Directory-based User and Group Management on Linux & Friends
Hi All,

I saw a number of messages go by regarding the use of OpenLDAP to do user management in concert with Red Hat's PAM modules. In response to this interest, I want to let this community know that Symas Corporation has just released beta 3 of an OpenLDAP-based product called CONNEXITOR, that is designed to help administrators with the thorny problems associated with the effective management of large numbers of user accounts.

CONNEXITOR version 1 allows administrators to perform account, group, and resource management on Linux (several versions), Solaris, AIX, and NT4 from one or more consolidated points. On these platforms you can manage passwords and groups for the operating system and for RADIUS and APACHE users. The management capability is in the process of being extended into other operating systems and applications (Oracle 8i, for example) that have a notion of accounts, passwords, and resources. Accounts for each user are correlated back to a central directory and tracked there, allowing an administrator to very quickly reset forgotten passwords or disable access for departing users and perform other user-oriented functions quickly.

Unlike the PAM approach, CONNEXITOR directly and securely manipulates the password, group, and other security files of the operating systems and applications themselves. That means the system can handle very high authentication loads because the authentication process is still handled by the managed systems themselves.

Strong security has been mandatory from the very start, and Symas chose OpenSSL to handle authentication and link security. Key distribution is largely automated, and unique public/private key pairs are placed at each node and can be created for each user as needed. This almost completely eliminates the overhead involved in managing public-key systems. CONNEXITOR makes use of ACLs to determine who can make changes to what resources. This set of ACLs allows users to change their own passwords without granting them access to systems and attributes they should not be able to access. It also permits delegation of authority without giving up control of the resources themselves. So an admin can delegate account and group management to whomever he chooses without giving up the root password.

CONNEXITOR includes a comprehensive set of command-line interactive and batch-mode tools to help the administrator perform correlation of accounts to users and to manage accounts, groups, and resources. Since the interface to the system is primarily through secure LDAP, those who wish to develop their own custom administrative front ends can do so easily. CONNEXITOR can also be easily interfaced to external HR and ERP systems to automate the vetting of employees into an organization's IT infrastructure without the intervention of overworked system administrators.

Those of you familiar with OpenLDAP and OpenSSL have probably figured out by now that this product is lightweight, flexible, and robust. But this is only the first step. CONNEXITOR already has in it the elements needed to automate the process of account and resource management. This capability will allow an admin to leverage his ability to manage resources in large collections of machines by creating accounts and mediating security settings to grant access to resources by merely adding or removing a user from a group! Symas will soon be releasing the tools that permit access to this automation capability. In addition, we will be releasing a comprehensive web-based interface and a Single Sign-On capability to allow complete user name and password management for applications.

We wanted CONNEXITOR to be accessible to the people who do the work, so we set the cost at only a few dollars per managed account. The architecture allows, and even promotes, organic growth, so you can start with a small investment, realize a return on that investment, and add more managed systems as you need to. New management agents, even for different systems, are available at no cost; you pay only for accounts you manage with them. Finally, the Beta costs nothing and so you have an opportunity to try the product risk-free.

Symas is a heavy contributor to the Open Software community. Because CONNEXITOR makes use of open software components, we have made substantial improvements to them and fixed many bugs. We are currently in the process of rolling these fixes and improvements back into the source base and will continue to do so at the conclusion of each release cycle.

For further information see our website, http://www.symas.com or contact me at the mail address shown below.

Sincerely,
Matthew Hardin
Vice President and Chief Technology Officer
Symas Corporation
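The self-service and delegation behaviour the announcement above attributes to its ACLs (users change only their own password, a delegate resets accounts and edits groups without holding root) is the kind of policy OpenLDAP itself expresses with `access to` directives. The slapd.conf fragment below is an added illustration of that policy written against a plain OpenLDAP server; it is not CONNEXITOR configuration or Symas code, and the suffix `dc=example,dc=com`, the `ou=people` and `ou=groups` containers and the `cn=helpdesk` group are made-up assumptions.

```conf
# Added example of OpenLDAP slapd.conf access control; not CONNEXITOR configuration.
# Assumed layout: accounts under ou=people,dc=example,dc=com, groups are
# groupOfNames entries under ou=groups,dc=example,dc=com, and the delegated
# administrators are the members of cn=helpdesk,ou=groups,dc=example,dc=com.
#
# OpenLDAP evaluates "access to" clauses in order and stops at the first
# clause whose target matches, then uses the first matching "by" line, so the
# narrow password rule must come before the broader subtree rules.

# Passwords on every entry: the owner may change their own, the delegated
# helpdesk group may reset anyone's, everyone else may only present a
# password to bind (auth) and can never read the stored hash.
access to attrs=userPassword
        by self write
        by group.exact="cn=helpdesk,ou=groups,dc=example,dc=com" write
        by anonymous auth
        by * none

# Group membership is the lever for granting access: only the helpdesk group
# may add or remove members; authenticated users may read membership.
access to dn.children="ou=groups,dc=example,dc=com" attrs=member
        by group.exact="cn=helpdesk,ou=groups,dc=example,dc=com" write
        by users read
        by * none

# Remaining account attributes (uidNumber, homeDirectory, loginShell, ...):
# readable by authenticated users, writable only by the helpdesk group, so an
# ordinary user cannot promote themselves by editing their own uidNumber.
access to dn.subtree="ou=people,dc=example,dc=com"
        by group.exact="cn=helpdesk,ou=groups,dc=example,dc=com" write
        by users read
        by * none

# Catch-all: anything not explicitly granted above is denied.
access to *
        by * none
```

Before trusting a rule set like this, check it offline with OpenLDAP's `slapacl` tool rather than by trial and error against the live server, for example `slapacl -f slapd.conf -D "uid=alice,ou=people,dc=example,dc=com" -b "uid=bob,ou=people,dc=example,dc=com" userPassword/write`, which should report the access as denied, while the same query with `-b` pointed at alice's own entry should report it as allowed. Note that the `self write` line also lets users replace their own hash with an arbitrary value; if you need the server to enforce password quality or hashing you must add a password policy overlay or route changes through the Password Modify extended operation, neither of which this fragment configures.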