Linux User and Permission Management within an AD Environment

Tags: active-directory, linux, user-management, user-permissions

Issue: Centralized user management and user permission management of user access needs for resources (access to services, home directories, joining to local user groups, file system permissions, etc.) on Linux servers by way of group membership within Active Directory.

Background: We have a number of Linux servers, some CentOS and others Ubuntu, that are used for development, web hosting, database hosting, PXE serving, etc. We also have a centralized Active Directory environment where all users are added into and provided with group memberships at the time of joining the organization.

Example: Bob and Alice join the organization; they get added into their appropriate groups within AD, and now they have access to SSH or MySQL on one or more of our Linux servers. Once Bob leaves, we remove him from the AD group(s) and he no longer has access to the Linux servers for SSH, MySQL, etc.

Notes: How does one approach such a task? Is there a set of utilities available within Linux already that will allow this type of operation? The access we need to grant to a user is going to be dependent upon the user group memberships that they are a member of from Active Directory. For example, everyone within the AD group of Development will need to have SSH access, MySQL access, and a home directory on the Linux versioning servers 1 and 2. Everyone that is within the AD group of systems administrator will need to have SSH access and SU permissions for all of the Linux servers, etc. I have looked through a number of the existing articles on serverfault and have not found anything that matches up to the needs listed here.

Best Answer

There are two basic techniques I'm aware of --

Method One: Microsoft's Identity Management for UNIX - This allows you to expose ActiveDirectory as a NIS server.
This works with pretty much any *NIX flavor out there (they all support NIS), and has all the benefits (and drawbacks) of NIS. It is also officially supported by Microsoft, which means you have someone to call if stuff breaks.

Method Two: pam_ldap/nss_ldap (or similar, newer systems).
This works with any modern *NIX flavor capable of authenticating against LDAP directories, and may be included by default with Ubuntu and CentOS these days. It is a bit more robust/modern than the NIS-like hackery in Method One, but less likely to be officially supported by Microsoft.

Both of these techniques require you to extend AD Users and Groups to be POSIX Users & Groups respectively so that there are usable POSIX UIDs and GIDs for your *NIX systems -- Microsoft provides this capability in Active Directory.
An added benefit to Method Two above is that you can further extend the users to enable you to use the OpenSSH LDAP Public Key patch, which lets you store SSH keys in LDAP and eliminates the task of synchronizing authorized_keys files around your network.
