JohnS wrote:
> Web Services via SOAP can be your "Middle Ware" (man in the middle) to authentication here.
I thought that was what PAM was for. I just don't know how to glue it into someone else's java web app (like OpenNMS or Pentaho's server).
> True PAM can probably work for some. It seems opennms does not support PAM? Then my guess is that is where Apache Axis and SOAP or a SOAP Proxy come in.
> http://www.opennms.org/index.php/Active_Directory_Integration I know you can do that. Not sure on the local account side.
That's the problem - PAM stacks methods nicely. Most other things can use multiples too, but you have to configure each app in weird ways to do it. That's why I think configuring PAM and apps that don't use PAM to use LDAP would be the cleanest approach, then configure the LDAP server side to merge the accounts I want - or make it look that way by proxying.
> Pentaho's looks too much like a Lockin App for anything. Not familiar with it either.
It's really tomcat under the covers on the server side (so probably acecgi like opennms). The code is all available in the community edition - but it is enough of a monster that you probably would need the support if you needed to do more than a few reports, which is all I'm doing so far. It's probably overkill but I really hate doing report layout work manually and it has a nice interactive design tool that publishes the runtime to the web server where it can generate html, pdf, or a spreadsheet download.
> Your AD admin is going to have to help out in some way for this to happen. No way around it I see.
He doesn't now, using PAM with both smb and local password authentication.
> If he does not know he needs his brain checked out.
Machines using smb auth don't have to join the domain - and it doesn't need any special support. For apache, mod_auth_pam works, but isn't a stock centos module. I think you are supposed to be able to use mod_auth_sasl with pam these days but I haven't tried to convert yet.
I don't want anonymous accounts. I just want to be able to add some that are unrelated to AD, but I'd prefer to not have to add them to every machine.
> The bad part is adding them to every machine and I would be against that.
So far an occasional 'addusr somebody; passwd somebody' has been easier than setting up a network database that I can trust.
I think PAM with smb and ldap would sort-of work but it still doesn't seem like the right approach and so far it has been easier to manage a small number of exceptions on a small number of separate machines. I thought there were LDAP servers that could proxy for multiple other servers where some of those might be AD's.
> I guess the optimal thing to do is figure out every way all apps can authenticate and go from there.
I think that's near infinite - especially if you try to set something up for future use.
> OR get a machine with hardware that can handle all the running apps and auth at the machine level. I'm just thinking in terms of a Blade Server. Just a side note I know you can proxy SOAP requests but not sure on ldap.
So far there aren't that many machines or users that need exceptions from what smb_auth provides - but I'd probably try to migrate more stuff currently on windows boxes if everything was seamless.
-- 
Les Mikesell
lesmikesell@gmail.com
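The PAM stacking Les describes (a local password check and an SMB/AD check side by side, so either kind of account can log in) is worth seeing as a concrete stack. This is an added illustration, not part of the thread: the module names pam_unix.so, pam_winbind.so and pam_deny.so are assumed stand-ins, and the control-flag logic is a simplified simulation of PAM's auth phase rather than a call into libpam.

```python
"""Simulate how PAM evaluates a stacked 'auth' section (constructed example)."""

# Constructed stack in the spirit of the thread: try the local password first,
# then the SMB/AD password, and refuse if neither succeeded.  Module names are
# placeholders for whatever the distribution actually ships.
AUTH_STACK = [
    ("sufficient", "pam_unix.so"),     # local /etc/shadow password
    ("sufficient", "pam_winbind.so"),  # SMB / Active Directory password
    ("required",   "pam_deny.so"),     # always fails: nothing above matched
]


def run_stack(stack, verdicts):
    """Return True if the stack grants access.

    `verdicts` maps module name -> True (PAM_SUCCESS) or False (any failure).
    Models the classic control flags: required, requisite, sufficient, optional.
    Simplified: it does not distinguish individual PAM error codes.
    """
    required_failed = False
    any_success = False
    for control, module in stack:
        ok = verdicts.get(module, False)   # an unknown module counts as failing
        any_success = any_success or ok
        if control == "required" and not ok:
            required_failed = True         # keep evaluating, final answer is failure
        elif control == "requisite" and not ok:
            return False                   # stop the stack immediately
        elif control == "sufficient" and ok and not required_failed:
            return True                    # short-circuit: later modules are skipped
        # 'optional' only matters when it is the sole module; ignored here
    return any_success and not required_failed


def can_log_in(local_ok, smb_ok, stack=AUTH_STACK):
    """Convenience wrapper: outcome for a user given each backend's verdict."""
    verdicts = {"pam_unix.so": local_ok, "pam_winbind.so": smb_ok, "pam_deny.so": False}
    return run_stack(stack, verdicts)


if __name__ == "__main__":
    print("local account  :", can_log_in(local_ok=True,  smb_ok=False))  # True
    print("domain account :", can_log_in(local_ok=False, smb_ok=True))   # True
    print("unknown account:", can_log_in(local_ok=False, smb_ok=False))  # False
```

Changing both `sufficient` lines to `required` would demand that a user pass both backends, which is why a single stack with `sufficient` entries is what lets local exceptions and AD accounts coexist.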