Re: Central access control system for Linux



msarmadi staggered into the Black Sun and said:
I'm wondering if there is any [program] for Linux systems which
[provides a] central(enterprise) access control system.

"Enterprise" is an overused word. Define what it is that you want
without using marketing buzzwords, please. The thing that many large
installations do for managing tons of users with different permissions
is set up LDAP on a large box. All the orkstations then authenticate
against this LDAP server instead of against local /etc/shadow and
/etc/passwd files. This is a bit of a pain because LDAP is quite
complex. There are pointy-clicky frontends to all this. I have never
used any of them, so I can't comment on which one's the best. (LDAP is
an "enterprise system", but instead of phasers and photon torpedoes, it
comes with red shirts.)

A major feature which people are looking for is central control over
portable media access of users and workstations.

Which people, and why? Define this more specifically as well. Did you
mean "users not in group usbusers should not be allowed to use USB
keychain drives"? This can almost certainly be done with LDAP, the
"group" keyword in fstab, and appropriate permissions on device nodes
and mountpoints.

Also remember that security is not a product you can buy, but a process
you have to implement. Hyper-paranoid security is also a complete pain
in the ass, and will make the people who have to deal with it so annoyed
that they'll actively look for ways to subvert it. You *really* don't
want that, as people are always the weakest link in a security system.
HTH anyway,

--
I think I'll have to put on 500 pounds of subwoofers, amps, and other
delicious herbs. --MegaHAL, trained on ASR
My blog and resume: http://crow202.dyndns.org:8080/wordpress/
Matt G|There is no Darkness in Eternity/But only Light too dim for us to see
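As an added example (not from the original thread), here is what the "group keyword in fstab plus permissions on the device node and mountpoint" approach looks like, with a small offline model of the membership decision mount makes; the group name usbusers, the device /dev/sdb1, the mountpoint /media/usb and the users in the constructed group file are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Models the policy
# "users not in group usbusers may not mount USB keychain drives" using
# the fstab "group" option and a group-owned device node / mountpoint.
# usbusers, /dev/sdb1 and /media/usb are assumed names for illustration.

# fstab entry: ordinary users may mount only if one of their groups
# matches the group owning the device node (mount(8) "group" option).
USB_FSTAB_LINE='/dev/sdb1  /media/usb  vfat  noauto,group,nosuid,nodev,noexec  0  0'

# Ownership that goes with it (run as root; shown as comments only):
#   chgrp usbusers /dev/sdb1  && chmod 660 /dev/sdb1
#   chgrp usbusers /media/usb && chmod 750 /media/usb

# Constructed /etc/group excerpt so the check runs offline.
# Simplification: primary groups from /etc/passwd are not consulted.
GROUP_DB='root:x:0:
usbusers:x:1001:alice,carol
staff:x:1002:bob'

# user_groups USER : print the groups USER is a member of per $GROUP_DB
user_groups() {
    printf '%s\n' "$GROUP_DB" | awk -F: -v u="$1" '
        { n = split($4, m, ",")
          for (i = 1; i <= n; i++) if (m[i] == u) print $1 }'
}

# may_mount USER DEVGROUP : the "group" option decision; exit 0 = allowed
may_mount() {
    user_groups "$1" | grep -qx "$2"
}

# fstab_has_group_option LINE : exit 0 when the entry's options include "group"
fstab_has_group_option() {
    # shellcheck disable=SC2086  (word-splitting the fstab line is intended)
    set -- $1
    case ",$4," in *,group,*) return 0 ;; esac
    return 1
}

# Stand-alone run: print the decision for each constructed user.
for u in alice bob carol; do
    if may_mount "$u" usbusers; then echo "$u: may mount USB"
    else echo "$u: denied"; fi
done
```

The same check can be run against the real files by replacing GROUP_DB with the contents of /etc/group and DEVGROUP with the output of stat on the device node.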