This is a discussion on Central access control system for Linux within the Linux General forums, part of the Linux Forums category.
Hi All
I'm wondering if there is any solution for Linux systems, desktop and servers, which provides a central (enterprise) access control system. A major feature which people are looking for is central control over portable media access of users and workstations.

Looking forward to your reply.

Cheers
--
Mehdi Sarmadi
msarmadi staggered into the Black Sun and said:
> I'm wondering if there is any [program] for Linux systems which
> [provides a] central(enterprise) access control system.

"Enterprise" is an overused word. Define what it is that you want without using marketing buzzwords, please. The thing that many large installations do for managing tons of users with different permissions is set up LDAP on a large box. All the workstations then authenticate against this LDAP server instead of against local /etc/shadow and /etc/passwd files. This is a bit of a pain because LDAP is quite complex. There are pointy-clicky frontends to all this. I have never used any of them, so I can't comment on which one's the best. (LDAP is an "enterprise system", but instead of phasers and photon torpedoes, it comes with red shirts.)

> A major feature which people are looking for is central control over
> portable media access of users and workstations.

Which people, and why? Define this more specifically as well. Did you mean "users not in group usbusers should not be allowed to use USB keychain drives"? This can almost certainly be done with LDAP, the "group" keyword in fstab, and appropriate permissions on device nodes and mountpoints.

Also remember that security is not a product you can buy, but a process you have to implement. Hyper-paranoid security is also a complete pain in the ass, and will make the people who have to deal with it so annoyed that they'll actively look for ways to subvert it. You *really* don't want that, as people are always the weakest link in a security system.

HTH anyway,
--
I think I'll have to put on 500 pounds of subwoofers, amps, and other
delicious herbs. --MegaHAL, trained on ASR
My blog and resume: http://crow202.dyndns.org:8080/wordpress/
Matt G|There is no Darkness in Eternity/But only Light too dim for us to see
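As an added example (not code from this thread or its posters), here is how the group-gated mount described in the reply above fits together: an fstab entry using the "group" mount option, the permission changes for the device node and mountpoint, and a small audit helper that flags entries where "user"/"users"/"owner" would let a wider set of users mount. The group name usbusers, device /dev/sdb1 and mountpoint /media/usb are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: gate removable-media mounting on group
# membership using the fstab "group" option plus permissions on the device
# node and mountpoint. Names (usbusers, /dev/sdb1, /media/usb) are assumed.

# fstab line for $1 (device) at $2 (mountpoint). "group" lets a user mount
# only if the device node's group is one of their groups and implies
# nosuid,nodev; "noauto" keeps it off the boot-time mount.
usb_fstab_line() {
    printf '%s %s vfat noauto,group,nosuid,nodev,noexec 0 0\n' "$1" "$2"
}

# Root commands that make device $1 and mountpoint $2 usable only by group $3
# (printed, not run, so this script works unprivileged).
usb_perm_commands() {
    printf 'chgrp %s %s\nchmod 0660 %s\n' "$3" "$1" "$1"
    printf 'chgrp %s %s\nchmod 0750 %s\n' "$3" "$2" "$2"
}

# Audit fstab file $1: succeed only if the entry for mountpoint $2 exists and is
# gated by "group"; "user"/"users"/"owner" would let a wider set of users mount.
audit_fstab_entry() {
    opts=$(awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $4; exit }' "$1")
    [ -n "$opts" ] || return 1
    case ",$opts," in
        *,user,*|*,users,*|*,owner,*) return 1 ;;
        *,group,*) return 0 ;;
    esac
    return 1
}

# Per the "group" rule: may a user whose groups are $2 mount a device owned by
# group $1?
user_may_mount() {
    for g in $2; do [ "$g" = "$1" ] && return 0; done
    return 1
}

# Constructed demo fstab: one gated entry and one that is open to every user.
demo=$(mktemp)
usb_fstab_line /dev/sdb1 /media/usb > "$demo"
printf '/dev/sdc1 /media/anyone vfat noauto,users 0 0\n' >> "$demo"
usb_perm_commands /dev/sdb1 /media/usb usbusers
audit_fstab_entry "$demo" /media/usb && echo "/media/usb: restricted to device group"
audit_fstab_entry "$demo" /media/anyone || echo "/media/anyone: any user may mount"
rm -f "$demo"
```

Users in usbusers can then run `mount /media/usb` themselves, while everyone else is refused by mount(8) before any device access happens.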
On Apr 30, 2:02 am, Dances With Crows <danceswithcr...@usa.net> wrote:
> msarmadi staggered into the Black Sun and said:
> > I'm wondering if there is any [program] for Linux systems which
> > [provides a] central(enterprise) access control system.
>
> "Enterprise" is an overused word. Define what it is that you want
> without using marketing buzzwords, please. The thing that many large
> installations do for managing tons of users with different permissions
> is set up LDAP on a large box. All the workstations then authenticate
> against this LDAP server instead of against local /etc/shadow and
> /etc/passwd files. This is a bit of a pain because LDAP is quite
> complex. There are pointy-clicky frontends to all this. I have never
> used any of them, so I can't comment on which one's the best. (LDAP is
> an "enterprise system", but instead of phasers and photon torpedoes, it
> comes with red shirts.)
>
> > A major feature which people are looking for is central control over
> > portable media access of users and workstations.
>
> Which people, and why? Define this more specifically as well. Did you
> mean "users not in group usbusers should not be allowed to use USB
> keychain drives"? This can almost certainly be done with LDAP, the
> "group" keyword in fstab, and appropriate permissions on device nodes
> and mountpoints.
>
> Also remember that security is not a product you can buy, but a process
> you have to implement. Hyper-paranoid security is also a complete pain
> in the ass, and will make the people who have to deal with it so annoyed
> that they'll actively look for ways to subvert it. You *really* don't
> want that, as people are always the weakest link in a security system.
> HTH anyway,
>
> --
> I think I'll have to put on 500 pounds of subwoofers, amps, and other
> delicious herbs. --MegaHAL, trained on ASR
> My blog and resume: http://crow202.dyndns.org:8080/wordpress/
> Matt G|There is no Darkness in Eternity/But only Light too dim for us to see

Dances With Crows, thanks for your informative reply.

I totally agree with you on the "Enterprise" thing. But unfortunately many people on the net are living with that. Let us think about lots of different workstations/servers with different application services which are served over the network, and network services which are provided to people using those workstations. I used the "Enterprise" word to name some system which could handle things at different levels and is also almost granular. About the "people" part, I meant that these days BOSSes (or customers) are very into fancy security things they could have in the network, like locking up the USB ports, taking out the CD-ROM drives, and so on.

As you know, a variety of authentication mechanisms is possible using some network information service like LDAP or NIS+. Moreover, you can do whatever you want with LDAP on the network: set the user's desktop background and home directory (on a network FS), put up a new handmade custom network information service, or application-required information services, etc. However, all of them need a client agent on the workstations for the workstations to be affected. As for LDAP, it is raw and could give the network information system lots of capabilities, which is great using the wonderful GOsa tool. However, it needs a client agent on the workstation that could apply the policies (user based or machine based), from desktop background to MAC, Linux Access Lists/Controls, pam_group/pam_mount and so on. I don't need all of them, but I need one of them at least :).

Additionally, what I need is not controlling access to the network; I'm looking for something I could replace MS Active Directory with. Not all of the features are needed, like DNS/DHCP, but integration is highly required. I'm also looking for projects which have done the client-side agent and made it open to add other customized capabilities/features which I could use.

Cheers
--
Mehdi Sarmadi