise" software doesn't have this behavior, I understand.
Other resources Oliver has found or heard about
Integrating RHEL With Active Directory
Getting Control of Linux/Unix with Sudo and AD Integration
Webinar: 5/15/2014 11:00:00 AM [(GMT-05:00) Eastern Time (US & Canada)] - Can't make the live event? Register anyway to receive a link to the recording.
Experiences from others on campus:
Original Message:
From: Martin Berggren [mjb43]
Sent: Friday, April 25, 2014 4:35 PM
To: Oliver B. Habicht; gaarder@math---; Martin J. Berggren
Subject: Re: FW: Getting Control of Linux/Unix with Sudo and AD Integration
Hi,
We're using Cornell AD for both authorization and authentication with some extensions through Quest for our Linux hosts. This is part of the mention that engineering is working with Moe on a project. Anyway, this means that there aren't any local accounts on the Linux hosts (RH &Ubuntu) other than the service account that we add. We wanted a way to remotely log on for when there were configuration mistakes. We're using puppet to manage our Linux systems.
martin
=========================
Original Message:
From: On Behalf Of Devin A. Bougie
Sent: Thursday, April 24, 2014 3:17 PM
To: RITMG-L
Subject: Re: Getting Control of Linux/Unix with Sudo and AD Integration
Hi, All. For what it’s worth, at CLASSE we’re using SSSD to authenticate our Scientific Linux 6 systems with our Active Directory domain. We migrated over 200 SL6 systems over night without any reboots or interruptions in service, all using stock software provided in EL6. So far it’s worked very well, other than the pain of moving from an MIT Kerberos domain to what Active Directory provides (losing support for kadmin, etc.).
We’re then using Puppet for configuration management of our Windows and Linux (and eventually OS X) systems.
Devin
On Apr 24, 2014, at 11:15 AM, James I. Vanee <jiv2> wrote:
[...]
> As far as AD integration We have used PBIS (formerly likewise) but there are several problems that we live with for now but want to move. I know there are more native integrations coming from engineering in collaboration with Moe and the AD folks. maybe some of you already use that.
> I'll admit openly that we (I) do not have the discipline to manage using only sudo - I will say that living inside the managed/hosted server environment from CIT will help break old habits.