Alan Baugher

NIS Replacement by CA Directory

Discussion created by Alan Baugher Employee on Feb 13, 2017
Latest reply on Feb 13, 2017 by Chris_Hackett

Team,

 

I see this question occasionally, on a process to manage the 1000's of Unix/Linux servers. Some solutions offer integration with MS Active Directory or 3rd-party LDAP servers; others offer a middleware solution that will directly manage all Unix/Linux servers.

 

I wanted to offer this vetted process, which lowers TCO and takes minimal effort to manage.

 

How to manage 1000's of UNIX/LDAP servers and any multiple structural object classes needed for:

 

- Users
- Groups
- NetGroups
- Sudoer
- etc.

 

Enclosed is a process that CA services performed for a customer with 1000's of Unix/Linux servers.

The customer reviewed using other directory solutions, but did choose CA Directory after validation of POC use-cases.

 

We were able to use a mix of:

- CA Directory (as the primary centralized LDAPv3 store for authentication/authorization)

- OS (Unix/Linux) Pluggable Authentication Modules (built into the OS) - Configured to use an LDAPv3 server.

- CA Identity Manager - Used to centralize both Identity Management (create, modify, delete) with/without workflows & centralized password reset.

 

Note: A password reset to any LDAPv3 server that acts as a "NIS favored" server must update two (2) attributes: userPassword & shadowLastChange (Epoch date).

 

Please review the below deck and forward any questions.

 

 

Edit:   1/30/2018   -   Add attachment that shows three (3) CX connectors to the three (3) structural objectClasses.
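
Added example, not part of the original post or of any CA product: a Python sketch of the two-attribute password reset described in the note, plus a simplified version of the aging check a shadow-aware client applies. It assumes the RFC 2307 `shadowAccount` convention that `shadowLastChange` counts whole days since 1970-01-01; the function names, the sample DN and the sample password value are constructed for illustration.

```python
import base64
from datetime import date, datetime, timezone

EPOCH = date(1970, 1, 1)

def shadow_days(day=None):
    """Days since 1970-01-01, the unit shadowLastChange uses (days, not seconds)."""
    day = day or datetime.now(timezone.utc).date()
    return (day - EPOCH).days

def build_reset_ldif(dn, password_value, day=None):
    """Build one LDIF modify record that replaces both attributes together.

    password_value is bytes in whatever form the directory's password policy
    expects (assumption: the caller supplies it); it is base64-encoded so no
    byte of it can break the LDIF structure.
    """
    # Reject DNs that could inject extra LDIF lines or need encoding.
    if not dn.isascii() or any(c in dn for c in "\r\n") or dn[:1] in (" ", ":", "<"):
        raise ValueError("DN is not a safe plain LDIF string")
    b64 = base64.b64encode(password_value).decode("ascii")
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: userPassword",
        f"userPassword:: {b64}",
        "-",
        "replace: shadowLastChange",
        f"shadowLastChange: {shadow_days(day)}",
        "-",
        "",
    ])

def password_expired(shadow_last_change, shadow_max, day=None):
    """Simplified aging check: expired once today is past lastchange + max."""
    if shadow_last_change == 0:
        return True  # 0 means the user must change the password at next login
    if shadow_max is None or shadow_max < 0:
        return False  # no maximum age configured
    return shadow_days(day) > shadow_last_change + shadow_max

if __name__ == "__main__":
    # Constructed sample entry and value.
    print(build_reset_ldif("uid=jdoe,ou=people,dc=example,dc=com",
                           b"{SSHA}constructed-sample-value", date(2017, 2, 13)))
```

If only `userPassword` is replaced and `shadowLastChange` keeps its old value, `password_expired` still returns true for an aged account, which is why the reset has to write both attributes.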
