Hello,
How do you solve the machine policies topic?
I mean - how do you make sure that an Ubuntu machine in your environment
runs according to some policies you specify? Microsoft defined this as a
"Group Policy", perhaps the more general term is "System Configuration
Management".
As we found no product that does this out of the box (not sure about
Centrify, though, but we couldn't afford it), we glued together a number
of components to do the job.
Firstly, we took CFEngine (www.cfengine.com) as the policy "enforcement"
tool. This is a configuration automation tool. A valid choice would be
Puppet as well, though we found CFEngine to be more lightweight and
suits laptops better. We defined a set of policies or configuration
elements, like domain joining, authentication, firewall, VPN, etc.
Secondly, we used cfgen (http://dozzie.jarowit.net/trac/wiki/cfgen), a
configuration template solution for flexibility.
Thirdly, we used plaintext, YAML-structured files to hold variables used
for templating. This part seems trivial, but we allowed inheritance
between the files, so we created sets of variables depending on the country
the machine originated from, the location the machine is in now (mostly
for locating proxy servers and nearest mirror), the Active Directory
domain the machine belongs to, etc. We also provided a local override on
the machines so the user can disable most policy enforcements (we
preferred that over the user disabling the whole policy).
Lastly, we decided to get all the possible information about a machine
we could from Active Directory. We acquired:
1. The place in the directory structure (OU) where the machine object
resides, which gave us the machine's original location.
2. The IP subnet to AD "Sites and services" mapping, so we were able to
tell by the machine's location where the machine is now.
3. The owner of the machine (managedBy property).
4. The groups a machine belongs to.
Unfortunately, we could not get the native Group Policy properties of an
object nor the ACLs of Active Directory objects. So, instead, we decided
on a group naming convention. If a machine belongs to a group called
"policy_certificate", it receives the variables and policies for the
"certificate" set.
I would be glad to learn how other people approached the topic and solved
it. Perhaps there are tools out there that we missed?
Cheers,
Ballock
--
Mailing list: https://launchpad.net/~enterprise-ubuntu
Post to : enterprise-ubuntu@lists.launchpad.net
Unsubscribe : https://launchpad.net/~enterprise-ubuntu
More help : https://help.launchpad.net/ListHelp
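Added example (not Ballock's code, and not CFEngine's or cfgen's): a Python sketch of the variable-file inheritance, the per-machine local override and the policy_<name> group naming convention described in the post. The YAML files appear as already-parsed dicts, and the layer names, domain and group DNs are constructed placeholders.

```python
import re
from copy import deepcopy
VARIABLE_FILES = {  # constructed stand-ins for the parsed YAML files; "inherits" names a parent set
    "base": {"proxy": None, "mirror": "archive.ubuntu.com",
             "firewall": {"enabled": True, "allow": ["ssh"]}},
    "country/pl": {"inherits": "base", "locale": "pl_PL.UTF-8"},
    "location/warsaw": {"inherits": "country/pl", "mirror": "pl.archive.ubuntu.com",
                        "proxy": "proxy.waw.example.invalid:3128"},
    "domain/corp": {"krb_realm": "CORP.EXAMPLE.INVALID"},
}
MACHINE_GROUPS = [  # constructed memberOf values of one machine object
    "CN=policy_certificate,OU=Policies,DC=corp,DC=invalid",
    "CN=POLICY_Firewall,OU=Policies,DC=corp,DC=invalid",
    "CN=policy_vpn,OU=Policies,DC=corp,DC=invalid",
    "CN=Laptops,OU=Groups,DC=corp,DC=invalid",  # not a policy_ group, so ignored
]
# Constructed local override: the user may switch off single policies, not the whole set.
LOCAL_OVERRIDE = {"disabled_policies": ["vpn"],
                  "variables": {"firewall": {"allow": ["ssh", "http"]}}}
GROUP_CN = re.compile(r"^CN=policy_([a-z0-9_]+),", re.IGNORECASE)

def deep_merge(base, override):
    """Nested dicts merge key by key; any other value in override replaces base's."""
    out = deepcopy(base)
    for key, value in override.items():
        nested = isinstance(value, dict) and isinstance(out.get(key), dict)
        out[key] = deep_merge(out[key], value) if nested else deepcopy(value)
    return out

def resolve_layer(name, files):
    """Follow the 'inherits' chain so a child's values override its parent's."""
    layer = dict(files[name])
    parent = layer.pop("inherits", None)
    return deep_merge(resolve_layer(parent, files) if parent else {}, layer)

def policy_sets_from_groups(member_of):
    """Map memberOf DNs to policy set names via the policy_<name> naming convention."""
    names = {m.group(1).lower() for dn in member_of if (m := GROUP_CN.match(dn))}
    return sorted(names)

def effective_config(layers, member_of, local_override, files=VARIABLE_FILES):
    """Merge variable layers in order (later wins), then apply the local override."""
    variables = {}
    for layer in layers:
        variables = deep_merge(variables, resolve_layer(layer, files))
    variables = deep_merge(variables, local_override.get("variables", {}))
    disabled = set(local_override.get("disabled_policies", []))
    policies = [p for p in policy_sets_from_groups(member_of) if p not in disabled]
    return variables, policies
```

Layer order matters: a set listed later wins, so a layer that itself inherits "base" would reset values a location layer already refined.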