BruceWestbrook

Centrally Manage Linux Accounts

I have 20 Linux servers, a mix of Red Hat, CentOS (i.e. Red Hat), Ubuntu, and potentially other distros in the future.  Half of these reside in various DMZs, the other half internally.

Currently we manage all 20 servers as separate devices - no centralized user management.

I need to move to some type of central user management that includes strong auditing for any root level access either directly with root accounts or through escalation of privileges (SU / SUDO).

The caveat here is that my DMZ boxes should have no direct connection to my internal network.  Instead, the centralized management of users, passwords, and audit logs needs to come from the central internal box and reach out to the DMZ.

This means no NIS+, no LDAP, etc. as the local boxes cannot check a central directory.  Instead, each local box must have a local store of the credential database and authenticate against their individual local store.

I found one product so far that meets my needs.  It is PowerBroker from Symark.  It works great for what I need.  However, it's extremely expensive.  To implement this product on 20 servers I'm looking at more than $60k.  Kind of hard to express that fact to management when we're moving our boxes into free open-source and away from paid distros like Red Hat as a cost savings initiative.

So I'm looking for a product that meets my needs like PowerBroker does, but at some fraction of that cost.

Any ideas?  What do other people use to centrally manage Linux boxes - other than some directory service?
noci

Is a master LDAP on the inside with an LDAP slave in the DMZ with a push-only update a possible solution?

http://www.umich.edu/~dirsvcs/ldap/doc/guides/slapd/3.html#RTFToC9
See chapter 3.4, configuration of 2 slaves through slurp.

ASKER

I don't like the idea of having a directory server inside my DMZ, but it's a possibility to consider if nothing better comes along.

You're saying I can push LDAP updates from my internal master to a slave LDAP in the DMZ without requiring the DMZ server to check in with the Internal server?  A one-way update?

(forgive me if that's a basic question - I've not set up LDAP on Linux before)

The core OpenLDAP doc is at the link below; the one referenced before is from an older subset.
http://www.openldap.org/doc/admin24/
Chapter 18 is about replication:
http://www.openldap.org/doc/admin24/replication.html

In recent OpenLDAP, apparently the slurpd tool has been replaced by the syncrepl mechanism.
Please read that chapter 18.
It is possible to restrict the exportable data to only a subset of the whole LDAP tree.  (par 18.3.1.3)
Within this OpenLDAP doc there is also a quick setup.
If you are using a distribution like RHEL, use the openldap delivered there and continue from configuration.

Has no one else come across another solution or a competitor to this PowerBroker software?

I appreciate the thoughts on LDAP Noci, but that only meets the goal of centralized account management.  Although looking back at my original question I notice now that I left out a critical aspect.  That is that I'm looking for a way to easily audit privileged or root level access.  PowerBroker does this in spades, but there must be some competitor or solution that does the same type of thing.

Anyone?
PAM does mention in accounting who logs on or off; su & sudo always use PAM to check access, so you can add audit rules to scripts.

Auditing is a part of the kernel nowadays.
I understand that and use the various embedded linux tools to perform auditing and security controls on stand alone boxes today.  That's great for 1, 2 or just a few boxes.

What I'm looking for is something much more scalable that can be centrally managed and controlled.  With 20 servers today and more coming in the future, managing user authentication and auditing individually is a huge pain.

I want something that does all this centrally, without a lot of heavy lifting to get up and running.  PowerBroker does this.  I found another product by Quest called Unix Privilege Manager that I'm just now looking into.  Not sure what the cost is on that product yet.

My question is really one of finding an open source way to accomplish the same thing as these commercial tools.

Not sure whether I clarified my question or not.  :-)
Ok,
Here is a document that I think describes what you mean; it contains references to several tools & libraries...
http://gate-test.library.lse.ac.uk:8080/dspace/bitstream/1988/2805/1/sm-mg_SignetGrouper_briefing.doc
Separate tools:
http://middleware.internet2.edu/signet/
http://middleware.internet2.edu/dir/groups/grouper/
http://sec.cs.kent.ac.uk/permis/
http://www.openpermis.org/
http://www.angel.ac.uk/PERSEUS/

Of which PERSEUS & Signet seem to be closed as they reached their goal.

Another implementation of Role Based Access Management is e.g. SELinux.
When using syslog, you can log records to a central server.
But there is otherwise no known application (to me) that handles this.
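
As an added example (not from this thread, nor from PowerBroker or Quest), here is the kind of central report the asker is after once su/sudo events are forwarded by syslog: a small Python parser that reads lines from several hosts and summarises root-level access per host. The sample lines are constructed, and the regexes assume the classic sudo log line and pam_unix su messages; adjust them to the formats your distros actually emit.

```python
import re
# Constructed sample syslog lines, as a central log server might receive them from
# several hosts (not real log data; formats vary by distro and PAM configuration).
SAMPLE_LOG = """\
Mar  3 10:15:02 dmz-web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Mar  3 10:16:44 dmz-web01 su: pam_unix(su:session): session opened for user root by bob(uid=1001)
Mar  3 10:17:01 app-int02 sudo:    carol : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar  3 10:18:30 app-int02 sshd[2211]: Accepted publickey for root from 10.0.5.9 port 51022 ssh2
Mar  3 10:19:00 dmz-web01 su: pam_unix(su:auth): authentication failure; logname=dave uid=1002 euid=0 tty=pts/3 ruser=dave rhost=  user=root
Mar  3 10:20:00 dmz-web01 CRON[123]: (root) CMD (run-parts /etc/cron.hourly)
"""
# Traditional syslog header: timestamp, host, then the program's message.
HOST_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d (?P<host>\S+) (?P<msg>.*)$")
# (kind, pattern): classic sudo line (a failure reason lands in 'detail'), pam_unix
# su session/auth lines, and direct root logins over SSH (the actor is the source IP).
PATTERNS = [
    ("sudo", re.compile(r"^sudo:\s+(?P<user>\S+) : (?P<detail>.*) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")),
    ("su", re.compile(r"^su(?:\[\d+\])?: pam_unix\(su:session\): session opened for user (?P<target>\S+) by (?P<user>\w+)")),
    ("su", re.compile(r"^su(?:\[\d+\])?: pam_unix\(su:auth\): authentication failure;.* logname=(?P<user>\w+) .* user=(?P<target>\S+)")),
    ("ssh", re.compile(r"^sshd\[\d+\]: Accepted \S+ for (?P<target>root) from (?P<user>\S+)")),
]
FAILURE_MARKERS = ("authentication failure", "NOT in sudoers", "incorrect password")

def parse_events(text):
    """Return one dict per su/sudo/root-login event found in the syslog text."""
    events = []
    for m in filter(None, map(HOST_RE.match, text.splitlines())):
        msg = m.group("msg")
        for kind, pat in PATTERNS:
            e = pat.match(msg)
            if e:
                d = e.groupdict()
                events.append({"host": m.group("host"), "kind": kind, "user": d["user"],
                               "target": d["target"], "cmd": d.get("cmd"),
                               "ok": not any(f in msg for f in FAILURE_MARKERS)})
                break  # one pattern per line; unrelated lines (e.g. CRON) are skipped
    return events

def root_access_report(events):
    """Per host: successful and failed root-level access, plus any direct root logins."""
    report = {}
    for ev in events:
        if ev["target"] != "root":
            continue
        h = report.setdefault(ev["host"], {"ok": 0, "failed": 0, "direct_root": []})
        h["ok" if ev["ok"] else "failed"] += 1
        if ev["kind"] == "ssh":
            h["direct_root"].append(ev["user"])
    return report
```

Run as `root_access_report(parse_events(SAMPLE_LOG))`; a non-empty `direct_root` list or a rising `failed` count on a DMZ host is what the central review should flag.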
ASKER CERTIFIED SOLUTION
BruceWestbrook
