[CentOS] authentication loosely tied to active directory?
Les Mikesell
lesmikesell at gmail.com
Tue Jun 16 19:40:39 UTC 2009
JohnS wrote:
>
>> What I'm looking for is a network service that will work across apache
>> and java web services (without requiring a login account) that
>> transparently merges AD accounts with others that I can control
>> separately, and also to be able to use those same logins and passwords
>> for linux system logins where accounts are specifically created. That
>> is, all AD & linux accounts should work for web services and Linux
>> account logins should be able to use AD passwords where they exist.
>>
>> I'd think this would be a fairly common situation where the bulk of
>> company operations are on desktops controlled by AD but there are some
>> developers using Linux and some infrastructure resources using it
>> (subversion, wikis and other web services, etc.) and some users that
>> don't map to employees.
>>
> ---
> Web Services via SOAP can be your "Middle Ware" (man in the middle) to
> authentication here.
I thought that was what PAM was for. I just don't know how to glue it
into someone else's java web app (like OpenNMS or Pentaho's server).
> Your AD admin is going to have to help out in some
> way for this to happen. No way around it I see.
He doesn't now, using PAM with both smb and local password authentication.
> Anonymous accounts can
> be mapped to the appropriate AD account (IWAM_User - depends on
> service app). Firefox can use the LDAP Plugin, Apache auth can be mapped
> to LDAP on AD. Once an AD account is locked out he will know anyway.
I don't want anonymous accounts. I just want to be able to add some
that are unrelated to AD, but I'd prefer to not have to add them to
every machine.
> Maybe check out MS Web Services Interface and WSDL for AD. It is just
> something to really sit down and think about authentication between
> mixed node systems. Can it be done? Yes. One other solution here
> Enterprise wide would be Citrix.
I think PAM with smb and ldap would sort-of work but it still doesn't
seem like the right approach and so far it has been easier to manage a
small number of exceptions on a small number of separate machines. I
thought there were LDAP servers that could proxy for multiple other
servers where some of those might be ADs.
--
Les Mikesell
lesmikesell at gmail.com
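For the Apache half of what Les describes (AD accounts and a separately managed set of non-AD accounts both working for one web service), the usual glue is a chain of authentication providers. The configuration below is an added example for this thread, not something posted by either participant: it is Apache 2.2-era httpd.conf (CentOS 5 vintage) using mod_auth_basic, mod_authnz_ldap and mod_authn_file, and every host name, DN, path and password in it is a placeholder.

```apache
# Added example (not from the thread): Basic auth checked first against
# Active Directory over LDAP, then against a local htpasswd file that holds
# only the accounts that do not exist in AD. All names below are placeholders.
<Location /svn>
    AuthType Basic
    AuthName "Company Subversion"

    # Providers are consulted in order. mod_authnz_ldap answers
    # "user not found" for names absent from AD, so mod_auth_basic then
    # falls through to the file; a wrong password for an AD user is a
    # hard deny and does NOT fall through.
    AuthBasicProvider ldap file

    # AD does not permit anonymous directory searches, so bind with a
    # low-privilege service account that can only read user objects.
    AuthLDAPURL "ldap://dc1.example.internal:389/DC=example,DC=internal?sAMAccountName?sub?(objectClass=user)"
    AuthLDAPBindDN "CN=svc-httpd,OU=Service Accounts,DC=example,DC=internal"
    AuthLDAPBindPassword "PLACEHOLDER-change-me"

    # 2.2 directive: let users who were authenticated by the file provider
    # satisfy "Require valid-user" instead of being rejected by the LDAP
    # authorization hook. (Removed in httpd 2.4, where the provider
    # chain handles this by itself.)
    AuthzLDAPAuthoritative off

    # Accounts Les controls himself; maintained with the htpasswd tool.
    AuthUserFile /etc/httpd/conf/extra-users.htpasswd

    Require valid-user
</Location>
```

Two things worth checking before relying on this: keep the htpasswd file free of names that also exist in AD (the LDAP provider will deny those on a password mismatch before the file is ever consulted), and since `AuthLDAPBindPassword` sits in cleartext in httpd.conf, protect that file and prefer `ldaps://` (with `LDAPTrustedGlobalCert` pointing at the domain CA certificate) so that neither the bind password nor users' AD passwords cross the wire unencrypted. This solves only the Apache side; a Java web application such as the ones mentioned in the thread needs its own LDAP or PAM integration.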