centralizing account mgmt? is it worth doing?

From: John Christian (potus98@yahoo.com)
Date: Wed Oct 12 2005 - 11:47:59 EDT


Hi gurus,

We have ~30 developers and ~30 UNIX servers (Mostly Sol9, a few Sol8, couple
RHEL). The developers use their desktop PCs to access the UNIX servers for much
of their work. On average, one developer has 15 different UNIX accounts.
Obviously, this has some hassles:

  - new-hire = sys-admin creates 15 UNIX accounts
  - new-fire = sys-admin deletes 15 UNIX accounts
  - developers suffer through 15 password changes every 60 days (in addition to
    Windows, corporate intranet, timesheet application, etc...)

Since my primary goal in life is to make developers' lives easier ;) I figure
we could at least reduce their ~15 UNIX accounts to 1 account. We are NOT
interested in tackling single sign-on or Windows synchronization.

We *think* we want:

  - new-hire = sys-admin creates 1 account and authorizes it for ~15 hosts
  - new-fire = sys-admin deletes 1 account
  - developer updates 1 UNIX password every 60 days
  - developer needs new access = sys-admin 'turns-on' access to additional host
  - developer changes duties = sys-admin 'turns-off' authority for certain
    hosts
  - ability to have certain accounts remain local-only (root, sys-admins)

How have you addressed the challenges of developer account sprawl?

In addition to Directory Servers (OpenLDAP, Sun One, Novell), are there any
alternative approaches we should consider? I fear a full-blown Directory Server
may be overkill.

Maybe the problem isn't worth solving yet? Continuing with our current approach
IS an option. Maybe we should have 50 developers and 100 machines before
worrying about this issue?

TIA if you take any time to respond to this post. I will provide a SUMMARY unless
I only receive out-of-office replies. No need to summarize those.

-John
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers


