I searched for answers but have found nothing on here...

Long story short: a non-profit organization is in dire need of modernizing its infrastructure. First thing is to find an alternative to managing user accounts on a number of Linux hosts.

We have 12 servers (both physical and virtual) and about 50 workstations. We have 500 potential users for these systems. The individual who built and maintained the systems over the years has retired. He wrote his own scripts to manage it all. It still works. No complaints there. However, a lot of the stuff is very manual and error-prone. Code is messy and after updates often needs to be tweaked. Worst part is there is little to no docs written. There are just a few ReadMe's and random notes which may or may not be relevant anymore. So maintenance has become a difficult task.

Currently accounts are managed via /etc/passwd on each system. Updates are distributed via cron scripts to correct systems as accounts are added on the "main" server. Some users have to have access to all systems (like a sysadmin account), others need access to shared servers, while others may need access to workstations or only a subset of those.

Is there a tool that can help us manage accounts that meets the following requirements?

  • Preferably open source (i.e. free as budget is VERY limited)
  • mainstream (i.e. maintained)
  • preferably has LDAP integration or could be made to interface with LDAP or AD service for user authentication (will be needed in the near future to integrate accounts with other offices)
  • user management (adding, expiring, removing, lockout, etc)
  • allows to manage what systems (or group of systems) each user has access to - not all users are allowed on all systems
  • support for user accounts that could have different homedirs and mounts available depending on what system they are logged into. For example:
    • sysadmin logged into "main" server has main://home/sysadmin/ as homedir and has all shared mounts
    • sysadmin logged into staff workstations would have nas://user/s/sysadmin as homedir (different from above) and potentially a limited set of mounts,
    • a logged-in client would have his/her homedir at a different location and no shared mounts.
  • If there is an easy management interface that would be awesome.
  • And if this tool is cross-platform (Linux / MacOS / *nix), that will be a miracle!

I have searched the web and so far have found nothing suitable. We are open to any suggestions. Thank you.

EDIT: This question has been incorrectly marked as a duplicate. The linked-to answer only talks about having the same homedirs on all systems, whereas we need to have different homedirs based on what system the user is currently logged into (MULTIPLE homedirs). Also, access needs to be granted only to some machines, not the whole lot. Mods, please understand the full extent of the problem instead of merely marking it as duplicate for points...


Solution 1:

FreeIPA is probably what you're looking for. It's to Linux what Active Directory is to Windows. (It can also talk to AD if you have a heterogeneous environment, but shouldn't be used to manage Windows machines directly. Use AD for that.)

Red Hat's documentation (they call it Identity Management) is very thorough and easy to follow, and should be mostly applicable even if you aren't using Red Hat-derived systems.

Solution 2:

I would suggest a good local consultant to assess the particulars of your situation...

Really.

There may be other business requirements or nuances that people on this forum may not recognize or be invested enough to consider. A dedicated resource is your best bet... Otherwise, we're just throwing product recommendations at you for something that's easily out of scope for a simple Q&A.


Despite that, my approach would be to leverage Microsoft Active Directory and tie the Linux systems in using SSSD or LDAP. FreeIPA is fine in an all-Linux house, but even though you say "non-profit", that doesn't necessarily exclude Windows. You're going to encounter Active Directory somewhere along the path. You may want to augment this with automounted home directories, but the specifics of who gets mounted when or where aren't clear.

Even in the 99% Linux private-cloud environments I build now, I still rely on Active Directory for ease of management and centralized authentication. Groups and access permissions are easy, password policy and account aging is straightforward. Any concerns about maintainability, mindshare and compatibility are covered by the Microsoft solution. Replication is built-in, it's well-documented, and there's a bit of future-proofing inherent to the technology.

There are some details missing from your original question, though...

  • What particular Linux distributions are present in the environment? Are the versions consistent?
  • Do you require the same level of management granularity for your Macintosh systems (most organizations don't attempt to fully manage Apple computers)?
  • Are there remote users?
  • You mention "*nix" - What type of *nixes are present?
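
As an added illustration (not part of this answer or of the SSSD project's documentation), an assumed sssd.conf layout showing how the SSSD route above can express the two per-host requirements from the question: the "main" server keeps the homeDirectory stored in LDAP and admits every valid account, while a staff workstation overrides the home directory onto the NAS path and admits only named groups. The LDAP server, base DN, group names and paths are placeholders.

```ini
# --- /etc/sssd/sssd.conf on the "main" server (assumed; placeholder names) ---
[sssd]
config_file_version = 2
services = nss, pam
domains = example

[domain/example]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.org
ldap_search_base = dc=example,dc=org
# Refuse to talk to a directory whose TLS certificate does not verify
ldap_tls_reqcert = demand
# Honour the homeDirectory attribute from LDAP (e.g. /home/sysadmin);
# fall back to /home/<user> only if the attribute is missing
fallback_homedir = /home/%u
# Every account the directory knows may log in on the main server
access_provider = permit

# --- /etc/sssd/sssd.conf on a staff workstation (same directory, different policy) ---
[sssd]
config_file_version = 2
services = nss, pam
domains = example

[domain/example]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.org
ldap_search_base = dc=example,dc=org
ldap_tls_reqcert = demand
# Ignore the LDAP homeDirectory here: %l is the first letter of the login
# name, so sysadmin becomes /nas/user/s/sysadmin as the question asks for
override_homedir = /nas/user/%l/%u
# Only members of these groups may log in on workstations; anyone else,
# including accounts that are valid on the servers, is denied at PAM time
access_provider = simple
simple_allow_groups = staff, sysadmins
```

Because the allow-list lives on each host rather than in the directory, a user who is removed from the workstation group is refused there at the next login while their server access is untouched, which is the "only some machines" behaviour the question describes.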

Solution 3:

The current system works but is difficult to manage. I'm guessing there are other problems too for managing those servers if everything was done manually. I'd take a different approach by not replacing something that works (user management) and solve the administration problem of the servers.

I recommend using something like cfengine http://cfengine.com/community (free edition there) to "modernise" your system administration, not just user management. It's a good opportunity to try it because your current system works very much like using cfengine to distribute configuration to servers, in your case the /etc/passwd. So instead of replacing, you migrate those scripts to cfengine. Hopefully the impact would be very minimal because you're still using the same /etc/passwd.

Once you're comfortable with cfengine, you can build more recipes to solve more problems, like having a completely new user management system, and you have the tool to manage the configuration on the servers.

To help get you started, I found this link http://explosive.net/opensource/cfpasswd/doc/cfengine.html that shows how to distribute /etc/passwd and related files.

Even if you wanted to replace the user management system now, you still need an administration tool to manage those servers. It's better to have an administration tool sooner than later and reconfigure your user management under an administration tool.