Erick Perez wrote:
> Hi, being an off-topic question with so many vendors involved I had
> no definitive place to go to ask but here. So maybe some of the list
> members have ideas in mind.
>
> Currently we manage several switches, firewalls and MS LDAP and CentOS
> OpenLDAP installations.
> We are looking for a "man in the middle" or "framework" to manage
> change on our network devices and LDAP-based servers.
> So far, using Quest ActiveRoles/Intrust has filled the part of LDAP,
> where administrators log into the ActiveRoles/Intrust system, generate
> changes (delete OU, users, change passwords, etc.), then the request has
> to be approved by a staff member in ActiveRoles/Intrust. When the
> approval is sent to the system, ActiveRoles/Intrust (and not the
> sysadmin) logs into the LDAP systems and performs the changes. This has
> proven useful in tracking changes (who did what, when, who approved
> it).
> We are looking into a similar solution (Quest Software does not have
> that for devices) to perform change and control on the routers,
> switches and firewalls.

There was a tool called pancho (http://www.pancho.org/) that claimed to do automated router and switch management, but it seems to no longer be supported, and personally, I'd trust a person more than a script with that sort of job.

On the other hand, maintaining backup copies of configurations before/after changes is something very worthwhile and not difficult for anything that has text-based configurations. Just make sure that changes are copied back and committed to a central version control system like cvs or svn (which you can wrap with viewvc for easy display of history and changes). A tool called rancid (http://www.shrubbery.net/rancid/) will automate this for many routers, switches and firewalls, and will also pick up any unexpected changes.

--
Les Mikesell
lesmikesell at gmail.com
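The before/after comparison described in the reply, reduced to its core: diff an archived device config against a freshly collected one and flag any changed line that no approved change request accounts for. This is an added example, not code from the thread, from rancid or from Quest; the config text, the device name and the change-request format are constructed for illustration.

```python
"""Config change audit: compare a freshly collected device configuration
against the last archived copy and flag lines that no approved change
request accounts for. Config text and ticket format are constructed."""
import difflib
from datetime import datetime, timezone

# Constructed sample: the archived config and the one just pulled from the switch.
ARCHIVED = """hostname core-sw1
ntp server 10.0.0.5
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
line vty 0 4
 transport input ssh
"""
CURRENT = """hostname core-sw1
ntp server 10.0.0.5
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
line vty 0 4
 transport input telnet ssh
"""
# Constructed change request: exact lines the approver signed off on.
APPROVED = [
    {"ticket": "CR-1042", "approved_by": "jdoe",
     "added": ["interface Vlan20", " ip address 10.0.20.1 255.255.255.0"],
     "removed": []},
]

def changed_lines(old, new):
    """Return (added, removed) line lists from a zero-context unified diff."""
    diff = list(difflib.unified_diff(old.splitlines(), new.splitlines(),
                                     lineterm="", n=0))[2:]  # drop ---/+++ headers
    added = [l[1:] for l in diff if l.startswith("+")]
    removed = [l[1:] for l in diff if l.startswith("-")]
    return added, removed

def audit(old, new, approved):
    """Split the diff into changes tied to a ticket and unexpected ones."""
    added, removed = changed_lines(old, new)
    expected = {("+", l) for cr in approved for l in cr["added"]}
    expected |= {("-", l) for cr in approved for l in cr["removed"]}
    actual = [("+", l) for l in added] + [("-", l) for l in removed]
    return {"unexpected": [c for c in actual if c not in expected],
            "not_applied": [c for c in expected if c not in actual],
            "checked_at": datetime.now(timezone.utc).isoformat()}

if __name__ == "__main__":
    for sign, line in audit(ARCHIVED, CURRENT, APPROVED)["unexpected"]:
        print(f"UNEXPECTED {sign}{line}")  # the telnet change has no ticket
```

In practice the archived copy is whatever the version control system last committed, so an "unexpected" result is exactly the case the reply says rancid will pick up.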