Projects/Enterprise
From Mandriva Community Wiki
This page covers enterprise considerations and the development work needed to support enterprise deployments.
MandrivaLinux is currently focused mostly on the consumer desktop and the SME server market. To expand into enterprise desktop deployments, features for managing very large deployments (1,000 to 50,000 desktops) need to be developed and tested.
Enterprise server deployments will be unlikely until Mandriva SA can:
- provide better support and/or support contracts
- certify the distribution for enterprise software (Oracle, etc.)
- certify the distribution for enterprise hardware (Dell, EMC, etc.)
Thus, enterprise server deployments are a way off, but server features that may apply to development desktops and SME deployments should be considered, and enterprise server requirements kept in mind.
Recently, governance requirements have started to affect security policies, so support for SOX (Sarbanes-Oxley) compliance would be worthwhile. Similarly, other formal frameworks (such as ITIL and COBIT) are worthwhile to support.
Deployment
Current support for automated/unattended installations should be sufficient: MandrivaLinux can already be deployed via PXE with multiple configurations. Do we need anything else?
Authentication
Currently, MandrivaLinux supports configuring clients for NIS, LDAP and Winbind authentication (non-AD Winbind only, up to Mandrake10 at least). This needs to be extended to support Kerberos, which in turn allows Winbind to authenticate against Active Directory. (AD support via both Winbind and LDAP/krb5 is available in CorporateDesktop3.)
On the server side, MandrivaLinux supports configuring an NIS server via the Mandrake Wizard (added in Mandrake10). However, NIS cannot be secured: its maps, typically including password hashes, are served over unauthenticated RPC to any host that can reach the server, and it lacks the other advantages of LDAP. LDAP (and Kerberos) servers must be configurable via GUI tools (this should be possible on MandrivaLinux2005 and later).
Authentication should use strong encryption wherever possible. This implies:
- Device authentication with 802.1X, for wired ports as well as wifi
- Kerberos for all services that can be kerberised
- LDAP over TLS for most applications, so that simple binds never send passwords in the clear
- Certificate management, since every SSL/TLS-protected service needs a certificate
For deployment in larger Windows networks, it must also be possible (with GUI tools) to configure an authentication "gateway" for MandrivaLinux clients. This can be accomplished with Winbind, storing the SID->uid/gid mappings in LDAP (Samba's LDAP idmap backend) so that every client resolves the same Windows account to the same uid/gid; if each client allocates its own mappings, file ownership on shared storage becomes inconsistent.
For deployment of Windows clients in a MandrivaLinux network, GUI tools must be available to configure Samba for LDAP support (well, there is migration-assistant, which does a lot more, for a price).
Certificate Management
For a number of aspects above, comprehensive management of SSL certificates must be possible. This includes:
- Providing software to manage a Certificate Authority (such as OpenCA, which is available in contrib, or maybe OpenXPKI (http://www.openxpki.org/) once it has been released).
- Integrating enrollment of server certificates (e.g. via autosscep or CertNanny)
- Integrating graphical enrollment for client certificates: browser-based enrollment against OpenCA works, but VPN client/setup GUIs and network configuration tools (for 802.1X) need enrollment built in, preferably with automatic renewal or at least a warning to the user before expiry.
Authorisation and rights management
Large organisations need to be able to delegate certain rights to certain groups of employees. To reduce the cost of administering a MandrivaLinux network, it is important to provide a consistent method for catering to the majority of these needs for the majority of deployments.
The Windows rights management model suits many larger networks (and can be customised further where necessary), and uses some technologies already available on MandrivaLinux. Currently, Samba (3.0.x) can manage membership of users in the standard Windows groups; for example, smbldap-populate creates the following groups in LDAP: Domain Admins, Domain Users, Domain Guests, Administrators, Users, Guests, Power Users, Account Operators, Server Operators, Print Operators, Backup Operators, Replicator, Domain Computers.
Some applications/services can be configured to honour groups defined only in LDAP or reachable via NSS (LDAP itself, for instance). For others it would be necessary to publish the sudo rules in LDAP (sudo's LDAP backend reads them as sudoRole entries) and provide equivalents for the sudo aliases; note that LDAP sudoers has no User_Alias/Cmnd_Alias support, so the aliases have to be expressed as groups, netgroups or multiple attribute values.
Provide VNC access for administrators for easy remote diagnosis and support, logging every access and telling end users when their computer is being controlled. (Don't rfbdrake or krfb/krdc do this already?)
Perhaps AAA systems like RADIUS or TACACS+ can provide a bit of this functionality. Too bad the licensing on SESAME is too restrictive to use.
Software management
For organisations with thousands of computers, it is not feasible to micro-manage each machine, but it is necessary to:
- Ensure that all software required by the users of the machine is installed
- Prevent the installation of software which should not be installed on the machine (e.g. not allowing ordinary desktops to have a DHCP server installed)
- Manage the software required/allowed/not permitted by groups of machines. Hierarchical support is probably necessary (e.g. basic requirements for a "desktop", with a "development desktop" inheriting the required packages of "desktop"), and a machine must be able to belong to multiple groups
- Ensure that machines automatically install the required packages, with periodic checks. This should also cover automatic package updates.
Since Mandriva Linux 2005 (with the installation of an additional package, urpmi-ldap), it is possible to at least provide centralised urpmi medium configuration.
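The group-based software management sketched above can be made concrete with a small resolver. The following is an added example, not Mandriva's own tooling: the group names, package names and the "report conflicts, don't guess" policy are assumptions for illustration. It walks the inheritance graph for a machine that belongs to several groups, merges the required and forbidden sets, and refuses to silently pick a side when one group requires a package that another forbids (the DHCP server case from the list above).

```python
"""Effective package policy from hierarchical machine groups.

Added example (not part of Mandriva's tooling): every group lists required
and forbidden packages and may inherit from parent groups; a machine may be
a member of several groups. resolve() walks the inheritance graph, merges
the sets and reports conflicts (a package required by one group and
forbidden by another) instead of silently choosing, because that is exactly
the case an administrator must decide explicitly.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    parents: list[str] = field(default_factory=list)
    required: set[str] = field(default_factory=set)
    forbidden: set[str] = field(default_factory=set)


@dataclass
class Policy:
    required: set[str]
    forbidden: set[str]
    conflicts: set[str]                 # required and forbidden at the same time
    mentioned_by: dict[str, set[str]]   # package -> groups that mention it


# Constructed sample hierarchy; group and package names are illustrative.
GROUPS = {
    "desktop": Group("desktop",
                     required={"kdebase", "openoffice.org", "msec"},
                     forbidden={"dhcp-server", "bind"}),
    "development-desktop": Group("development-desktop", parents=["desktop"],
                                 required={"gcc", "make", "gdb"}),
    "laptop": Group("laptop", parents=["desktop"],
                    required={"wpa_supplicant", "laptop-mode-tools"}),
    # A lab group that legitimately needs a DHCP server: combining it with
    # "desktop" produces a conflict that must be resolved by a human.
    "network-lab": Group("network-lab", required={"dhcp-server", "tcpdump"}),
}


def resolve(groups: dict[str, Group], memberships: list[str]) -> Policy:
    """Merge the policies of all groups reachable from `memberships`."""
    seen: list[str] = []
    stack = list(memberships)
    while stack:                       # depth-first walk; `seen` also stops cycles
        name = stack.pop()
        if name in seen:
            continue
        if name not in groups:
            raise KeyError(f"unknown machine group {name!r}")
        seen.append(name)
        stack.extend(groups[name].parents)

    required: set[str] = set()
    forbidden: set[str] = set()
    mentioned_by: dict[str, set[str]] = {}
    for name in seen:
        g = groups[name]
        required |= g.required
        forbidden |= g.forbidden
        for pkg in g.required | g.forbidden:
            mentioned_by.setdefault(pkg, set()).add(name)

    conflicts = required & forbidden
    # Conflicting packages are removed from both sets: neither installing nor
    # removing them is safe until the group definitions are fixed.
    return Policy(required - conflicts, forbidden - conflicts, conflicts, mentioned_by)


def plan(policy: Policy, installed: set[str]) -> tuple[list[str], list[str]]:
    """Return (packages to install, packages to remove) for one machine."""
    return sorted(policy.required - installed), sorted(policy.forbidden & installed)


if __name__ == "__main__":
    pol = resolve(GROUPS, ["development-desktop", "laptop"])
    to_install, to_remove = plan(pol, {"kdebase", "bind"})
    print("install:", to_install)
    print("remove: ", to_remove)
    bad = resolve(GROUPS, ["development-desktop", "network-lab"])
    for pkg in sorted(bad.conflicts):
        print(f"conflict: {pkg} mentioned by {sorted(bad.mentioned_by[pkg])}")
```

The periodic check described in the list would run plan() against the machine's installed package set (from rpm -qa, say) and feed the two lists to urpmi and urpme; the conflict list is what should be surfaced to the administrator rather than acted on.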
Configuration management
Host-specific configuration management
It must be possible to configure certain host-specific aspects of a machine. As with software management, this should be done via machine groups with inheritance. Aspects that should be considered for configuration management include:
- Hardware-related setup: tuned for particular hardware (laptops, old computers), server-specific (RAID, ...) versus desktop
- Software repository setup
- Security settings (msec and draksec on steroids)
- Aesthetics (bootsplash theme, dm theme)
- Settings required for operation in the network (automount maps, which could already live in LDAP?; pam_mount configuration; etc.)
- Kernel upgrades need to be carefully planned
User-specific configuration management
Users should not need to perform any configuration to have a usable system, which must cover at least:
- Proxy settings, home page etc (any other browser related configurations)
- Email / groupware settings (including instant messaging, etc etc)
- Security settings (e.g. screensaver lock, antivirus, spam filter, etc.)
- automatic update of Software Component Item (SCI) in centralized database (software management) at each successful update
Additionally, aesthetics must also be configurable:
- Menus
- Default desktop (ie corporate background)
- Fonts, colours etc
It must be possible to do the following (most of this is already possible with KDE, at least via config files, but it needs to work enterprise-wide):
- Provide defaults
- Mandate settings
- Update defaults
As above, all these must be configurable via groups of users.
For KDE, there is an implementation underway.
Host monitoring
Especially for servers, automatic host monitoring (e.g. Nagios) would be very useful. We could perhaps discover what to monitor on which servers via DNS SRV records of the kind Kerberos uses (see below).
Service advertising
We need integrated support for DNS SRV records (RFC 2782) of the kind Kerberos and Active Directory clients use to locate KDCs and LDAP servers, so that clients find services by querying DNS instead of relying on static per-host configuration.
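To show what "SRV record support" actually involves on the client side, and how the same records give a monitoring system its inventory (the idea raised under Host monitoring above), here is an added example that is not part of Mandriva's tooling. The zone fragment is constructed for illustration (example.com names, invented hosts), and ConstantRNG is a helper for deterministic demonstration only. It parses SRV records in zone-file syntax, orders targets the way RFC 2782 prescribes (lowest priority first, weighted random choice within a priority, zero-weight entries least likely), and builds a per-service host list covering every advertised target, since a monitor must watch the backups too, not just the target a client would pick.

```python
"""DNS SRV records: client-side target ordering (RFC 2782) and a monitoring
inventory derived from the same records.

Added example, not Mandriva's code. The zone text below is constructed; the
names are illustrative and do not refer to real hosts.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SRV:
    service: str    # owner name, e.g. _kerberos._udp.example.com.
    priority: int   # lower is tried first
    weight: int     # relative share among equal-priority targets
    port: int
    target: str


# Constructed sample zone fragment (zone-file syntax, not a real domain's data).
ZONE = """\
; Kerberos KDCs: two equal primaries, one backup only used if both fail
_kerberos._udp.example.com. 3600 IN SRV 0 50 88 kdc1.example.com.
_kerberos._udp.example.com. 3600 IN SRV 0 50 88 kdc2.example.com.
_kerberos._udp.example.com. 3600 IN SRV 10 0 88 kdc-backup.example.com.
_ldap._tcp.example.com.     3600 IN SRV 0 0 389 ldap1.example.com.
_ldap._tcp.example.com.     3600 IN SRV 5 100 389 ldap2.example.com.
"""


def parse_zone(text):
    """Parse SRV lines of the form: owner [ttl] [class] SRV prio weight port target."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if "SRV" not in fields:
            raise ValueError(f"not an SRV record: {line!r}")
        i = fields.index("SRV")
        prio, weight, port, target = fields[i + 1:i + 5]
        records.append(SRV(fields[0], int(prio), int(weight), int(port), target))
    return records


def select_order(records, rng=random):
    """Order targets as an RFC 2782 client would try them.

    Priorities are handled lowest first. Within one priority, targets are
    drawn by weighted random selection without replacement; zero-weight
    entries are listed first so that they are the least likely to be chosen.
    """
    by_priority = {}
    for r in records:
        by_priority.setdefault(r.priority, []).append(r)

    ordered = []
    for prio in sorted(by_priority):
        remaining = sorted(by_priority[prio], key=lambda r: r.weight != 0)
        while remaining:
            total = sum(r.weight for r in remaining)
            pick = rng.randint(0, total)          # inclusive, as in the RFC
            running = 0
            for chosen in remaining:
                running += chosen.weight
                if running >= pick:
                    break
            ordered.append(chosen)
            remaining.remove(chosen)
    return ordered


def inventory(records):
    """service -> sorted (target, port) list: everything a monitor should watch."""
    inv = {}
    for r in records:
        inv.setdefault(r.service, set()).add((r.target, r.port))
    return {service: sorted(targets) for service, targets in inv.items()}


class ConstantRNG:
    """Deterministic stand-in for `random` used to demonstrate the selection rule."""
    def __init__(self, pick_max):
        self.pick_max = pick_max

    def randint(self, low, high):
        return high if self.pick_max else low


if __name__ == "__main__":
    recs = parse_zone(ZONE)
    kdcs = [r for r in recs if r.service == "_kerberos._udp.example.com."]
    print("client order:", [(r.target, r.port) for r in select_order(kdcs)])
    for service, targets in inventory(recs).items():
        print("monitor", service, targets)
```

For the Kerberos records above a client always tries kdc1 or kdc2 first (in random order) and only reaches kdc-backup when both priority-0 targets fail, while the inventory lists all three. A monitoring generator would turn each inventory entry into a host/service check, so a broken backup KDC is noticed before the day it is needed.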
Data security
Automatic support for data security (e.g. backups) must be available.