Alan Baugher

NIS Replacement by CA Directory

Discussion created by Alan Baugher Employee on Feb 13, 2017
Latest reply on Feb 13, 2017 by Chris_Hackett



I see this question occasionally, on a process to manage the 1000's of Unix/Linux servers. Some solutions offer integration with MS Active Directory or third-party LDAP servers; others offer a middleware solution that will directly manage all Unix/Linux servers.


I wanted to offer this vetted process, which lowers TCO and takes minimal effort to manage.


How to manage 1000's of UNIX/LDAP servers and any multiple structural object classes needed for:


- Users






Enclosed is a process that CA services performed for a customer with 1000's of Unix/Linux servers.

The customer reviewed using other directory solutions, but did choose CA Directory after validation of POC use-cases.


We were able to use a mix of:

- CA Directory (as the primary centralized LDAPv3 store for authentication/authorization)

- OS (Unix/Linux) Pluggable Authentication Modules (built into the OS) - Configured to use an LDAPv3 server.

- CA Identity Manager - Used to centralize both Identity Management (create, modify, delete) with/without workflows & password reset.


Note: Password reset to any LDAPv3 server that acts as a "NIS favored" server must update two (2) attributes: userPassword & shadowLastChange (Epoch date)


Please review the below deck and forward any questions.



Edit:   1/30/2018   -   Add attachment that shows three (3) CX connectors to the three (3) structural objectClasses.
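
Added example (not part of the original post, and not CA's code): a sketch of the password-reset note above, building one LDIF modify record that replaces both userPassword and shadowLastChange, plus a check that flags a reset record missing either attribute. shadowLastChange is written as whole days since 1970-01-01, as RFC 2307 defines it; the DN and password are constructed samples, and passing the password value through unchanged (for the server to hash) is an assumption.

```python
import base64
from datetime import date, datetime, timezone

EPOCH = date(1970, 1, 1)
REQUIRED = ("userPassword", "shadowLastChange")

def shadow_last_change(day=None):
    """RFC 2307 shadowLastChange: whole days since 1970-01-01 (UTC)."""
    day = day or datetime.now(timezone.utc).date()
    return (day - EPOCH).days

def password_reset_ldif(dn, password_value, day=None):
    """Build one LDIF modify record that replaces both attributes, so the
    directory applies them together in a single LDAP modify operation.
    Assumes an ASCII-safe DN; the password is base64-encoded for LDIF only."""
    b64 = base64.b64encode(password_value.encode("utf-8")).decode("ascii")
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: userPassword",
        f"userPassword:: {b64}",
        "-",
        "replace: shadowLastChange",
        f"shadowLastChange: {shadow_last_change(day)}",
        "-",
        "",
    ])

def missing_reset_attrs(ldif_record):
    """Return the required attributes that a modify record does not replace."""
    replaced = set()
    for line in ldif_record.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "replace":
            replaced.add(value.strip().lower())
    return [a for a in REQUIRED if a.lower() not in replaced]

if __name__ == "__main__":
    # Constructed sample entry and password, for illustration only.
    record = password_reset_ldif(
        "uid=jdoe,ou=people,dc=example,dc=com", "N3w-Passw0rd!", date(2017, 2, 13))
    print(record)
    print("missing:", missing_reset_attrs(record))
```

A record that changes only userPassword leaves the old change date in place, so password-aging checks on the hosts would still evaluate the stale shadowLastChange value.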