Need Advice for a Case Project (Full Version)



y2kdread -> Need Advice for a Case Project (Oct. 21, '05, 3:25:47 AM)

In the case project what I am trying to do is create good authentication systems for users. I want to be able to control what sort of systems a user can use. The case can be found here: http://www.slacktacular.com/case/case2005.doc

What I would like to do is set up a system in which each user is assigned a role, and with each role you have a security context that goes with it. You would also go a bit deeper, saying that if a low-level employee tried to access the network from a connection at a coffee shop at like 3AM we would not let them have access and would log what they try to do.

I would like the system to be a single sign on sort of thing, to minimize the confusion with many passwords. I know how this would work in theory, but don't really know what sort of systems you would use to set it up.

The company already uses Exchange for email, so I figure this could be a good start.

Basically, I want to know how and what you would set this up on. How you would connect existing resources to the new authentication servers. How to do this for a decent price (open source software would work great), and other such stuff.

If anyone would like to advise me on this, please message me on AIM at Y2KDREAD or email me at . I am not asking anyone to do the case for me, I am really just asking what you would do in this respect, and to get into a bit more detail than I have given. I know how to do this in theory, but in practice I am not sure what all is needed. And as a future IT person, I know that in the future I will turn to my colleagues for advice, and feel that in something such as this it is no different.

Thanks for any help,
Y2KDREAD
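A worked version of the policy the first post describes (each user has a role, each role carries a security context of allowed hours and networks, and out-of-context attempts such as a staff login from a coffee shop at 3AM are denied and logged). This is an added example, not code from the thread; the users, roles, address ranges and request times are all constructed.

```python
"""Context-aware access check: role -> security context -> allow/deny + log."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
import logging

log = logging.getLogger("access-policy")


@dataclass
class SecurityContext:
    # Local-time window [start_hour, end_hour) and the networks a role may come from.
    allowed_hours: tuple
    allowed_networks: list

    def permits(self, when, src):
        start, end = self.allowed_hours
        in_hours = start <= when.hour < end
        on_net = any(src in net for net in self.allowed_networks)
        return in_hours and on_net


# Constructed role table: staff only from the internal LAN during office hours,
# admins round the clock from the LAN or the (constructed) VPN concentrator range.
ROLES = {
    "staff": SecurityContext((7, 19), [ip_network("10.0.0.0/8")]),
    "admin": SecurityContext((0, 24), [ip_network("10.0.0.0/8"),
                                       ip_network("203.0.113.0/24")]),
}
USERS = {"alice": "staff", "bob": "admin"}  # constructed user -> role mapping


def check_access(user, src_ip, when_iso):
    """Return True if the request fits the user's role context, else log and deny."""
    when = datetime.fromisoformat(when_iso)
    role = USERS.get(user)
    ctx = ROLES.get(role)
    if ctx is None:
        log.warning("DENY unknown user=%s src=%s at=%s", user, src_ip, when_iso)
        return False
    if not ctx.permits(when, ip_address(src_ip)):
        log.warning("DENY user=%s role=%s src=%s at=%s", user, role, src_ip, when_iso)
        return False
    log.info("ALLOW user=%s role=%s src=%s at=%s", user, role, src_ip, when_iso)
    return True


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Constructed requests: the coffee-shop 3AM case and a normal office login.
    print(check_access("alice", "198.51.100.7", "2005-10-21T03:00:00"))  # False
    print(check_access("alice", "10.1.2.3", "2005-10-21T09:30:00"))      # True
```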




Rodney -> RE: Need Advice for a Case Project (Oct. 21, '05, 11:08:03 AM)

Are you working in a heterogeneous or homogeneous OS site? If heterogeneous, then which OSes?
mmm, okay the paper has this in it and it's some contest...

If you just have Windows boxes then you can do this with Active Directory (AD).

If you have a mixed Windows & Unix site then you can use SFU (Services for UNIX),
which is free, to do password synchronizations amongst the machines. AD gets set
as the primary maintainer of passwords; an SSOD (single sign on daemon) gets run
on each Unix system to coordinate password updates with AD.

You can set (by hand) your Unix machines to use Kerberos and the Kerberos server
be AD. There are a couple of large papers/books from Microsoft on doing this.
You can find this in TechNet and MSDN.

After that there are the commercial offerings from Vintela and Centrify that can
have a Unix/Linux box use the Kerberos/LDAP of AD for password sync and for login
verification (times, machines, etc.).

The contest paper also outlines some supplier/customer data access. That's usually
outside the scope of what we do here. Typically this involves (these days anyway)
some web portal with authentication and a database that has the ability to secure
data based on the user. The "staff" listing has an Oracle DBA so use all the info
on the Oracle web site. That one's a gimme.




y2kdread -> RE: Need Advice for a Case Project (Oct. 21, '05, 11:24:09 AM)

I am going to put in an assumption saying that all the systems are running XP, just to make life easier.

And as to using AD for the permissions, how would I get different databases/applications to use AD to check for the authorization? Or is it really just a matter of saying that this DB on this server is only able to be used by X role, and we would assume that we would use a connector in the DB that would help you go and check AD?

Also, because all of this is being done in a central location, what sort of servers would we need? I know you would want an AD server running MS Server, but how would this work for all the other offices? With stuff dealing with the customers and suppliers I can understand all that being in one location. But for other offices within the company, is it practical to set up an AD server at each office, or just set them up at the location that is being built, and connect to them that way?

I know this can get nitpicky, and I am kind of dense on some of this stuff. But my work with AD and permissions is very limited at this point, so your help is wonderful.




Rodney -> RE: Need Advice for a Case Project (Oct. 21, '05, 2:06:52 PM)

> I am going to put in an assumption saying that all the systems are running XP, just to make life easier.

Okay (in the staff list it had a Sun guy).

> how would I get different databases/applications to use AD to check for the authorization?

My memory on Oracle is directly related to if I'm currently using it for a project :-)
So offhand I can't remember the finer details. But with Oracle you can specify with some
pretty fine granularity the access to records, columns, etc. You can tie this in with the
user account with a login procedure. I recall that there is something on the Oracle web site
that discusses using Oracle with a web site for DB access doing just this. On the Windows
machines this means Oracle interacting with AD for authorization.

> but how would this work for all the other offices?

Well, I'd suggest you find a book on AD. This sort of scenario is pretty average and is
covered umpteen different ways. There's a lot of detail and trade-offs in the distributed
environment. More than I can cover on the Forum. One example of it is that there is a
primary AD server and then you can have secondary AD servers at the "branches plants".
AD is Kerberos, LDAP and a bit more rolled into one. So AD does the authentication,
authorization and provides information. There are other ways to approach it as well
(i.e. multiple realms with cross-trusts). With a physically, widely distributed company
you have to account for the network being severed from the main server for some of the
time; it'll also be faster to get "local cache".
Find a book on AD. Some reading on Kerberos itself would help.



