The company I work for sells data center automation tools to assist with exactly this. I'm not going to say who I work for, nor how much it costs (but it's distinctly NOT cheap).
The basic approach we take with that tool (used by hundreds of large companies) is to integrate LDAP/AD authentication against the corporate directory server. Then, as agents are deployed to the managed servers, permissions control can be setup in the product, which then manages access based on your user/group permissions to a given device group / server class / facility / etc.
As for how we, internally, manage credentials - I'll second @irixman's comment - we do it very very poorly :)
This is a very good question. The two companies I've been at don't have a good handle.
I'd like to hear from some people that have had experience doing this in a way that is manageable and works. My sense of this is that it is a widespread issue that people don't talk about but just sort cope with it.
We're looking to standardize on public keys for password-less authentication and shared group/passwd files. Our testing looks good so far, but we're still trying to smooth over some rough edges.
发布评论
评论(3)
我工作的公司销售数据中心自动化工具来协助解决这个问题。 我不会透露我为谁工作,也不会透露它的费用是多少(但它显然不便宜)。
我们使用该工具(已被数百家大公司使用)的基本方法是针对公司目录服务器集成 LDAP/AD 身份验证。 然后,当代理部署到托管服务器时,可以在产品中设置权限控制,然后根据您的用户/组权限管理对给定设备组/服务器类/设施/等的访问。
至于如何我们在内部管理凭证 - 我会其次@irixman< /a> 的评论 - 我们做得非常非常糟糕:)
The company I work for sells data center automation tools to assist with exactly this. I'm not going to say who I work for, nor how much it costs (but it's distinctly NOT cheap).
The basic approach we take with that tool (used by hundreds of large companies) is to integrate LDAP/AD authentication against the corporate directory server. Then, as agents are deployed to the managed servers, permissions control can be setup in the product, which then manages access based on your user/group permissions to a given device group / server class / facility / etc.
As for how we, internally, manage credentials - I'll second @irixman's comment - we do it very very poorly :)
这个问题问得好。 我曾经待过的两家公司都没有很好的管理。
我想听听一些有过以可管理且有效的方式做到这一点的经验的人的意见。 我的感觉是,这是一个普遍存在的问题,人们不会谈论它,而只是应对它。
问题+1 并加星:-)
This is a very good question. The two companies I've been at don't have a good handle.
I'd like to hear from some people that have had experience doing this in a way that is manageable and works. My sense of this is that it is a widespread issue that people don't talk about but just sort cope with it.
+1 for the question and a star :-)
回答你的问题:非常差。
我们正在寻求标准化用于无密码身份验证和共享组/密码文件的公钥。 到目前为止,我们的测试看起来不错,但我们仍在努力消除一些粗糙的边缘。
To answer your question: very poorly.
We're looking to standardize on public keys for password-less authentication and shared group/passwd files. Our testing looks good so far, but we're still trying to smooth over some rough edges.