<html><head><style type='text/css'>p { margin: 0; }</style></head><body><div style='font-family: times new roman,new york,times,serif; font-size: 12pt; color: #000000'>Don't forget security policies and governance... I am in the federal space, but know that Regulations such as Sarbanes-Oxley and HIPAA, FETPA, PCI, FERC, and Gramm--Leach-Bliley and audits are important in the commercial space. Regulations and Compliance force companies to become stricter with IT security and access management. Of course, it’s still possible to be compliant without identity governance, but the odds of encountering mistakes and less than perfect audits rises considerably. Identity governance is the automated control of user identity in order to manage access to company data. Typically, this pertains to business insiders, such as employees, partners, contractors, and so on. Perhaps you need to explain the situation in your bosses bosses boss language... Industries and companies are subject to a web of regulations that impose strict legal requirements with regard to the handling of information. A failure on your organization's part to comply with these laws can lead to fines, costly litigation, negative publicity, and lost business opportunities. Attached is one of our Red Hat Summit slides you can dig threw to get good information on to back your case. Every Slide will just about help you out Best regards, <div>Norman "Mark" St. Laurent Federal Team: Senior Solutions Architect Red Hat 8260 Greensboro Drive, Suite 300 McLean VA, 22102 Email: msl@redhat.com Cell: 703.772.1434 Check this Link out!!! Cool Stuff: http://mil-oss.org/ </div><hr id="zwchr"><div style="color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;">From: "Duncan Innes" <Duncan.Innes@virginmoney.com> To: "KodaK" <sakodak@gmail.com>, freeipa-users@redhat.com Sent: Tuesday, August 28, 2012 3:19:33 AM Subject: Re: [Freeipa-users] Desperate help requested. > -----Original Message----- > From: freeipa-users-bounces@redhat.com > [mailto:freeipa-users-bounces@redhat.com] On Behalf Of KodaK > Sent: 26 August 2012 05:06 > To: freeipa-users@redhat.com > Subject: [Freeipa-users] Desperate help requested. > > I've just been informed by my boss's boss's boss that, and I > quote from his ridiculous email: > > "we cannot use anything other than MS AD for authentication" > > I've spent months of time and much effort rolling out IPA, > consolidating authentication across our Linux and AIX > machines. To paraphrase Babbage: I am not able rightly to > apprehend the kind of confusion of ideas that could provoke > such a statement. > > Regardless, I need some help. I need some help with > comparisons between FreeIPA and AD, and the problems and > issues one might encounter when trying to authenticate Unix > machines against AD. > Anything that can show IPA being superior to AD for *nix > authentication. Anything at all. We have a similar number > of AIX and Linux servers. We have a week before we have a > meeting to discuss this, and I'd like to be armed to the > teeth, if at all possible. > > Thanks for any help you can give. And wish me luck. > > Thanks, > > --Jason > I faced a similar situation recently, but my version wasn't worded so harshly. The line to take has already been pointed out - IPA managed sudo & SELinux from a central point. These concepts are entirely outwith the capabilities of Active Directory. You could also state the yet-to-be-developed 'A' part of IPA for any Auditing requirements. We also emphasised here that AD was written purely for Windows domains and that the effort put in to allowing extra schema for Unix domains is really not ideal. You should state, if you have not already done so, that you plan to link the AD and IPA domains (via a trust or a sync). That will allay any fears that users will have different passwords or even usernames to access various machines. So your boss's boss's boss can be assured that you are *authenticating* against AD, but you should still be able to have IPA in there to manage the idiosyncrasies of the Unix estate. Hope this helps Duncan Northern Rock plc is part of the Virgin Money group of companies. This e-mail is intended to be confidential to the recipient. If you receive a copy in error, please inform the sender and then delete this message. Virgin Money Personal Financial Service Limited is authorised and regulated by the Financial Services Authority. Company no. 3072766. Virgin Money Unit Trust Managers Limited is authorised and regulated by the Financial Services Authority. Company no. 3000482. Virgin Money Cards Limited. Introducer appointed representative only of Virgin Money Personal Financial Service Limited. Company no. 4232392. Virgin Money Management Services Limited. Company no. 3072772. Virgin Money Holdings (UK) Limited. Company no. 3087587. Each of the above companies is registered in England and Wales and has its registered office at Discovery House, Whiting Road, Norwich NR4 6EJ. Northern Rock plc. Authorised and regulated by the Financial Services Authority. Registered in England and Wales (Company no. 6952311) with its registered office at Northern Rock House, Gosforth, Newcastle upon Tyne NE3 4PL. The above companies use the trading name Virgin Money. _______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users </div> </div></body></html>