Thursday, July 14, 2016

linux - Pursuit of True Active Directory Integration

Before you laugh at me and say, "If you want Active Directory, use Windows" or tell me to use Google, hear me out.

My company relies very heavily on AD. Nay, we are married to it at this point, and as a Fortune 10 company, that's not changing. However, we have a lot of *nix systems in our environment (mostly RHEL and SLES), and I have yet to find a good mechanism for integrating with Active Directory as an identity source. At the very least, I need something to provide the following:

  1. Authentication via AD credentials (letting a user in the door)
  2. Authorization once authenticated (granting a user access to areas of the system)
  3. Audit (being able to tie user actions back to their AD credentials)
  4. Support for AD groups (not just vanilla LDAP and having to add/remove individual users on systems)
  5. Not a duplicate/mirrored identity source based on a trust of AD (I don't need two huge systems)

The top solutions that I have found are as follows:

  1. Centrify
  2. PowerBroker Open (PBIS Open, formerly Likewise-Open)
  3. SSSD+SELinux

Centrify . . . is just ugly. I've never been a real fan. Also, for my company's needs, we can't use Centrify-Express, so it's not free, and there's no unlimited license. However, it's the best solution that we've found, and I'm desperate to find something else.

PBIS Open is what I'm leaning toward. It's what VMware uses in the backend of vShield, and it works pretty well. It only requires a few commands to get set up, it supports AD groups, and there's no secondary identity management system - it talks directly to AD. The only reason for me not going that route is that I like native solutions, and if there's a better way to do it that is already included in modern distros, I'm all for it.

SSSD+SELinux sounded great. It's nasty to set up, but it's flexible, native, and supported by most modern distros. The only thing it lacks (from what I understand) is support for AD groups. Many articles suggest leveraging FreeIPA or something similar to add this functionality, but upon further reading, this violates requirement 5 and basically creates a middle-man identity service. I'm not interested in basically duplicating AD or setting up trust to a secondary identity service.
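The five requirements listed above and the SSSD setup just discussed, as an added example that is not from this post: a hand-edited /etc/sssd/sssd.conf that talks to AD directly (no FreeIPA or other intermediate directory) and restricts logins to members of one AD group, followed by a sudoers drop-in keyed to a second AD group. The domain example.com, the realm EXAMPLE.COM, the OU path and the group names linux-logins and linux-admins are placeholders chosen for this example; the option names themselves are documented SSSD options.

```ini
# /etc/sssd/sssd.conf  (constructed example; domain, OU and group names are placeholders)
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[domain/example.com]
# Requirements 1 and 5: identity and authentication come straight from AD
# (LDAP + Kerberos against the domain controllers), no second directory.
id_provider = ad
auth_provider = ad
chpass_provider = ad
ad_domain = example.com
krb5_realm = EXAMPLE.COM
cache_credentials = True

# POSIX uid/gid are derived from the AD object SIDs, so nobody has to
# maintain uidNumber/gidNumber attributes in AD for every Linux user.
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
default_shell = /bin/bash

# Requirements 2 and 4: the access decision is an LDAP filter evaluated
# against the user's AD object, here "is a member of the linux-logins group".
# For nested groups use the matching-rule form
#   (memberOf:1.2.840.113556.1.4.1941:=CN=linux-logins,OU=Groups,DC=example,DC=com)
access_provider = ad
ad_access_filter = (memberOf=CN=linux-logins,OU=Groups,DC=example,DC=com)

# /etc/sudoers.d/ad-admins  (separate file, mode 0440; shown here for completeness)
# Privilege escalation is also keyed to an AD group; with
# use_fully_qualified_names = True the group must be written domain-qualified.
# %linux-admins@example.com ALL=(ALL) ALL
```

On RHEL 7 a `realm join example.com` (realmd) writes a baseline sssd.conf and the host keytab in /etc/krb5.keytab; the file above is the hand-tuned form of that baseline, and `adcli join` or Samba's `net ads join` plays the same role on SLES. After restarting sssd, `id someuser@example.com` and `getent group linux-admins@example.com` confirm that users and AD groups resolve. Requirement 3 is met as a side effect: PAM logs the login under the AD name in /var/log/secure, and auditd records the login uid (`auid`) on every subsequent syscall record, including sudo invocations, so actions trace back to the AD account even after a privilege change.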

Other kludge options I've tossed around include using Puppet (which we use) to push out `/etc/passwd`, `/etc/shadow`, and `/etc/group` files to endpoints, but that requires development, it's incredibly indirect, and I could see something going south badly. A better option would be adding SSSD+SELinux to the Puppet idea. While it would simplify the disaster, it's still a disaster.

What am I missing, what are you using, and what is the "new hotness" that I haven't accounted for to solve the Linux AD integration headache?
