Administering Accounts without Active Directory

The cluster administrator must decide which account validation method to use to grant users access to the cluster and to the shared data inside the cluster.

For example, if an organization already uses Microsoft's Active Directory product for its email and Windows desktop systems, the system administration staff will naturally be inclined to use Active Directory for cluster account validation. But careful consideration during the design phase of the cluster implementation project should be given to the potential problems that using Active Directory could add to the cluster—in terms of both complexity and reliability.

Using Active Directory for account validation will introduce an additional proprietary high-availability system (assuming you use Microsoft's recommended methodologies for deploying Active Directory) on top of the open source high-availability software stack that was described in Part II of this book. The cluster administrator will have to know both, and if either one fails, the cluster will appear to be inoperable. If Active Directory topples, in other words, it will take the cluster with it. The added complexity of supporting two high-availability systems is therefore likely to decrease the reliability of the cluster.

Fortunately, there are at least three account validation methods available on Linux that have been used in Unix environments for years: local password files, NIS,[1] and LDAP. There are benefits and drawbacks to each of these methods, and no single method is best for all situations. In this case study, we will explore how to build a cluster account validation method that is based on all three of these methods.

Note

If you build a Zope (or Plone) web cluster (see Chapter 20), you will very likely use the password authentication mechanism built into the Zope Content Management Framework (CMF) instead of one of these operating system methods of user authentication.

Legacy Unix Account Administration Methods: The Problem

The NIS and LDAP systems can be deployed using a master server and multiple slave servers that can take over for the master server if it crashes. The problem with these methods is that they can be difficult to set up and cumbersome to administer. (However, many organizations may have them already, so for them, adding a Linux Enterprise Cluster that uses these methods is easy.)

The NIS and LDAP servers can also be placed under Heartbeat's control so that a catastrophic failure of the primary, or master, account authentication server will cause the account authentication resource[2] (NIS or LDAP) to fail over to a backup server. The benefit of doing this is that the system administrator only needs to understand one high-availability technique for all services (DNS, NIS, LDAP, email, MySQL, and so on). However, the lone primary NIS or LDAP server can then become a performance bottleneck for the cluster if the cluster is running legacy Unix applications (user credentials may need to be examined more than once to complete a single transaction, for example).

The Best of Both Worlds

In this case study, we will therefore see how to deploy an account authentication system that will support the Linux Enterprise Cluster for an organization that does not already use NIS or LDAP. This hypothetical organization has deployed Active Directory for Windows users but would like to use a different system on its mission-critical business system. Because this organization has several hundred users, a centralized method of administering the accounts is required, but the mission-critical application running on the Linux Enterprise Cluster will be a legacy Unix application that requires multiple account validation operations to complete a single business transaction. Thus, using the local password files is the preferred method. (In fact, this is the method that is currently used on the monolithic Unix server that is running the mission-critical application that the organization would like to move to the Linux Enterprise Cluster.)
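The choice between local files and a central NIS or LDAP server shows up on each cluster node in /etc/nsswitch.conf. The following script is an added example (not from the book) that parses that file and reports which account databases would stall if the central server went down; the sample nsswitch.conf it reads is constructed, and the script checks only what the file says, not glibc's built-in default for databases the file omits.

```python
# Added example, not from the book: flag account databases whose lookups
# depend on a remote NIS/LDAP server, from a node's /etc/nsswitch.conf.

# Sources that make account lookups depend on a network server.  "compat"
# is the traditional +/- syntax, which can also pull entries from NIS.
REMOTE_SOURCES = {"nis", "nisplus", "ldap", "compat"}
ACCOUNT_DATABASES = ("passwd", "shadow", "group")

# Constructed sample: passwd and group fall through to NIS, shadow is local only.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed sample)
passwd:     files nis
shadow:     files
group:      files [NOTFOUND=return] nis
hosts:      files dns
"""


def parse_nsswitch(text):
    """Return {database: [source, ...]}, dropping comments and [ACTION] tokens."""
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, _, rest = line.partition(":")
        sources = [tok.lower() for tok in rest.split() if not tok.startswith("[")]
        databases[name.strip().lower()] = sources
    return databases


def account_dependencies(text):
    """For each account database return (sources, depends_on_remote).
    depends_on_remote is None when the file does not list the database at all."""
    report = {}
    parsed = parse_nsswitch(text)
    for db in ACCOUNT_DATABASES:
        sources = parsed.get(db)
        if sources is None:
            report[db] = ([], None)
        else:
            # A remote source anywhere in the chain means a lookup that falls
            # through to it waits on the server, so an outage stalls logins.
            report[db] = (sources, any(s in REMOTE_SOURCES for s in sources))
    return report


def remote_dependent_databases(text):
    """Account databases that would stall if the NIS/LDAP server failed."""
    return sorted(db for db, (_, remote) in account_dependencies(text).items() if remote)


if __name__ == "__main__":
    for db, (sources, remote) in account_dependencies(SAMPLE_NSSWITCH).items():
        print(f"{db:7s} {' '.join(sources) or '<not listed>':30s} remote={remote}")
```

Run it against the real file with `account_dependencies(open("/etc/nsswitch.conf").read())` on each node before deciding which validation method the cluster will rely on.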

[1]Either the NIS or the NIS+ system.

[2]See Part II of this book for a discussion of Heartbeat resources.



The Linux Enterprise Cluster. Build a Highly Available Cluster with Commodity Hardware and Free Software
ISBN: 1593270364
Year: 2003
Pages: 219
Authors: Karl Kopper