
enterprise-ubuntu team mailing list archive

Re: Machine policies

 

Hello, Chris,

Thanks for the valid point here with the licenses. I will try to verify
this with the legal department and let you know.

Cheers,
Ballock


On Tue, Feb 12, 2013 at 1:32 PM, Chris Rowson
<christopherrowson@xxxxxxxxx> wrote:

> Hi there,
>
> That's really interesting (I'm going to squirrel that info away!).
>
> How do you deal with Active Directory licensing? Are you buying Server
> Client Access Licenses for each Ubuntu machine?
>
> Cheers,
>
> Chris
>
>
> On Tue, Feb 12, 2013 at 12:26 PM, Bolesław Tokarski <
> boleslaw.tokarski@xxxxxxxxx> wrote:
>
>> Hello,
>>
>> How do you solve the machine policies topic?
>>
>> I mean - how do you make sure that an Ubuntu machine in your environment
>> runs according to some policies you specify? Microsoft defined this as a
>> "Group Policy", perhaps the more general term is "System Configuration
>> Management".
>>
>> As we found no product that does this out of the box (not sure about
>> Centrify, though, but we couldn't afford it), we glued together a number of
>> components to do the job.
>>
>> Firstly, we took CFEngine (www.cfengine.com) as the policy "enforcement"
>> tool. This is a configuration automation tool. A valid choice would be
>> Puppet as well, though we found CFEngine to be more lightweight and better
>> suited for laptops. We defined a set of policies or configuration elements,
>> like domain joining, authentication, firewall, VPN, etc.
>>
>> Secondly, we used cfgen (http://dozzie.jarowit.net/trac/wiki/cfgen),
>> a configuration template solution for flexibility.
>>
>> Thirdly, we used plaintext, YAML-structured files to hold variables used
>> for templating. This part seems trivial, but we allowed inheritance between
>> the files, so we created sets of variables depending on the country the machine
>> originated from, the location the machine is in now (mostly for locating
>> proxy servers and nearest mirror), the Active Directory domain the machine
>> belongs to etc. We also provided a local override on the machines so the
>> user can disable most policy enforcements (we preferred that over the user
>> disabling the whole policy).
>>
>> Lastly, we decided to get all the possible information about a machine we
>> could from Active Directory. We acquired:
>> 1. The place in the directory structure (OU) where the machine object
>> resides, which gave us the machine's original location.
>> 2. The IP subnet to AD "Sites and services" mapping, so we were able to
>> tell by the machine's location where the machine is now.
>> 3. The owner of the machine (managedBy property).
>> 4. The groups a machine belongs to.
>>
>> Unfortunately, we could not get the native Group Policy properties of an
>> object nor the ACLs of Active Directory objects. So, instead, we decided on
>> a group naming convention. If a machine belongs to a group called
>> "policy_certificate", it receives the variables and policies for the
>> "certificate" set.
>>
>> I would be glad to learn how other people approached the topic and solved
>> it. Perhaps there are tools out there that we missed?
>>
>> Cheers,
>> Ballock
>>
>>
>> --
>> Mailing list: https://launchpad.net/~enterprise-ubuntu
>> Post to     : enterprise-ubuntu@xxxxxxxxxxxxxxxxxxx
>> Unsubscribe : https://launchpad.net/~enterprise-ubuntu
>> More help   : https://help.launchpad.net/ListHelp
>>
>
>
>
>
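
The layered variable files and the `policy_<set>` group convention described in the quoted message, sketched as an added example that is not part of the original thread or the poster's own tooling. The layer names, the precedence order (country, site, domain, policy sets, local override), the sample values and the `LOCKED` set are assumptions.

```python
# Constructed stand-ins for the parsed YAML variable files (all values are samples).
LAYERS = {
    "country/pl": {"mirror": "mirror.example.internal", "firewall": True},
    "site/warsaw": {"proxy": "proxy.example.internal:3128"},
    "domain/corp": {"vpn": True},
    "policy/certificate": {"machine_cert": True},
}
# Assumption: keys the local override may not change.
LOCKED = {"firewall"}
POLICY_PREFIX = "policy_"


def policy_sets(groups):
    """Map AD group names to policy set names via the policy_<set> convention."""
    names = (g.lower() for g in groups)  # AD group names are case-insensitive
    return sorted(n[len(POLICY_PREFIX):] for n in names
                  if n.startswith(POLICY_PREFIX) and len(n) > len(POLICY_PREFIX))


def resolve(country, site, domain, groups, local_override=None):
    """Merge layers from least to most specific; return (variables, warnings)."""
    order = [f"country/{country}", f"site/{site}", f"domain/{domain}"]
    order += [f"policy/{s}" for s in policy_sets(groups)]
    merged, warnings = {}, []
    for name in order:
        layer = LAYERS.get(name)
        if layer is None:
            # A group named policy_x with no matching file is reported, not skipped silently.
            warnings.append(f"no variable file for {name}")
            continue
        merged.update(layer)
    for key, value in (local_override or {}).items():
        if key in LOCKED:
            warnings.append(f"local override of locked key {key!r} ignored")
        else:
            merged[key] = value
    return merged, warnings


if __name__ == "__main__":
    groups = ["Domain Computers", "policy_certificate", "policy_kiosk"]
    variables, warnings = resolve("pl", "warsaw", "corp", groups,
                                  {"vpn": False, "firewall": False})
    print(variables)
    for w in warnings:
        print("warning:", w)
```

Reporting the warnings centrally makes an unmapped `policy_*` group or an attempted override of a locked key visible instead of silently dropped.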
