[CentOS] authentication loosely tied to active directory?
Les Mikesell
lesmikesell at gmail.com
Tue Jun 16 21:25:04 UTC 2009
JohnS wrote:
>
>>> Web Services via SOAP can be your "Middle Ware" (man in the middle) to
>>> authentication here.
>> I thought that was what PAM was for. I just don't know how to glue it
>> into someone else's java web app (like OpenNMS or Pentaho's server).
>
> True, PAM can probably work for some. It seems opennms does not support
> PAM? Then my guess is that is where Apache Axis and SOAP or a SOAP Proxy
> come in.
>
> http://www.opennms.org/index.php/Active_Directory_Integration
> I know you can do that. Not sure on the local account side.
That's the problem - PAM stacks methods nicely. Most other things can
use multiples too, but you have to configure each app in weird ways to
do it. That's why I think configuring PAM and apps that don't use PAM
to use LDAP would be the cleanest approach, then configure the LDAP
server side to merge the accounts I want - or make it look that way by
proxying.
> Pentaho's
> looks too much like a Lockin App for anything. Not familiar with it
> either.
It's really tomcat under the covers on the server side (so probably
acecgi like opennms). The code is all available in the community
edition - but it is enough of a monster that you probably would need the
support if you needed to do more than a few reports, which is all I'm
doing so far. It's probably overkill but I really hate doing report
layout work manually and it has a nice interactive design tool that
publishes the runtime to the web server where it can generate html, pdf,
or a spreadsheet download.
>>> Your AD admin is going to have to help out in some
>>> way for this to happen. No way around it I see.
>> He doesn't now, using PAM with both smb and local password authentication.
>>
> If he does not know he needs his brain checked out.
Machines using smb auth don't have to join the domain - and it doesn't
need any special support. For apache, mod_auth_pam works, but isn't a
stock centos module. I think you are supposed to be able to use
mod_auth_sasl with pam these days but I haven't tried to convert yet.
>> I don't want anonymous accounts. I just want to be able to add some
>> that are unrelated to AD, but I'd prefer to not have to add them to
>> every machine.
>
> The bad part is adding them to every machine and I would be against
> that.
So far an occasional 'adduser somebody; passwd somebody' has been easier
than setting up a network database that I can trust.
>> I think PAM with smb and ldap would sort-of work but it still doesn't
>> seem like the right approach and so far it has been easier to manage a
>> small number of exceptions on a small number of separate machines. I
>> thought there were LDAP servers that could proxy for multiple other
>> servers where some of those might be AD's.
>
> I guess the optimal thing to do is figure out every way all apps
> can authenticate and go from there.
I think that's near infinite - especially if you try to set something up
for future use.
> OR get a machine with hardware
> that can handle all the running apps and auth at the machine level.
> I'm just thinking in terms of a Blade Server. Just a side note I know
> you can proxy SOAP requests but not sure on ldap.
So far there aren't that many machines or users that need exceptions
from what smb_auth provides - but I'd probably try to migrate more stuff
currently on windows boxes if everything was seamless.
--
Les Mikesell
lesmikesell at gmail.com
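The "PAM stacks methods nicely" point above, as an added illustration that is not part of the thread: a PAM service file that tries the local password database first and falls through to the domain check, which is the shape of the "smb and local password" setup described. The module name pam_smb_auth.so (from the pam_smb package) and the use_first_pass option are assumptions; pam_unix.so and pam_deny.so are stock PAM modules.

```text
# /etc/pam.d/myapp  (constructed example; file name and service are hypothetical)
#
# auth phase: each "sufficient" line ends the stack on success, so a local
# account never hits the domain controller and a domain user who has no
# local entry is still checked against AD via pam_smb.
auth     sufficient  pam_unix.so
auth     sufficient  pam_smb_auth.so use_first_pass   # assumed module/option
auth     required    pam_deny.so                      # nothing matched: fail closed
#
# account phase: still require a local account record so that only users
# you have explicitly provisioned (domain or not) get in, even if the
# password check above succeeded.
account  required    pam_unix.so
```

The trailing pam_deny.so line matters: without it, a stack made only of "sufficient" entries that all fail can still return an ambiguous result rather than a clear denial. The account line is what makes the machine-local exceptions explicit rather than letting any domain password through.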