

user administration in modern times ……

It is often repeated that a system administrator should investigate non-local user authentication methods once his server farm grows beyond a few machines. I am not going to define what “a few machines” means. Instead, I will say that as long as there is already an authentication environment in place (for example Active Directory) which can provide authentication services to UNIX, then regardless of the number of UNIX hosts, they should all be integrated with that existing environment.

For a lot of us (maybe most of us), Active Directory is the “already in place” authentication environment. As soon as a UNIX host is built it should participate in your local Active Directory domain, which presumes that Active Directory’s UNIX services support is already enabled and fitted with the necessary groups and users.

Often, even while a host participates in the global authentication environment, application administrative accounts are still left at the host-local level (/etc/passwd and /etc/group). Why? I am not talking about operating system administrative accounts (the ones pre-installed during operating system installation). What I have in mind are accounts like oracle, oinstall, deploy, nagios, and so forth. I believe that they too should be defined in Active Directory.

Some of you may start looking around for a stone or a rock to throw in my direction; please do not do it yet (let me hide first). Some of you are already screaming: “How do I protect my applications against an Active Directory failure?” Well, start at the top and make Active Directory highly available (load balancer?). But what will happen if Active Directory fails? Will users be able to log in to their PCs to access the data delivered by or residing on a UNIX host? If users are not able to log in to their laptops, why worry about the application account?

For the few of you who still find a reason to worry, you may be relieved to know that AIX, for example, has the option to use a secondary authentication method: set it to local authentication. If Active Directory fails to authenticate your user, AIX will fall back to the data in /etc/passwd. By the way, Active Directory can also synchronize UNIX local passwords… Isn’t this sweet?

What if there is no Active Directory? Can you use NIS, NIS+ and/or LDAP?

The moral of this post is: get out of user, group, UID and GID administration, get out of local user management, as much as possible.
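As an added example (not from the original post), here is a POSIX shell audit that lists the local accounts above the OS-reserved UID range and flags those the directory does not know about, which is exactly the set of application accounts (oracle, nagios, deploy and friends) this post says should move into Active Directory or LDAP. The /etc/passwd and directory listings are constructed samples, and the UID boundary of 1000 and the `getent`/`lsuser` commands named in the comments are assumptions about the site.

```shell
#!/bin/sh
# Constructed sample of a host's /etc/passwd (not taken from a real host).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
oracle:x:1001:1001:Oracle software owner:/home/oracle:/bin/bash
nagios:x:1002:1002:Nagios monitoring:/var/lib/nagios:/bin/bash
deploy:x:1003:1003:Deployment account:/home/deploy:/bin/bash
jsmith:x:20001:20001:John Smith:/home/jsmith:/bin/bash'

# Constructed stand-in for what the directory returns (on a joined Linux host
# `getent passwd`, on AIX `lsuser -R LDAP ALL`); only jsmith lives there.
SAMPLE_DIRECTORY='jsmith:x:20001:20001:John Smith:/home/jsmith:/bin/bash'

# Print, space separated, the local accounts whose UID is at or above $2
# (assumed boundary between OS-installed and site-created accounts), skipping
# the well-known placeholder accounts. $1 = passwd-format text, $2 = MIN_UID.
local_app_accounts() {
  printf '%s\n' "$1" | awk -F: -v min="$2" '
    $3 >= min && $1 != "nobody" && $1 != "nfsnobody" { out = out (out ? " " : "") $1 }
    END { print out }'
}

# Of those, print the ones the directory does not know about: accounts that
# exist only in the host's local files and would be lost to central policy.
# $1 = passwd-format text, $2 = directory listing text, $3 = MIN_UID.
local_only_accounts() {
  out=""
  for u in $(local_app_accounts "$1" "$3"); do
    if ! printf '%s\n' "$2" | awk -F: -v u="$u" '$1 == u { found = 1 } END { exit !found }'; then
      out="${out:+$out }$u"
    fi
  done
  printf '%s\n' "$out"
}

# Stand-alone run against the constructed samples.
echo "local accounts with UID >= 1000: $(local_app_accounts "$SAMPLE_PASSWD" 1000)"
echo "defined only locally: $(local_only_accounts "$SAMPLE_PASSWD" "$SAMPLE_DIRECTORY" 1000)"
```

On a real host, feed the functions the output of `cat /etc/passwd` and of the directory query, and anything the second function prints is a candidate for migration into the central directory.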

The sooner you do it, the more time you will have to waste or to learn. 🙂

Posted in Linux, Real life AIX.




Copyright © 2016 - 2017 Waldemar Mark Duszyk. All Rights Reserved. Created by Blog Copyright.