What's the best authentication scheme when you are dealing with an active directory that someone else controls? I've been using pam configured for smb and local passwords where a local account is needed for real logins (but either the domain or local password will work) and web services don't require a local account. That's most of the functionality I want and it doesn't take pre-arrangement with the AD administrator, but I have to glue mod_auth_pam into httpd and I'm not sure how to duplicate it for java web services.
Is there a way to use an LDAP proxy in a similar way so I can add accounts of my own but also accept anything from one or more AD's? Or some better approach entirely?
On Jun 5, 2009, at 1:00 PM, Les Mikesell lesmikesell@gmail.com wrote:
What's the best authentication scheme when you are dealing with an active directory that someone else controls? I've been using pam configured for smb and local passwords where a local account is needed for real logins (but either the domain or local password will work) and web services don't require a local account. That's most of the functionality I want and it doesn't take pre-arrangement with the AD administrator, but I have to glue mod_auth_pam into httpd and I'm not sure how to duplicate it for java web services.
Is there a way to use an LDAP proxy in a similar way so I can add accounts of my own but also accept anything from one or more AD's? Or some better approach entirely?
We use winbind with rid mapping for user/group ids and kerberos for authentication where I am and it works well and provides SSO for the whole windows domain, even LDAP which we use as an address book.
You can map ranges of user/group ids to particular domains and it doesn't require any local accounts or manual setting of user ids.
You can map those winbind accounts to unix groups globally through NIS.
If your network is large, set up a couple of rid mapping servers with winbind that then re-export those maps through NIS to keep things consistent. Just make sure your NIS make maps uses getent and winbind is set to enumerate users/groups. Make sure no passwords are in there, only kerberos accounts.
-Ross
On Fri, Jun 5, 2009 at 5:29 PM, Ross Walker rswwalker@gmail.com wrote:
On Jun 5, 2009, at 1:00 PM, Les Mikesell lesmikesell@gmail.com wrote:
What's the best authentication scheme when you are dealing with an active directory that someone else controls? I've been using pam configured for smb and local passwords where a local account is needed for real logins (but either the domain or local password will work) and web services don't require a local account. That's most of the functionality I want and it doesn't take pre-arrangement with the AD administrator, but I have to glue mod_auth_pam into httpd and I'm not sure how to duplicate it for java web services.
Is there a way to use an LDAP proxy in a similar way so I can add accounts of my own but also accept anything from one or more AD's? Or some better approach entirely?
We use winbind with rid mapping for user/group ids and kerberos for authentication where I am and it works well and provides SSO for the whole windows domain, even LDAP which we use as an address book.
You can map ranges of user/group ids to particular domains and it doesn't require any local accounts or manual setting of user ids.
You can map those winbind accounts to unix groups globally through NIS.
If your network is large, set up a couple of rid mapping servers with winbind that then re-export those maps through NIS to keep things consistent. Just make sure your NIS make maps uses getent and winbind is set to enumerate users/groups. Make sure no passwords are in there, only kerberos accounts.
-Ross
Hey, Ross:
How do you do this without cooperation from the administrator of the AD servers? I can't make any progress at all as long as the administrators tell me to go to hell. pam_smb is the only way I can make this work without administrator intervention.
Paul Johnson wrote:
On Fri, Jun 5, 2009 at 5:29 PM, Ross Walker rswwalker@gmail.com wrote:
On Jun 5, 2009, at 1:00 PM, Les Mikesell lesmikesell@gmail.com wrote:
What's the best authentication scheme when you are dealing with an active directory that someone else controls? I've been using pam configured for smb and local passwords where a local account is needed for real logins (but either the domain or local password will work) and web services don't require a local account. That's most of the functionality I want and it doesn't take pre-arrangement with the AD administrator, but I have to glue mod_auth_pam into httpd and I'm not sure how to duplicate it for java web services.
Is there a way to use an LDAP proxy in a similar way so I can add accounts of my own but also accept anything from one or more AD's? Or some better approach entirely?
We use winbind with rid mapping for user/group ids and kerberos for authentication where I am and it works well and provides SSO for the whole windows domain, even LDAP which we use as an address book.
You can map ranges of user/group ids to particular domains and it doesn't require any local accounts or manual setting of user ids.
You can map those winbind accounts to unix groups globally through NIS.
If your network is large, set up a couple of rid mapping servers with winbind that then re-export those maps through NIS to keep things consistent. Just make sure your NIS make maps uses getent and winbind is set to enumerate users/groups. Make sure no passwords are in there, only kerberos accounts.
-Ross
Hey, Ross:
How do you do this without cooperation from the administrator of the AD servers? I can't make any progress at all as long as the administrators tell me to go to hell. pam_smb is the only way I can make this work without administrator intervention.
Same here - which is why I raised the question. Although I probably could get permission to join the domain I want to be able to add users on the Linux side that don't exist in AD. Pam_smb works but I think something that used LDAP would be better if the ldap server could have local entries and proxy for the AD.
The strategy I took was far from best practices in my opinion but was really the best solution for us at the time we needed it (including AD licensing costs and several disparate facilities across the country).
I have all of my servers use the pam_ldap module in addition to setting my nsswitch.conf to use ldap. Accounts in my openldap server which also exist in AD and which I would like to authenticate against use a local saslauthd daemon to support kerberos5 to our AD infrastructure. Accounts which do not exist in AD (and which I don't want there) are added to openldap as well, but because of the value of the userPassword attribute they use local authentication instead of passing the request to saslauthd. Basically, I only use AD for authentication (SSO) when needed (typically for humans) and openldap for universal daemon accounts or other ancillary type accounts (plus rfc2307 type NIS data). Modifying the AD schema to support rfc2307 was not an option at the time either.
This is far from elegant because many ldap attributes must be duplicated and made consistent in both AD and openldap but it has worked out quite well for us. The more sophisticated overlays weren't available to us when we rolled this out and I wasn't really familiar with any solid and free meta directory servers. I wonder if I could have done something with referrals for the ldap attributes that are duplicated... or does anyone recommend a solid and free meta directory server? Hope this helps someone.
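As an added illustration of the layout just described (these are not the poster's files; the realm, host names, suffix and file paths are assumed), the pieces that let the userPassword value decide where a simple bind is checked: OpenLDAP's {SASL} scheme hands the cleartext password to Cyrus SASL, which saslauthd verifies against the AD KDC, while an {SSHA} hash is verified by slapd itself.

```conf
# --- /etc/krb5.conf (assumed realm and KDC): the only Kerberos setup slapd needs
[libdefaults]
    default_realm = CORP.EXAMPLE.COM
[realms]
    CORP.EXAMPLE.COM = {
        kdc = dc1.corp.example.com
    }

# --- /etc/sysconfig/saslauthd: verify a password by requesting a TGT from AD
MECH=kerberos5
FLAGS="-r"      # keep user@REALM together as one principal name

# --- /etc/sasl2/slapd.conf (path depends on the build): how slapd talks to SASL
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
mech_list: plain login

# --- /etc/openldap/slapd.conf (excerpt)
include   /etc/openldap/schema/core.schema
include   /etc/openldap/schema/cosine.schema
include   /etc/openldap/schema/inetorgperson.schema
include   /etc/openldap/schema/nis.schema    # posixAccount for nss_ldap
database  hdb
suffix    "dc=example,dc=com"
# only the owner may read or change a password; everyone else may only bind with it
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to * by * read

# --- users.ldif: two accounts that look identical to pam_ldap and nss_ldap
# alice exists in AD, so her simple bind is delegated to the domain controller
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: alice
cn: Alice Example
sn: Example
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/alice
loginShell: /bin/bash
userPassword: {SASL}alice@CORP.EXAMPLE.COM

# svc-backup has no AD counterpart, so slapd checks the stored hash itself
dn: uid=svc-backup,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: svc-backup
cn: Backup Service
sn: Service
uidNumber: 20001
gidNumber: 20001
homeDirectory: /var/lib/backup
loginShell: /sbin/nologin
userPassword: {SSHA}PLACEHOLDER-paste-slappasswd-output-here

# --- /etc/nsswitch.conf: uid/gid/home/shell come from openldap, never from AD
passwd: files ldap
shadow: files ldap
group:  files ldap

# --- /etc/pam.d/system-auth (auth section): one stack serves both account kinds
auth  sufficient pam_unix.so nullok try_first_pass
auth  requisite  pam_succeed_if.so uid >= 500 quiet
auth  sufficient pam_ldap.so use_first_pass
auth  required   pam_deny.so
```

The {SASL} entries never hold a secret, so an AD password change needs no edit in openldap; the rfc2307 attributes (uidNumber, gidNumber, homeDirectory, loginShell) are the part that has to be kept consistent by hand, which is the duplication the poster mentions.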
On Jun 16, 2009, at 2:04 AM, Les Mikesell lesmikesell@gmail.com wrote:
Paul Johnson wrote:
On Fri, Jun 5, 2009 at 5:29 PM, Ross Walker rswwalker@gmail.com wrote:
On Jun 5, 2009, at 1:00 PM, Les Mikesell lesmikesell@gmail.com wrote:
What's the best authentication scheme when you are dealing with an active directory that someone else controls? I've been using pam configured for smb and local passwords where a local account is needed for real logins (but either the domain or local password will work) and web services don't require a local account. That's most of the functionality I want and it doesn't take pre-arrangement with the AD administrator, but I have to glue mod_auth_pam into httpd and I'm not sure how to duplicate it for java web services.
Is there a way to use an LDAP proxy in a similar way so I can add accounts of my own but also accept anything from one or more AD's? Or some better approach entirely?
We use winbind with rid mapping for user/group ids and kerberos for authentication where I am and it works well and provides SSO for the whole windows domain, even LDAP which we use as an address book.
You can map ranges of user/group ids to particular domains and it doesn't require any local accounts or manual setting of user ids.
You can map those winbind accounts to unix groups globally through NIS.
If your network is large, set up a couple of rid mapping servers with winbind that then re-export those maps through NIS to keep things consistent. Just make sure your NIS make maps uses getent and winbind is set to enumerate users/groups. Make sure no passwords are in there, only kerberos accounts.
-Ross
Hey, Ross:
How do you do this without cooperation from the administrator of the AD servers? I can't make any progress at all as long as the administrators tell me to go to hell. pam_smb is the only way I can make this work without administrator intervention.
Same here - which is why I raised the question. Although I probably could get permission to join the domain I want to be able to add users on the Linux side that don't exist in AD. Pam_smb works but I think something that used LDAP would be better if the ldap server could have local entries and proxy for the AD.
To use LDAP there needs to be uid/gid/home/shell attributes set first, which if it isn't available probably won't be.
To use winbind+kerberos you need a machine account in the domain that you have the rights to modify the attributes of (samba list can get you the specific ones).
If you can get that, then set up kerberos per your domain, then join the domain with a 'net ads join -U <username>'.
If all you want is local user accounts with domain rights you could just setup kerberos and pam_krb5 to authenticate against the domain. Then you'll get a TGT on login which most apps can use for SSO.
I can post specifics if you let me know your setup.
-Ross
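For the no-join variant Ross mentions last (local accounts, AD passwords accepted), here is an added example of what that looks like on a CentOS-style PAM stack; it is not Ross's configuration, and the realm, KDC names and the uid threshold are assumed.

```conf
# --- /etc/krb5.conf (assumed names): point the realm at the domain controllers
[libdefaults]
    default_realm = CORP.EXAMPLE.COM
[realms]
    CORP.EXAMPLE.COM = {
        kdc = dc1.corp.example.com
        kdc = dc2.corp.example.com
    }
[domain_realm]
    .corp.example.com = CORP.EXAMPLE.COM

# --- /etc/pam.d/system-auth (excerpt): accounts must exist locally (files),
# but the password may be either the local one or the AD one.
# Order matters: pam_unix answers first for accounts with a local hash,
# pam_krb5 retries the same password against AD for everyone else.
auth     required   pam_env.so
auth     sufficient pam_unix.so nullok try_first_pass
auth     requisite  pam_succeed_if.so uid >= 500 quiet   # never send system account passwords to the KDC
auth     sufficient pam_krb5.so use_first_pass validate
auth     required   pam_deny.so

account  required   pam_unix.so broken_shadow
account  sufficient pam_localuser.so
account  [default=bad success=ok user_unknown=ignore] pam_krb5.so
account  required   pam_permit.so

session  optional   pam_krb5.so      # keep the TGT in the credential cache for SSO
```

`validate` makes pam_krb5 check the returned TGT against a host keytab, which means a machine account from the AD side; without it the module trusts whichever KDC answers for the realm, so the password is only as verified as the network path to the domain controllers.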
On Mon, 2009-06-15 at 22:30 -0500, Paul Johnson wrote:
On Fri, Jun 5, 2009 at 5:29 PM, Ross Walker rswwalker@gmail.com wrote:
On Jun 5, 2009, at 1:00 PM, Les Mikesell lesmikesell@gmail.com wrote:
What's the best authentication scheme when you are dealing with an active directory that someone else controls? I've been using pam configured for smb and local passwords where a local account is needed for real logins (but either the domain or local password will work) and web services don't require a local account. That's most of the functionality I want and it doesn't take pre-arrangement with the AD administrator, but I have to glue mod_auth_pam into httpd and I'm not sure how to duplicate it for java web services.
If this is java web services you're having the problem with, you can also use kerberos with SOAP/XML/RPC. But the catch is only 128-bit encryption.
Another option may be LDAP under Apache.
john
JohnS wrote:
On Mon, 2009-06-15 at 22:30 -0500, Paul Johnson wrote:
On Fri, Jun 5, 2009 at 5:29 PM, Ross Walker rswwalker@gmail.com wrote:
On Jun 5, 2009, at 1:00 PM, Les Mikesell lesmikesell@gmail.com wrote:
What's the best authentication scheme when you are dealing with an active directory that someone else controls? I've been using pam configured for smb and local passwords where a local account is needed for real logins (but either the domain or local password will work) and web services don't require a local account. That's most of the functionality I want and it doesn't take pre-arrangement with the AD administrator, but I have to glue mod_auth_pam into httpd and I'm not sure how to duplicate it for java web services.
If this is java web services you're having the problem with, you can also use kerberos with SOAP/XML/RPC. But the catch is only 128-bit encryption.
Don't forget that I want it to honor system accounts too - or at least some that aren't in AD.
Another option may be LDAP under Apache.
What I'm looking for is a network service that will work across apache and java web services (without requiring a login account) that transparently merges AD accounts with others that I can control separately, and also to be able to use those same logins and passwords for linux system logins where accounts are specifically created. That is, all AD & linux accounts should work for web services and Linux account logins should be able to use AD passwords where they exist.
I'd think this would be a fairly common situation where the bulk of company operations are on desktops controlled by AD but there are some developers using Linux and some infrastructure resources using it (subversion, wikis and other web services, etc.) and some users that don't map to employees.
On Tue, 2009-06-16 at 11:43 -0500, Les Mikesell wrote:
JohnS wrote:
What I'm looking for is a network service that will work across apache and java web services (without requiring a login account) that transparently merges AD accounts with others that I can control separately, and also to be able to use those same logins and passwords for linux system logins where accounts are specifically created. That is, all AD & linux accounts should work for web services and Linux account logins should be able to use AD passwords where they exist.
I'd think this would be a fairly common situation where the bulk of company operations are on desktops controlled by AD but there are some developers using Linux and some infrastructure resources using it (subversion, wikis and other web services, etc.) and some users that don't map to employees.
Web Services via SOAP can be your "Middle Ware" (man in the middle) to authentication here. Your AD admin is going to have to help out in some way for this to happen. No way around it I see. Anonymous accounts can be mapped to the appropriate AD account (IWAM_User - depends on service app). Firefox can use the LDAP Plugin, Apache auth can be mapped to LDAP on AD. Once an AD account is locked out he will know anyway.
Maybe check out MS Web Services Interface and WSDL for AD. It is just something to really sit down and think about authentication between mixed node systems. Can it be done? Yes. One other solution here Enterprise wide would be Citrix.
john
JohnS wrote:
What I'm looking for is a network service that will work across apache and java web services (without requiring a login account) that transparently merges AD accounts with others that I can control separately, and also to be able to use those same logins and passwords for linux system logins where accounts are specifically created. That is, all AD & linux accounts should work for web services and Linux account logins should be able to use AD passwords where they exist.
I'd think this would be a fairly common situation where the bulk of company operations are on desktops controlled by AD but there are some developers using Linux and some infrastructure resources using it (subversion, wikis and other web services, etc.) and some users that don't map to employees.
Web Services via SOAP can be your "Middle Ware" (man in the middle) to authentication here.
I thought that was what PAM was for. I just don't know how to glue it into someone else's java web app (like OpenNMS or Pentaho's server).
Your AD admin is going to have to help out in some way for this to happen. No way around it I see.
He doesn't now, using PAM with both smb and local password authentication.
Anonymous accounts can be mapped to the appropriate AD account (IWAM_User - depends on service app). Firefox can use the LDAP Plugin, Apache auth can be mapped to LDAP on AD. Once an AD account is locked out he will know anyway.
I don't want anonymous accounts. I just want to be able to add some that are unrelated to AD, but I'd prefer to not have to add them to every machine.
Maybe check out MS Web Services Interface and WSDL for AD. It is just something to really sit down and think about authentication between mixed node systems. Can it be done? Yes. One other solution here Enterprise wide would be Citrix.
I think PAM with smb and ldap would sort-of work but it still doesn't seem like the right approach and so far it has been easier to manage a small number of exceptions on a small number of separate machines. I thought there were LDAP servers that could proxy for multiple other servers where some of those might be AD's.
On Tue, 2009-06-16 at 14:40 -0500, Les Mikesell wrote:
JohnS wrote:
What I'm looking for is a network service that will work across apache and java web services (without requiring a login account) that transparently merges AD accounts with others that I can control separately, and also to be able to use those same logins and passwords for linux system logins where accounts are specifically created. That is, all AD & linux accounts should work for web services and Linux account logins should be able to use AD passwords where they exist.
I'd think this would be a fairly common situation where the bulk of company operations are on desktops controlled by AD but there are some developers using Linux and some infrastructure resources using it (subversion, wikis and other web services, etc.) and some users that don't map to employees.
Web Services via SOAP can be your "Middle Ware" (man in the middle) to authentication here.
I thought that was what PAM was for. I just don't know how to glue it into someone else's java web app (like OpenNMS or Pentaho's server).
True, PAM can probably work for some. It seems opennms does not support PAM? Then my guess is that is where Apache Axis and SOAP or a SOAP Proxy come in.
http://www.opennms.org/index.php/Active_Directory_Integration I know you can do that. Not sure on the local account side. Pentaho's looks too much like a Lockin App for anything. Not familiar with it either.
Your AD admin is going to have to help out in some way for this to happen. No way around it I see.
He doesn't now, using PAM with both smb and local password authentication.
If he does not know he needs his brain checked out.
I don't want anonymous accounts. I just want to be able to add some that are unrelated to AD, but I'd prefer to not have to add them to every machine.
The bad part is adding them to every machine and I would be against that.
I think PAM with smb and ldap would sort-of work but it still doesn't seem like the right approach and so far it has been easier to manage a small number of exceptions on a small number of separate machines. I thought there were LDAP servers that could proxy for multiple other servers where some of those might be AD's.
I guess the optimal thing to do is figure out every way all apps can authenticate and go from there. OR get a machine with hardware that can handle all the running apps and auth at the machine level. I'm just thinking in terms of a Blade Server. Just a side note, I know you can proxy SOAP requests but not sure on ldap.
john
JohnS wrote:
Web Services via SOAP can be your "Middle Ware" (man in the middle) to authentication here.
I thought that was what PAM was for. I just don't know how to glue it into someone else's java web app (like OpenNMS or Pentaho's server).
True, PAM can probably work for some. It seems opennms does not support PAM? Then my guess is that is where Apache Axis and SOAP or a SOAP Proxy come in.
http://www.opennms.org/index.php/Active_Directory_Integration I know you can do that. Not sure on the local account side.
That's the problem - PAM stacks methods nicely. Most other things can use multiples too, but you have to configure each app in weird ways to do it. That's why I think configuring PAM and apps that don't use PAM to use LDAP would be the cleanest approach, then configure the LDAP server side to merge the accounts I want - or make it look that way by proxying.
Pentaho's looks too much like a Lockin App for anything. Not familiar with it either.
It's really tomcat under the covers on the server side (so probably Acegi like opennms). The code is all available in the community edition - but it is enough of a monster that you probably would need the support if you needed to do more than a few reports, which is all I'm doing so far. It's probably overkill but I really hate doing report layout work manually and it has a nice interactive design tool that publishes the runtime to the web server where it can generate html, pdf, or a spreadsheet download.
Your AD admin is going to have to help out in some way for this to happen. No way around it I see.
He doesn't now, using PAM with both smb and local password authentication.
If he does not know he needs his brain checked out.
Machines using smb auth don't have to join the domain - and it doesn't need any special support. For apache, mod_auth_pam works, but isn't a stock centos module. I think you are supposed to be able to use mod_auth_sasl with pam these days but I haven't tried to convert yet.
I don't want anonymous accounts. I just want to be able to add some that are unrelated to AD, but I'd prefer to not have to add them to every machine.
The bad part is adding them to every machine and I would be against that.
So far an occasional 'adduser somebody; passwd somebody' has been easier than setting up a network database that I can trust.
I think PAM with smb and ldap would sort-of work but it still doesn't seem like the right approach and so far it has been easier to manage a small number of exceptions on a small number of separate machines. I thought there were LDAP servers that could proxy for multiple other servers where some of those might be AD's.
I guess the optimal thing to do is figure out every way all apps can authenticate and go from there.
I think that's near infinite - especially if you try to set something up for future use.
OR get a machine with hardware that can handle all the running apps and auth at the machine level. I'm just thinking in terms of a Blade Server. Just a side note, I know you can proxy SOAP requests but not sure on ldap.
So far there aren't that many machines or users that need exceptions from what smb_auth provides - but I'd probably try to migrate more stuff currently on windows boxes if everything was seamless.
-- Les Mikesell lesmikesell@gmail.com