Implement an agent that provides Unix/Linux AD bridging, allowing log-in to those systems using a Windows account

Comments

  • Would like to know how many people participating in the Forums see this as a need. We are investigating options to deliver this capability and are considering it for a release after 1H CY '18. This is not something I can say is Planned yet, but it is under investigation. So please share your thoughts on this.

  • Also, just to be clear, we are defining AD / Unix Bridging as:

    1. Ability for Unix / Linux systems to leverage Active Directory for authentication, and to leverage AD groups within Unix / Linux local groups
    2. Ability to extend applicable group policies to Unix / Linux systems
    3. Unix / Linux system effectively has "virtual join" to an AD Domain

    Are there any other items that Unix / AD bridging means to someone, which I may have overlooked?

  • It's a very cool feature. It must be part of PAM.

    1a. If the agent is installed, MS AD users can log in on any Linux/Unix machine as an ordinary user. If the agent is not installed on the Linux/Unix system, the MS AD user can still log in, but via a web browser (MyAccess page).

    1b. The PAM admin can browse/select MS AD user(s) or an MS AD group to provide privileged access to Linux/Unix machines.

    2. I'd love to see it. Even today, when we join a Linux system (SLES, RHEL, etc.) to an MS AD domain using the Linux native tools, "password policies" apply to that Linux system (member).

    3. When both 1 and 2 are possible, this would automatically be considered a virtual join to an AD domain.

  • I am changing the status to PLANNED because this is an area we are actively investigating to address. So if you have not voted for this and you feel that AD Bridging should be part of PAM, then please vote for it.

  • Good feature; Centrify grew up doing exactly this.

  • Also, if an MS AD user is a member of "Domain Admins" or "Enterprise Admins", which are the default security groups in MS AD, then that user should have root-level access to all Unix/Linux systems (where the agent is installed). However, this root-level access to all Unix/Linux agents should be available as an option, not a compulsion.

  • The other day, another customer asked us what we see as a solution to control who has access to Linux/Unix systems that are hosted in the cloud. This customer does not want to provision local users with credentials locally, and we also cannot have any kind of federation for SSH access. I believe that if we could provide this PAM approach for them, it could resolve their pain today.

  • If you are going to compete with Centrify, then you will need to consider the following:
    1) SSH SSO with Kerberos
    2) sudoers file management
    3) PSM of a subset of users
    4) NIS/OpenLDAP migration
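
The native-tool join that an earlier comment mentions (realmd/SSSD on SLES/RHEL), together with the Kerberos SSH SSO and sudoers items in the list above, as an added example that is not code from this thread, from Micro Focus or from Centrify. The domain `corp.example.com`, the AD groups `linux-users` and `linux-admins`, the `Administrator` join account and the drop-in file names are assumptions chosen for illustration; the script renders the configuration into a scratch directory and only prints the `realm join` command, since the join needs a reachable domain controller:

```shell
#!/bin/sh
# Added example (not code from the thread, Micro Focus, or Centrify): the native-tool
# route to AD bridging on a Linux host with realmd/SSSD, sudo and sshd GSSAPI.
# The domain, group names and file layout below are assumptions chosen for illustration.

DOMAIN="corp.example.com"     # assumed AD domain (placeholder)
LOGIN_GROUP="linux-users"     # assumed AD group allowed to log in on this host
ADMIN_GROUP="linux-admins"    # assumed AD group granted sudo

# The join itself. It is printed rather than executed because it needs a reachable
# domain controller and an AD account allowed to create computer objects.
join_command() {
    printf 'realm join --membership-software=adcli --user=Administrator %s\n' "$1"
}

# sssd.conf: AD as identity and authentication source, plus the host's own login
# restriction. A bare "realm join" lets every domain account log in; the simple access
# provider limits logins to one AD group, and that limit is opt-in per host.
render_sssd_conf() {
    domain="$1"; group="$2"
    cat <<EOF
[sssd]
config_file_version = 2
domains = $domain
services = nss, pam

[domain/$domain]
id_provider = ad
auth_provider = ad
access_provider = simple
simple_allow_groups = $group@$domain
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
default_shell = /bin/bash
EOF
}

# Backslash-escape spaces for sudoers; AD group names such as "Domain Admins" contain them.
escape_spaces() {
    printf '%s' "$1" | sed 's/ /\\ /g'
}

# One line for /etc/sudoers.d/: sudo matches the Unix group name SSSD exposes, which with
# use_fully_qualified_names is group@domain. Root for an AD group is a deliberate grant
# here, not something every domain admin receives automatically.
render_sudoers() {
    domain="$1"; group="$2"
    printf '%%%s@%s ALL=(ALL) ALL\n' "$(escape_spaces "$group")" "$domain"
}

# sshd drop-in for Kerberos single sign-on: the host/<fqdn> key that realm join stores in
# /etc/krb5.keytab lets a user holding a valid TGT log in without typing a password.
render_sshd_gssapi() {
    cat <<'EOF'
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
EOF
}

# Check that a rendered sssd.conf actually restricts who may log in: an access provider
# that evaluates policy, plus a non-empty group list or LDAP filter.
login_is_restricted() {
    conf="$1"
    printf '%s\n' "$conf" | grep -Eq '^access_provider *= *(simple|ad) *$' || return 1
    printf '%s\n' "$conf" | grep -Eq '^(simple_allow_groups|ad_access_filter) *= *[^[:space:]]'
}

# Render everything into a scratch directory; copy into place on a real host as root.
OUT="$(mktemp -d)"
render_sssd_conf "$DOMAIN" "$LOGIN_GROUP" > "$OUT/sssd.conf"
chmod 0600 "$OUT/sssd.conf"            # sssd refuses to start on a world-readable config
render_sudoers "$DOMAIN" "$ADMIN_GROUP" > "$OUT/sudoers.d_ad-admins"
render_sshd_gssapi > "$OUT/sshd_config.d_gssapi.conf"
login_is_restricted "$(cat "$OUT/sssd.conf")" || echo "warning: sssd.conf does not restrict logins" >&2
echo "Would run: $(join_command "$DOMAIN")"
echo "Rendered sssd.conf, sudoers drop-in and sshd drop-in under $OUT"
```

On a real host, check the sudoers drop-in with `visudo -c -f <file>` before installing it, and confirm the bridge works with `id linux-user@corp.example.com` (SSSD resolves the AD account and its groups) and `kinit` followed by `ssh -K host.corp.example.com` (Kerberos SSO). The access restriction and the sudo grant are separate, explicit settings, which matches the point made earlier in the thread that root for domain admins should be an option rather than a compulsion.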

  • Do we have any update here ?

  • A new product has been released that provides this capability - Micro Focus AD Bridge. https://www.microfocus.com/en-us/products/adbridge/overview

  • Our recently offered AD Bridge product will satisfy these requirements. Given its ability to work in the cloud, and its lack of need to duplicate credentials, it is the most advanced product on the market.

    This product can be bought standalone or as an add-on to Privileged Account Manager (PAM)