Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month, online, via Jitsi Meet.

BLU Discuss list archive



[Discuss] AD/LDAP authentication



I've been at several companies that use Centrify (real name was "Centrify DirectAccess").  It is a natural fit for companies that already are, or traditionally have been, Windows shops, i.e., have Windows talent.

From a quick glance at the web page, it looks like they have released a "free" version (?) called "express".

It essentially allows Active Directory to be the authentication method for *nix by using a plug-in (not sure if that's the actual term) on the AD/server side, and an agent on the *nix side.
You are essentially outsourcing *nix authentications to AD, and all the headaches of AD and Windows Domain Controllers.  

The agent installs have quite a few parameters to get straight, but load from a single script, "install", I think.

You can be functional on the *nix side pretty easily, re-fetch the config cleanly (adflush), overcome the sync delay, and see the config (adinfo).
The config is the AD config.

I hate it mostly because I hate Windows, and AD, and DC.  
For the server (AD) side install, there is a Windows app, and hooks into AD.
They seem to "delegate" a subset (branch/tree?) of the AD configuration, called "linux" or "unix", to the *nix administrators.
When Windows has problems, you just have to reload the OS from scratch or revert to an earlier VM image.

Have heard good things about FoxT if you want a commercial product which is more in line with *nix worldview/philosophy.
Never used it.

Thanks,
Jim Gasek

--- invalid at pizzashack.org wrote:

From: Derek Martin <invalid at pizzashack.org>
To: Richard Pieri <richard.pieri at gmail.com>
Cc: blu <discuss at blu.org>
Subject: Re: [Discuss] AD/LDAP authentication
Date: Thu, 21 Dec 2017 12:04:36 -0600

On Fri, Dec 15, 2017 at 11:57:21AM -0500, Richard Pieri wrote:
> The Centrify option has been brought up. It's my resort of choice if I
> can't get native authentication working.

I was going to suggest this as a possible solution also--we use it
where I work.  I haven't done sysadmin work in many years now so
I can't really comment on how well it would solve your problem.  The
folks that do sysadmin here do seem to be satisfied with how it meets
our particular needs, but that's really all I can say.

-- 
Derek D. Martin    http://www.pizzashack.org/   GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address.  Replying to it will result in
undeliverable mail due to spam prevention.  Sorry for the inconvenience.

_______________________________________________
Discuss mailing list
Discuss at blu.org
http://lists.blu.org/mailman/listinfo/discuss





BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org