Les Mikesell
2009-Jun-05 17:00 UTC
[CentOS] authentication loosely tied to active directory?
What's the best authentication scheme when you are dealing with an active directory that someone else controls? I've been using pam configured for smb and local passwords where a local account is needed for real logins (but either the domain or local password will work) and web services don't require a local account. That's most of the functionality I want and it doesn't take pre-arrangement with the AD administrator, but I have to glue mod_auth_pam into httpd and I'm not sure how to duplicate it for java web services.

Is there a way to use an LDAP proxy in a similar way so I can add accounts of my own but also accept anything from one or more AD's? Or some better approach entirely?

--
Les Mikesell
lesmikesell at gmail.com
Ross Walker
2009-Jun-05 22:29 UTC
[CentOS] authentication loosely tied to active directory?
On Jun 5, 2009, at 1:00 PM, Les Mikesell <lesmikesell at gmail.com> wrote:

> What's the best authentication scheme when you are dealing with an
> active directory that someone else controls? I've been using pam
> configured for smb and local passwords where a local account is needed
> for real logins (but either the domain or local password will work)
> and web services don't require a local account. That's most of the
> functionality I want and it doesn't take pre-arrangement with the AD
> administrator, but I have to glue mod_auth_pam into httpd and I'm not
> sure how to duplicate it for java web services.
>
> Is there a way to use an LDAP proxy in a similar way so I can add
> accounts of my own but also accept anything from one or more AD's? Or
> some better approach entirely?

We use winbind with rid mapping for user/group ids and kerberos for authentication where I am, and it works well and provides SSO for the whole windows domain, even LDAP, which we use as an address book. You can map ranges of user/group ids to particular domains and it doesn't require any local accounts or manual setting of user ids. You can map those winbind accounts to unix groups globally through NIS.

If your network is large, set up a couple of rid mapping servers with winbind that then re-export those maps through NIS to keep things consistent. Just make sure your NIS make maps use getent and winbind is set to enumerate users/groups. Make sure no passwords are in there, only kerberos accounts.

-Ross
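The winbind rid-mapping layout Ross describes, as an added example that is not part of the thread: a constructed smb.conf fragment (the domain names, realm and id ranges are assumed placeholders) that gives each domain its own deterministic, non-overlapping id range and turns on enumeration so that getent-based NIS map builds actually see the domain accounts.

```ini
# Constructed example smb.conf fragment (not from the original thread).
# Domain names, realm and id ranges are placeholders; adjust to your forest.
[global]
    workgroup = CORP
    realm = CORP.EXAMPLE.COM
    security = ads

    # Catch-all backend for BUILTIN and any domain without an explicit mapping.
    # Keep this range small and disjoint from the rid ranges below.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # Deterministic rid mapping: uid = range base + RID, so every winbind
    # server computes the same ids with no shared allocation database.
    idmap config CORP : backend = rid
    idmap config CORP : range = 10000-999999

    # A second (trusted) domain gets its own non-overlapping range, which is
    # how "map ranges of user/group ids to particular domains" is expressed.
    idmap config PARTNER : backend = rid
    idmap config PARTNER : range = 1000000-1999999

    # Enumeration must be on, or `getent passwd` / `getent group` will not
    # list domain accounts and NIS maps built from getent come out empty.
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes

    # Home directory and shell for domain users on the Unix side.
    # The passwd field winbind hands to getent is "*", so no password
    # hashes end up in the exported maps; authentication stays in Kerberos.
    template homedir = /home/%D/%U
    template shell = /bin/bash
```

/etc/nsswitch.conf still needs `winbind` after `files` for passwd and group, and `wbinfo -u` followed by `getent passwd` is the quick check that enumeration works before the NIS Makefile is pointed at getent.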