ACF2 as you say on the mainframe is fine; however, Unix does not generally
support (out of the box) the level of security that ACF2 implements.  The
problem I am dealing with, and I misspelled previously, is that there is
little to no public discussion of this pam_acf2 work and no vendor buy in
that I have heard.  You mention that if you have acf2 running then go with
it, and yes we already have acf2 running.  But our problem is we have 500
Solaris servers that each have their own passwd file.  I believe the issue
here is not with getting users into a new datastore, as I have proven this
is simple to do with LDAP using the padl migration tools.  If I were to
recommend pam_acf2, I wouldn't want to recommend it because it supports
z/Linux; I would want to recommend it because it was developed for and
supported on bigger-name platforms like Solaris or AIX.  To me the fact
that it was released for z/Linux says that it was designed for a mainframe
shop that has decided to play with Linux or a shop that is looking to move
EVERYTHING back to the mainframe.  We on the other hand are a shop that
supports on a daily basis over 1000 systems across the country (not
including LPARs which are today more centrally located than our
Distributed Systems).  LDAP can be deployed with replication to be closer
to the systems; it seems that "big iron and its price tag" times the
number of sites is a bit overkill for a "directory service" that will
typically run just fine on a $2000 - $3000 1U server.


Eric Sammons
(804)697-3925
FRIT - Unix Systems





"Post, Mark K" <[EMAIL PROTECTED]>
Sent by: Linux on 390 Port <[EMAIL PROTECTED]>
02/14/2004 03:52 PM
Please respond to Linux on 390 Port

        To:     [EMAIL PROTECTED]
        cc:
        Subject:        Re: Any looking at CA-ACF2?

I don't know that I would argue against it at all.  As Vincent pointed out,
the interface is really based on LDAP anyway, with some modifications.  If
your shop already has ACF2 running somewhere else, why build yet another
repository of user authentication information?

I do have some concerns with having the authentication service outside the
box.  Networks make me paranoid because they seem to break at all the wrong
times.  But, if there is a way to have redundancy, I would say go for it.

I've used ACF2 on MVS for decades.  I like it a lot.  It's one of the
reasons why I don't worry about rogue employees getting to things they
shouldn't on my MVS systems, let alone "outsiders."


Mark Post

-----Original Message-----
From: Linux on 390 Port [mailto:[EMAIL PROTECTED] Behalf Of
Eric Sammons
Sent: Saturday, February 14, 2004 1:22 AM
To: [EMAIL PROTECTED]
Subject: Any looking at CA-ACF2?


Our security group is looking at CA-ACF2 and the pam_acf2 library offering
from CA.  Their claim is that CA has committed to releasing this source to
the open source community.  Thus far I have only seen a white paper that
states it supports only Linux installs on the Z platform.  I am arguing
that with wide acceptance and support this solution is the wrong solution.
I have instead suggested that we go with an LDAP pam_ldap.so solution.
Given our environment includes most Unix platforms available to the masses
and that z/Linux is only just now breaking ground in our environment the
CA-ACF2 pam library solution is not the best solution.  How our security
group opts to secure VM is really of no concern to me, CA-ACF2 at this
layer is fine with me, it is the pam_acf2 library that concerns me.

Has anyone else looked at this solution?  Any thoughts?  Any ideas how to
argue against and provide a stronger case?

Thanks!
Eric Sammons
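For the redundancy concern raised in this thread (authentication outside the box, networks breaking at the wrong times) and the replication argument for pam_ldap, here is an added example of how a pam_ldap deployment is configured to survive a directory outage. It is not configuration from the thread or from CA; it assumes the PADL pam_ldap/nss_ldap modules and Linux-style /etc/pam.d syntax (Solaris /etc/pam.conf carries a leading service-name column instead), and the hostnames, base DN and CA certificate path are made up.

```conf
# /etc/ldap.conf (shared by PADL pam_ldap and nss_ldap)
#
# Fragile form: one directory server and the default bind_policy of
# "hard", so any login attempt blocks and retries for as long as that
# one server is unreachable:
#
#   host  ldap1.example.com
#   base  dc=example,dc=com
#
# Hardened form: two replicas tried in order, short connect and search
# timeouts, and "soft" bind so an unreachable directory fails fast and
# lets the PAM stack fall through to local accounts.
uri             ldap://ldap1.example.com/ ldap://ldap2.example.com/   # constructed hostnames
base            dc=example,dc=com                                     # constructed base DN
ldap_version    3
bind_policy     soft        # return an error instead of retrying forever
bind_timelimit  5           # seconds to wait for a connect/bind per server
timelimit       10          # seconds to wait for a search
ssl             start_tls   # passwords never cross the wire in the clear
tls_checkpeer   yes
tls_cacertfile  /etc/ldap/cacert.pem   # hypothetical path: CA that signed the replicas' certs
pam_password    exop        # let the server hash password changes

# /etc/nsswitch.conf: local files are consulted before the directory so
# root and emergency accounts never depend on the network.
#   passwd: files ldap
#   shadow: files ldap
#   group:  files ldap

# /etc/pam.d/system-auth (Linux; included by login, sshd, etc.)
# pam_unix runs first and is "sufficient", so a local account succeeds
# without touching LDAP; pam_ldap reuses the same password for everyone else.
auth        required      pam_env.so
auth        sufficient    pam_unix.so
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

# Local users stop at pam_localuser; directory users are checked by
# pam_ldap, and an unknown user there is ignored rather than denied so a
# replica outage does not lock out accounts that exist only in /etc/passwd.
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    sufficient    pam_unix.so md5 shadow
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     required      pam_unix.so
session     optional      pam_ldap.so
```

The two knobs that matter for the "network breaks at the wrong time" case are the multiple `uri` entries (the client walks the list on a connect failure) and `bind_policy soft` with a short `bind_timelimit`; without them pam_ldap keeps retrying the dead server and every login, including root's, appears to hang. Keeping `files` ahead of `ldap` in nsswitch.conf and `pam_unix` ahead of `pam_ldap` in the stack is what guarantees a console login still works when both replicas are down.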
