I was recently poking through some of the more interesting blog entries on Port25, and I came across “Active Directory and Linux Identity Management”, which is not a bad intro to integrating Linux into Active Directory. (You can also view a PowerPoint presentation that I did on a past road-show about Linux and Active Directory integration here.) Alas, I was thinking it would be about the broader concepts of identity management in heterogeneous networks. And that’s the thing...
At my consulting company, we do a huge amount of work in identity and access management, and I see two classes of clients:
• SMBs. These clients know AD and just want to get away from having to create accounts for users in multiple places. This usually means Linux/UNIX integration with AD at the operating system level (e.g., with Samba) and sometimes at the application level (e.g., by plugging Apache or Tomcat into Kerberos).
• Enterprises. These clients know a lot more than AD, and they want solid provisioning and access controls in place so that users have only the accounts and access they need, which calls for a strong, granular set of access control features. (Think CA eTrust Admin/Identity Manager, Sun Identity Manager, etc.)
I think it’s important that SMBs start to see “identity and access management” as being more about ACCESS than IDENTITIES. Or, more to the point, about CONTROL and not ACCOUNTS. SMBs tend to push integration so that they can reduce workload, while enterprises push identity and access management so that they can increase their control and audit capabilities.
The thing is, you can do a lot after integrating Linux/UNIX into AD, but most admins just stop at “Great, now I don’t have to create accounts several times when a new employee is hired.” They never get to the control part: deciding which domain users may log in to which hosts, and with what privileges. So, take a step back and reevaluate what you’re trying to accomplish.
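To make the “control, not accounts” point concrete, here is an added example (it is not code from the original post or from Port25) of the first check I run on an AD-joined Linux host: does the pam_winbind or sssd configuration actually restrict which domain users get a shell, or does it accept anyone AD can authenticate? The group name EXAMPLE\linux-admins, the realm example.com and the sample config snippets are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Audits whether an AD-joined Linux
# host restricts WHICH domain accounts may log in, rather than accepting every
# account that AD can authenticate. Group names, realm and the sample
# configurations below are assumed/constructed for illustration.

# pam_winbind: the pam_winbind.so line must carry require_membership_of=<group|SID>.
# Argument: PAM config text. Returns 0 when a restriction is present.
pam_winbind_restricted() {
    printf '%s\n' "$1" |
        grep -Eq '^[^#]*pam_winbind\.so[^#]*require_membership_of=[^[:space:]]+'
}

# sssd: access_provider must be "simple" with a non-empty simple_allow_groups,
# or "ad" with an explicit ad_access_filter. "permit" (the default when no
# access_provider is set) lets every domain user log in.
# Argument: sssd.conf text. Returns 0 when a restriction is present.
sssd_restricted() {
    # Drop comment lines and all whitespace so "key = value" compares as key=value.
    conf=$(printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | sed 's/[[:space:]]//g')
    case "$conf" in
        *access_provider=simple*)
            printf '%s\n' "$conf" | grep -Eq '^simple_allow_groups=.+' ;;
        *access_provider=ad*)
            printf '%s\n' "$conf" | grep -Eq '^ad_access_filter=.+' ;;
        *) return 1 ;;
    esac
}

# Constructed sample configurations (illustrative, not taken from any real host).
PAM_WEAK='auth    sufficient  pam_winbind.so
auth    required    pam_unix.so'

PAM_HARD='auth    sufficient  pam_winbind.so require_membership_of=EXAMPLE\linux-admins
auth    required    pam_unix.so'

SSSD_WEAK='[sssd]
domains = example.com
[domain/example.com]
id_provider = ad
access_provider = permit'

SSSD_HARD='[sssd]
domains = example.com
[domain/example.com]
id_provider = ad
access_provider = simple
simple_allow_groups = linux-admins@example.com'

# Prints a one-line verdict for a config; the checker functions above are the
# ones to use when scripting, since this reporter always returns 0.
verdict() {   # verdict <label> <checker> <config-text>
    if "$2" "$3"; then
        echo "$1: OK, login limited to an AD group or LDAP filter"
    else
        echo "$1: WEAK, every authenticated domain user can log in"
    fi
    return 0
}

verdict "pam_winbind (weak)" pam_winbind_restricted "$PAM_WEAK"
verdict "pam_winbind (hard)" pam_winbind_restricted "$PAM_HARD"
verdict "sssd (weak)"        sssd_restricted        "$SSSD_WEAK"
verdict "sssd (hard)"        sssd_restricted        "$SSSD_HARD"
```

On a real host, feed the checkers the contents of /etc/pam.d/common-auth or /etc/pam.d/system-auth and /etc/sssd/sssd.conf (for example `pam_winbind_restricted "$(cat /etc/pam.d/common-auth)"`). Two caveats: pam_winbind can also take require_membership_of from the [global] section of /etc/security/pam_winbind.conf, which this check does not read, and a group restriction at login says nothing about what the user can do once logged in; sudoers mapped to AD groups is the next thing to look at.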