I have the opportunity to migrate our entire organization to Linux on
the back end - if I can do it without spending a lot of cash and with
minimal disruption to users.
I'd like some suggestions for setting this up, if there are any takers.
I've got about 1.5 years of Unix/Linux experience, coming out of a
Netware/NT environment. I do have the luxury of time, however - if I'm
well on the way by late summer, I'm OK.
Some background:
We have a few netware servers for file/print, and several NT/Win2K
servers for database, a couple IIS/COM apps, and vertical market
applications. We also have some Linux boxes set up for SMTP, web,
print, and Tomcat Java servlet host.
All desktops (except mine and another fellow geek) are a mix of
Win95/98/2K. No XP (and I'm trying to keep it that way). We have about
300-400 people. Most of our PCs at the line level are shared between
multiple users. We have two overlapping shifts, so in general users
keep their work on a server and take a PC when it becomes available in
the office, so roving-everything would be nice.
A major goal is a unified user account and permissions database. A
single password for our employees, for all resources from Unix and SAMBA
file access to web mail logins. A single place to change their single
password. A single location for group membership, available for
everything from file permissions to Java web application security
purposes. And, I'd like to avoid setting up new user accounts in half a
dozen places like I do now.
Would an LDAP-based accounts database achieve this? Am I correct that
using LDAP via PAM would make LDAP authentication transparent to all
Linux applications? Is LDAP authentication secure over a large,
untrusted network? ALL our networked computers - servers and
workstations - have 24/7 Internet-routable ethernet TCP/IP connections.
I know many of you are aghast, but this is something that's out of my
scope of control at the moment.
Any other options?
Another issue I have to deal with is migrating our ACL-based permissions
to Unix-like permissions under SAMBA. We have a fairly involved set
of file access rules that I'd have to at least approximate. Is there a
mature, seamless/transparent ACL package for Linux, or a general
algorithm/strategy for mapping ACLs to Unix's UGOs? And, again, could
these group memberships and rules be unified/centralized e.g. via LDAP?
Regarding networking between the Linux servers themselves - given our
inherently insecure environment, NIS might not be the wisest choice. Is
there a more secure alternative?
Finally, assuming there are workable solutions for the unified
accounts/permissions problem - what are the performance penalties (if any)?
As for replacing existing systems, the plan goes something like this:
- Replace the netware file/print with SAMBA
- Replace IIS/COM apps with Java servlets
- Replace our netware-based mail with Maildir, Courier-IMAP, qmail, and
SquirrelMail for web access
- Replace IIS with Apache
- Vertical-market apps that depend on their Windows servers stay there.
The remainder of the work will be porting our apps to Java, and finally
migrating our data from SQL Server to PostgreSQL. This will be somewhat
challenging and time-consuming, but I can do this piecemeal concurrent
with the rest of the conversion. If this part runs beyond summer that's
OK as long as everything works from the users' perspective.
Thanks very much in advance for your insights. Any pointers to (recent,
relevant) books and on-line resources would also be appreciated.
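A worked version of the ACL-to-UGO mapping strategy asked about above, added here as an example and not something from the original post. It assumes the NetWare/NT-style rules can be modelled as "a user's rights are the union of every entry naming them, a group they belong to, or everyone" (a simplification; the real semantics vary by platform), and all users, groups and rights in it are constructed. It takes the conservative route a defender would want: the chosen owner, group and mode never grant a right the ACL did not, and every right that had to be dropped is reported so it can be covered with an extra group or a filesystem-level ACL instead of silently lost.

```python
from itertools import product

# Added example, not code from the original post. Brute-force mapping of an
# ACL (user/group/everyone entries) onto one Unix owner, group and mode.
# The mapping never grants a right the ACL did not; rights it cannot express
# are reported per user so the rule can be reviewed by hand.

PERM_BITS = {"r": 4, "w": 2, "x": 1}

# Constructed sample data: group membership and two directory ACLs written as
# (principal kind, name, rights). Names and rights are invented.
GROUPS = {
    "accounting": {"alice", "bob"},
    "shift-leads": {"bob", "carol"},
}
ALL_USERS = {"alice", "bob", "carol", "dave"}
ACL_PAYROLL = [
    ("user", "alice", "rwx"),
    ("group", "accounting", "rw"),
    ("group", "shift-leads", "rw"),
]
ACL_SCHEDULE = [
    ("user", "alice", "rwx"),
    ("user", "dave", "rw"),
    ("group", "accounting", "rw"),
]


def acl_rights(acl, groups, user):
    """Assumed ACL semantics: union of every entry that names the user,
    a group the user belongs to, or everyone."""
    rights = set()
    for kind, name, perms in acl:
        if (kind == "user" and name == user) \
           or (kind == "group" and user in groups.get(name, ())) \
           or kind == "everyone":
            rights |= set(perms)
    return rights


def to_bits(rights):
    """Turn a set of r/w/x letters into one octal digit."""
    return sum(PERM_BITS[p] for p in rights)


def intersect(sets):
    """Rights shared by every member of a class; empty if the class is empty."""
    sets = list(sets)
    return set.intersection(*sets) if sets else set()


def map_acl_to_ugo(acl, groups, users):
    """Try every (owner, group) pair named in the ACL and keep the one that
    drops the fewest (user, right) pairs. Class bits are the intersection of
    what the class members are entitled to, so nobody ever gains a right."""
    wanted = {u: acl_rights(acl, groups, u) for u in users}
    owners = [n for k, n, _ in acl if k == "user"] or sorted(users)
    candidate_groups = [n for k, n, _ in acl if k == "group"] or [None]
    best = None
    for owner, group in product(owners, candidate_groups):
        members = groups.get(group, set()) - {owner}
        others = users - members - {owner}
        u_bits = wanted[owner]
        g_bits = intersect(wanted[m] for m in members)
        o_bits = intersect(wanted[o] for o in others)

        def granted(user):
            if user == owner:
                return u_bits
            return g_bits if user in members else o_bits

        lost = {u: wanted[u] - granted(u) for u in users if wanted[u] - granted(u)}
        cost = sum(len(v) for v in lost.values())
        if best is None or cost < best["cost"]:
            best = {
                "owner": owner,
                "group": group,
                "mode": "0%d%d%d" % (to_bits(u_bits), to_bits(g_bits), to_bits(o_bits)),
                "lost": lost,
                "cost": cost,
            }
    return best


if __name__ == "__main__":
    for name, acl in (("payroll", ACL_PAYROLL), ("schedule", ACL_SCHEDULE)):
        r = map_acl_to_ugo(acl, GROUPS, ALL_USERS)
        print(name, r["owner"], r["group"], r["mode"], "dropped:", r["lost"] or "nothing")
```

Rights that end up in `lost` are exactly the ones a single owner/group/mode cannot carry; each such directory needs a purpose-built Unix group (which can live in the same central directory as the users) or a filesystem ACL. The search is cheap because an ACL names only a handful of principals, and because it prefers dropping a right over granting one the original rules never allowed, the approximation errs on the side of denial, which is the safe direction when the environment is as exposed as the one described.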