[Gllug] Integrating *nixen (mostly OSX) into MS Active Directory
Avi Greenbury
avismailinglistaccount at googlemail.com
Fri Oct 24 17:37:08 UTC 2008

Got a bit hectic at work, haven't been able to respond. Not entirely
sure of the correct etiquette for responding to multiple same-subject
emails, so I've put them all in one mail which might make the threading
a bit more messy (sorry), but keeps me a lot more sane.

In the interim, it's been decided that non-admin (i.e. production) PCs
are allowed to not run Windows, which means the Studio can keep their
Macs. I'd still like to push the idea of integrating them into AD (or
some other Windows-user-friendly means of remote group administration),
as much for the ease of administration as the chance to demonstrate that
it's not just Windows that can do it.

Richard Revis wrote:
>> I want to argue that it is possible to achieve some AD
>> integration with *nix OSs (I presume I can get quite a bit
>> with an LDAP client?), but I'm having fun finding any
>> real-world information on it.
>>
>> Have any of you got any experience of it, and how successful
>> were you?
>
> Experience of decision making in large companies, yes.
>
> Apologies if this is inappropriate, but _argue_ set me off on a tangent :)

Yeah, argue was possibly not the best choice of wording....

I'm not likely to find myself in a position where I can present this -
the level at which this policy is written is such that it is my boss who
conforms to it by ensuring that we do. He'll be in the relevant
meetings, but he's also got an MCSE and makes funny faces when I mention
postfix.

When it was first mentioned that we were to become an exclusively
Windows network for security, I was a bit dumbstruck, and what I'm
mostly after is an ability to informally reassure my boss and the rest
of the dept that I'm in that we can fulfil the end result bits of this
proposed policy (a secure network) without necessarily getting rid of
all the Macs.

Though I will likely follow your process through in any event, if only
so I know it is (or maybe isn't) a reasonable idea.

John Hearns wrote:
> I asked over on the Beowulf list.
> I'm almost certain the product I was thinking of is Centrify:
> http://www.centrify.com/
>
> Have a good look at that maybe?
>
I've just had a quick look, I'll see if I can get some approximate costs
for that on Monday, I think.

Commercial software is certainly generally seen as the better bet by
default here (what do they teach on MCSEs?)

Jose Luis Martinez wrote:
>
> It is not a trivial exercise, separating the machines for
> authentication purposes is perfectly doable and perhaps the easiest
> route, but security should not be really mentioned as an issue. If the
> AD servers are configured correctly I fail to see why a non MS client
> would be more insecure.
>
The security aspect, as I understand it, comes from the idea that things
like forcing USB keys to be encrypted and the like can be done under
Active Directory. Personally, I think there's been a bit of confusion
between the means and the end, but I wasn't present at the meeting...

Ryan Cartwright wrote:
> I'm probably a bit late with this but (while waiting in Smiths for a
> train yesterday) I noticed that the "November" issue of Linux Magazine
> had a piece/howto on integration with Active Directory et al. I haven't
> read it but it might be worth checking out. I don't think it mentioned
> OSX though.

Ah, perfect!

I'll have a look at/for that on my way home. Cheers!

--
Avi Greenbury :) http://aviswebsite.co.uk
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug