We are looking at using Tivoli Directory Server (LDAP) or Active Directory 2003 for authentication. I wanted to get some feedback from the community. Our goal is to do it the simplest, easiest, and cheapest way that allows for centralized user authentication. We are mainly an AIX environment with some Red Hat and Suze mixed in.
All advice greatly appreciated.
To quote from RFC1925 (The Twelve Truths of Networking):
Cheap, Fast, Reliable: pick any two, you can't have all three.
None of these tools is "easy", "cheap" or "simple": they are complex and you can easily spend a lot of money and effort to cover in production what you "saved" in development by cutting efforts. To put it bluntly: it is easy to plan poorly and save that way a neglectable amount of cost and effort just to have a nearl unworkable envirnment in production which is a pain in the ass for all. I have seen a lot of such "simple solutions" which - once they were implemented - everybody hated with a passion.
So my first advice is: do NOT plan in short terms! A centralized authenticaltion solution is a very "core" technology and you will have to live with your decisions for a very long time. Plan thoroughly and you will have a valuable addition to your data center which saves you a lot of effort in the long run. Plan poorly and you will have additional effort and work on top of what you already do.
Second: stick to (open) standards as much as possible. all the products of a single producer have faltered over time, while open standards tend to stay: compare TCP/IP (the open internet protocol) with the IPX/SPX protocol from Novell and the NetBIOS protocol from Microsoft: all three were commonly used 15 years ago. Which one was open? Which one is still there? As long as there is only a single company producing something without an independent standard behind it it will not stay in the market for any prolonged time, regardless how big the company is: IBM invented the Microchannel bus and even as it was a technically excellent solution, today IBM builds its workstations and high-end systems (pSeries) on PCI. PCI is not better than Microchannel, but it was always independent and standardized while the Microchannel was IBMs patent - it still didn't stay.
So my second advice is: use LDAP, simply because it is an open, company-independent standard. Which LDAP server you use is irrelevant, it is easy to replace one with the other. Replacing a protocol is way more difficult than replacing to server providing it. Well, in fact it is not irrelevant, but a lot less relevant than the decision about the architecture of your authentication structure.
I hope this helps.
bakunin
We plan to implement a similar solution with Tivoli Directory server as the LDAP server.
What would be the recommended approach ? Will it work with all different flavors and versions of Unix ? we have AIX versions from 4.3 to 7.1, Solaris and Linux boxes too.
How do we handle provisioning new users when we want a centralized user repository ?
Also how can we exclude admin ids from using LDAP authentication ? e.g. root user should continue to use the unix system authentication.
Any answers, pointers would be very helpful. Thanks in advance.
AIX has ldif additions to add into an AD server what it needs for full AIX support. However, I hear AD support may "stop" when you add any "foreign" ldif files. I also hear it is very difficult (read impossible) to back out a ldif extension.
The AIX client does not really care what LDAP server is supplying the answers to queries. But it does need much more than simple rfc2307 (basically that only supports the 7 user administration entries in /etc/passwd and /etc/group (with the encrypted password "shadowed" away).
So, the key thing to test/verify - does the LDAP server support multiple DIT domains (some shops use different domains for production and server to support different specifications of the authentications and privileges assigned to roles under RBAC. In other words, the role name is the same on all systems, but the "power" differs.
IMHO: is it very much worth the time and effort to get AIX system configuration configured behind LDAP services.
From /etc/security/ldap/ldap.cfg (client side)
# Base DN where the user and group data are stored in the LDAP server.
# e.g., if user foo's DN is: uid=foo,ou=people,cn=aixdata
# then the user base DN is: ou=people,cn=aixdata
#userbasedn:ou=people,cn=aixdata
#groupbasedn:ou=groups,cn=aixdata
#idbasedn:cn=aixid,ou=system,cn=aixdata
#hostbasedn:ou=hosts,cn=aixdata
#servicebasedn:ou=services,cn=aixdata
#protocolbasedn:ou=protocols,cn=aixdata
#networkbasedn:ou=networks,cn=aixdata
#netgroupbasedn:ou=netgroup,cn=aixdata
#rpcbasedn:ou=rpc,cn=aixdata
#automountbasedn:ou=automount,cn=aixdata
#aliasbasedn:ou=aliases,cn=aixdata
#bootparambasedn:ou=ethers,cn=aixdata
#etherbasedn:ou=ethers,cn=aixdata
#authbasedn:ou=authorizations,cn=aixdata
#rolebasedn:ou=roles,cn=aixdata
#privcmdbasedn:ou=privcmds,cn=aixdata
#privdevbasedn:ou=privdevs,cn=aixdata
#privfilebasedn:ou=privfiles,cn=aixdata
#domainbasedn:ou=domains,cn=aixdata
#domobjbasedn:ou=domobjs,cn=aixdata
The first two are what most people are thinking of initially, while AIX preferes the first three (the third brings the file /etc/security/.ids into LDAP simplyfying/ensuring unique userid generation).
In short, if your choice for an LDAP server is not going to support, or is difficult about supporting these many different domains - it is not suitable as an LDAP server for AIX.
Hope this helps!
p.s. regarding the Tivoli Directory Servers - they permit multiple versions installed and operating on a single AIX system (obviously using different ports).
AIX v4 client only knows about the AIX-only schema, so you will need a separate LDAP server for that - regardless of your choice. When you get to the point that you have everything bu AIXv4 under LDAP - try and contact me and I'll ask my LDAP SSO colleagues if they have suggestions.