Tools for user account management for Solaris and Linux platforms

We have a setup consisting of 60+ hosts (Solaris and Linux). We would like to develop/install a tool that helps us with passwd resets, account creation/deletion, and other common user account mgmt tasks.

We have looked at Webmin, Puppet and AD integration as potential solutions. But either they are too expensive, have too many holes (vulnerabilities), or our architecture does not permit such a deployment. So we are still looking.

Our requirements are:

  1. Free and preferably OSS.
  2. Doesn't need to have a web UI. Could be a simple library/API that we can use to script up a user mgmt tool.
  3. Works with Linux and Solaris hosts.
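To make requirement 2 concrete, here is an added example (not code from the question or from any of the tools named on this page) of a small scriptable layer over the native account commands of both platforms. It builds each `useradd`/`usermod`/`passwd`/`userdel` invocation as an argv list so the plan can be reviewed or unit-tested before anything runs as root. The home-directory bases, the minimum UID, and the per-platform `passwd` flag that forces a change at next login (`-e` on Linux shadow-utils, `-f` on Solaris) are assumptions to check against `passwd(1)` on your releases.

```python
"""Constructed example: a scriptable account-management helper for Linux and
Solaris. Commands are built as argv lists and only executed when asked to,
so a change plan can be reviewed (or tested) before it touches a host."""
import re
import subprocess

# Login-name rule (assumed site policy): POSIX portable name, lowercase, <= 32 chars.
_LOGIN_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
_MIN_UID = 1000  # assumed: never create accounts in the reserved system UID range

# Per-platform conventions (assumed; adjust to your site). The passwd(1) flag
# that forces a password change at next login differs between the two OSes;
# useradd -m/-d/-s/-u/-G/-c, usermod -G, passwd -l and userdel -r are common.
PLATFORMS = {
    "linux":   {"home_base": "/home",        "shell": "/bin/bash", "force_change": "-e"},
    "solaris": {"home_base": "/export/home", "shell": "/bin/bash", "force_change": "-f"},
}


def validate_login(name):
    """Reject names that useradd/usermod would mangle or that smuggle options/paths."""
    if not _LOGIN_RE.fullmatch(name):
        raise ValueError("invalid login name: %r" % name)
    return name


def create_user(platform, name, uid=None, groups=(), comment=""):
    """argv for creating the account and its home directory."""
    p = PLATFORMS[platform]
    validate_login(name)
    argv = ["useradd", "-m", "-d", "%s/%s" % (p["home_base"], name), "-s", p["shell"]]
    if uid is not None:
        if uid < _MIN_UID:
            raise ValueError("uid %d is in the reserved system range" % uid)
        argv += ["-u", str(uid)]
    if groups:
        argv += ["-G", ",".join(validate_login(g) for g in groups)]
    if comment:
        argv += ["-c", comment]
    return [argv + [name]]


def set_groups(platform, name, groups):
    """usermod -G replaces the whole supplementary group list on both platforms,
    so removing a membership is just setting the list without it."""
    validate_login(name)
    return [["usermod", "-G", ",".join(validate_login(g) for g in groups), name]]


def reset_password(platform, name):
    """Set a temporary password interactively (passwd prompts on both OSes, so no
    clear-text password passes through this tool), then force a change at next login."""
    validate_login(name)
    return [["passwd", name], ["passwd", PLATFORMS[platform]["force_change"], name]]


def lock_user(platform, name):
    validate_login(name)
    return [["passwd", "-l", name]]


def delete_user(platform, name):
    """Remove the account together with its home directory."""
    validate_login(name)
    return [["userdel", "-r", name]]


def apply_plan(plan, execute=False):
    """Print each command; with execute=True run it (as root) and stop on the first failure."""
    for argv in plan:
        print(" ".join(argv))
        if execute:
            subprocess.check_call(argv)
    return len(plan)


if __name__ == "__main__":
    apply_plan(create_user("solaris", "jdoe", uid=1500, groups=["staff"], comment="Jane Doe"))
    apply_plan(reset_password("linux", "jdoe"))
```

Run with `execute=True` on each host (over ssh, or from a configuration-management run) once the printed plan looks right; the same calls produce the correct flags on either platform, which is the portability the question asks for.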


Solution 1:

You have two choices essentially:

  1. User creation via configuration management
  2. Centralised authentication

(1) can be accomplished through the use of tools such as Puppet, Chef, CFEngine, etc.

These tools allow you to create configurations which are applied to all nodes. However, a downside of using these to manage users is that you cannot centrally set passwords (each node has its own users with their own passwords and their own expiry), and you cannot easily change user groups: you can add to groups but not necessarily remove groups through configuration.

(2) is usually accomplished by creating an LDAP infrastructure (optionally with Kerberos).

Centralised authentication will mean users having the same password everywhere, and groups are easily changed.

You can either re-use existing infrastructure (such as Active Directory) or set up a new LDAP infrastructure. One system worth considering is FreeIPA. This integrates LDAP, Kerberos and optionally DNS. For Linux clients it provides easy setup via a script, and for Solaris clients you simply set them up as an LDAP (and optionally Kerberos) client. FreeIPA implements policies so you can set password/account expiry and password complexity.

FreeIPA can also provide one- or two-way sync with Active Directory.

Solution 2:

Do you want to have a centralized data store for this information that all machines access, or do you want to configure it locally (and perhaps independently) on each machine?

If it's the former, you probably want to investigate LDAP or Active Directory integration; this would ensure that passwords changed in the central directory are reflected immediately on all machines connected to it.

If it's the latter, then something like Puppet or CFEngine would be your best bet. CFEngine in particular runs almost everywhere (definitely on both Linux and Solaris hosts), and would allow you to create and manage users easily. Here's a quick-start guide for getting familiar with CFEngine.

Also, specifying your constraints when asking a question will help you get more constructive answers. What about your architecture prevented which potential solutions from being used? If you list what you've already tried and why it didn't work, then people will know to avoid steering you down fruitless paths, or perhaps be able to help you work around the problems you encountered.