I used and evaluated PowerBroker about five years ago.  From a security 
perspective, I cannot recommend it.  At the shop where I did the eval, we 
banned it and forced the group using it to dump it completely.  

For centralized auth, I'm a fan of pushing out SSH keys and using some two-
factor system (e.g. SecurID) for sudo.  Kill passwords on the local Unix 
systems.  Only root should have a password, and it shouldn't even be known to 
the sysadmin.  (Break-glass framework.)

> On 2014 Oct 30, at 04:03, Edward Ned Harvey (lopser) <[email protected]> 
> wrote:
> 
>> From: [email protected] [mailto:discuss-
>> [email protected]] On Behalf Of Brad Beyenhof
>> 
>> I've heard good things about 389DS, though I never got around to actually
>> using it myself.
>> *snip*
>> 
>> OpenLDAP in itself isn't too hard to administer. However, I've never been the
>> guy to set it up from scratch. :) 
> 
> Eww, my experience has been the exact opposite.  (Actually, in both cases you 
> said something is good that you've never used, and I've used them both and 
> I'm here to say, I don't recommend it.)  Setup is not terribly difficult.  
> Ongoing maintenance, backup and restore, are complete nightmares.  
> Additionally, if you take a laptop out of the network, or the server is down 
> for some reason, there's no local caching, so you can't log in to or use the 
> disconnected system.
> 
> This was why I mentioned Centrify and PowerBroker.  Because I know they do 
> caching and can be used for laptops that aren't always connected.
> _______________________________________________
> Discuss mailing list
> [email protected]
> https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
> This list provided by the League of Professional System Administrators
> http://lopsa.org/


----
"The speed of communications is wondrous to behold. It is also true that 
speed can multiply the distribution of information that we know to be 
untrue." Edward R Murrow (1964)

Mark McCullough
[email protected]
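One way to check a host against the policy described in the first paragraph (key-only SSH, no usable local password on any account but root's break-glass one), as an added example that is not part of this thread: a POSIX shell audit over an sshd_config and a shadow-format file. The two sample files are constructed inline so it runs offline; on a real host you would point it at /etc/ssh/sshd_config and /etc/shadow (the latter readable only by root). The sudo two-factor part (e.g. a PAM module for SecurID) is not covered here.

```shell
# Added example: audit one host for "keys for SSH, no local passwords except root".
# Arguments are file paths so the constructed samples below can be used offline.
# Effective global PasswordAuthentication from an sshd_config. sshd takes the
# first value it meets for a keyword, and the default is "yes" when it is absent;
# settings inside Match blocks are conditional, so we stop at the first Match.
ssh_password_auth() {
    awk '
        $1 ~ /^#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == "passwordauthentication" { print tolower($2); found = 1; exit }
        END { if (!found) print "yes" }
    ' "$1"
}

# Accounts other than root whose shadow password field is usable: an empty field
# (no password asked at all) or a hash not prefixed by "!" or "*" (locked/disabled).
unlocked_password_accounts() {
    awk -F: '
        $1 == "root"              { next }
        $2 == "" || $2 !~ /^[!*]/ { print $1 }
    ' "$1"
}

# Print one finding per line; prints nothing when the host matches the policy.
audit_host() {
    pa=$(ssh_password_auth "$1")
    [ "$pa" = "no" ] || echo "sshd: PasswordAuthentication is '$pa', expected 'no'"
    for u in $(unlocked_password_accounts "$2"); do
        echo "shadow: $u has a usable local password (only root should)"
    done
}

# Constructed sample inputs (hashes are placeholders, not real credentials).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/sshd_config" <<'EOF'
PubkeyAuthentication yes
# PasswordAuthentication yes   <- commented out, must be ignored
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$6$PLACEHOLDER$hash1:16000:0:99999:7:::
daemon:*:16000:0:99999:7:::
alice:!:16000:0:99999:7:::
bob:$6$PLACEHOLDER$hash2:16000:0:99999:7:::
guest::16000:0:99999:7:::
EOF
audit_host "$SAMPLE_DIR/sshd_config" "$SAMPLE_DIR/shadow"
```

Run as root against the real files to get the same two kinds of finding; an empty result means the host matches the policy.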
