On 3/29/2011 2:27 PM, Ray Van Dolson wrote:
>> That said, if you have a variety of platforms and OSes to support, Likewise is a great option... (never tried Centrify)
>> Do either/both of these let you add accounts for the Linux side that don't propagate back to AD? I'd like something to use in a lab so existing users/passwords didn't take extra work but we could still add accounts that don't exist (and we don't want) in AD. Easy hooks for apache and java web services to see the combined accounts would be a big plus.
> My understanding is you'd have to rely on local accounts or a second centralized authentication source (probably done via NSS, not via Likewise directly).
> Maybe allowing the accounts to float back to AD but somehow restricting them for Unix login use only...
> (We have a long-standing project to migrate off NIS to AD-only -- preserving UIDs/GIDs and defining the sort of access requirements you describe is a bit of a challenge.)
I thought I had seen tools that can proxy LDAP services to multiple backends, with one of them being AD but at the time it seemed too complicated so I set up pam_smb and mod_auth_pam in apache (and set up apache to not require account info). That lets me add local accounts to a machine for the people who either need login-type services or aren't in AD and still accept passwords that are in AD. But, it has to be repeated per machine and I don't have java web services working with it. What I'd like to have is an LDAP server or even a separate AD server to manage extra users and then a proxy service that combines the logins from both sources for any number of clients. Basically I want to trust both authentication sources, but not add mine to the main AD or have it trust mine, and I want it in a way that apache, java, etc. already understand, besides being usable for login service.
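An added example, not from anyone in this thread, of the Apache side of "trust both sources": mod_auth_basic chains mod_authnz_ldap (AD) and mod_authn_file (local lab accounts) for one location. The hostname, DNs, bind credentials and file paths are assumptions.

```apache
# Added example, not from this thread. Assumes Apache httpd 2.2/2.4 with
# mod_auth_basic, mod_ldap, mod_authnz_ldap and mod_authn_file loaded.
# Host, DNs, credentials and paths are placeholders.
<Location /lab>
    AuthType Basic
    AuthName "Lab services"

    # Providers are tried in order. A user unknown to AD falls through to the
    # local file; a user that AD knows but whose password is wrong is denied
    # outright, so a local file entry can never override an AD password.
    AuthBasicProvider ldap file

    # AD lookup by sAMAccountName. The bind account is a read-only service
    # account; mod_ldap needs LDAPTrustedGlobalCert (server scope) for the
    # CA that signed the DC certificate when using ldaps://.
    AuthLDAPURL "ldaps://dc01.example.com/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"
    AuthLDAPBindDN "CN=svc-httpd,OU=Service Accounts,DC=example,DC=com"
    AuthLDAPBindPassword "REPLACE_ME"

    # Lab-only accounts that must not exist in AD (create with htpasswd -B).
    AuthUserFile /etc/httpd/conf/lab-users.htpasswd

    Require valid-user
</Location>
```

This only covers Apache; anything that reads accounts through NSS/PAM or a Java LDAP client still sees just one of the two sources, which is the gap described above.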