- Re: Centralized account administration that allows...
01-11-2010 06:53 AM
01-11-2010 09:07 AM
Solution
You have eliminated two of the three possible solutions.
NIS+ is being phased out.
NIS is not being phased out, but leaves a lot to be desired from the security standpoint.
LDAP should be easier than it is.
So assuming you eliminate the top three answers, copying around the /etc/passwd and /etc/group files is your best option. I would not call it best. I would describe it as settling.
As far as audit goes you could go with HP-UX Trusted system and run that audit system on each server. This will take some time to get working as the audit data is pretty big and quickly tries to fill up the root file system.
You could use a system like e-trust to maintain better auditing. This system can actually be configured to replicate passwords up to the root seos(e-trust) server.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
01-11-2010 09:33 AM
Re: Centralized account administration that allows auditing?
That's what I was afraid of. So homing in on those two options...
If I have password expiration enabled on security and I copy the files to each server, will that reset the password expiration date on all the servers it's copied to as well? And is there something already in place that would find the newest files and replicate those across to the others?
And, what is this "e-trust" you mentioned? Is this some type of 3rd party authentication solution? A quick Google brought up anti-virus, privacy policy management and food.
01-11-2010 11:13 AM
I don't copy my passwd file around to other boxes, because there are absolutely some folks I don't want to have a login to certain boxes.
And for security/auditing, I hate the "it's all or nothing option with Trusted turned on". So think I looked around to get out of the box.
For me, I like to audit who I want to audit without them knowing when I'm in the mood to monitor, and just them. So, I went with Symark Powerbroker software, now called Beyondtrust.com. But there are other vendors out there who do similar.
With this I can turn it on or off who I want, as many as I want, when I want - and the developer(s) never knows. I like that. It gives me logs that are a full copy of every keystroke and every output of everything they do. I like that. And it has plenty of other options and utilities I can use, like distributing root or specific tasks, but frankly the ability to do ad hoc auditing is why I got it.
Take a look around and you may find some third party software that gives you what you want at a reasonable price.
Think out of the box...
Rgrds,
Rita
01-11-2010 03:37 PM
That being said, I'm currently copying password files using an ugly patched script but with 75+ servers that need different account sets this is becoming hard to manage and risky. This will sound odd but I think the easiest and most documented way to centrally manage accounts is actually using a Windows DC if you have one. There is a great cookbook from Eric Roseme on this subject on docs.hp.com. I read on LDAP, Kerberos, etc more than a few times and never really understood anything.
Olivier
01-12-2010 04:38 AM
Just make sure that the trusted.org_dir table is correctly constructed with the UID number in the auth_user field, and the NIS+ server will keep everything organized for you and generate the /tcb/files/auth entries automatically when the user logs in to a trusted system.
Also, make sure that you have all the patches installed - older versions of NIS+ lead to mysterious and vexing problems, such as replica synchronization failures, which probably contributed to its bad reputation.
There's also the HP-UX Standard Mode Security Extensions bundle which allows auditing in non-trusted mode: http://docs.hp.com/en/5991-1101/ch08s03.html ...which may be a simpler approach than charging up the NIS+ learning curve.
01-12-2010 04:40 AM
You should also look into CFengine - that's a handy tool which allows not only passwd/group file synchronization but a variety of other system maintenance and configuration operations.
01-12-2010 01:36 PM
That's why you have multiple tabs. Of course you would need to reload before you submit. :-)