[CentOS] Re: Directory Server for CentOS 4.1

Thu Jun 30 21:42:07 UTC 2005
Bryan J. Smith <b.j.smith@ieee.org> <thebs413 at earthlink.net>

From: alex at milivojevic.org
> I'm abusing the fact that all users have accounts on one of AD domains.

Ahhh, so let me get this straight ...
Your users are virtual, yet they have real accounts in ADS?
Is this just for LAN?  Or are you an ISP/ASP?

> The "Unix" services are not aware of it.  They simply authenticate user
> against flat userspace on LDAP server, and the LDAP/saslauthd component
> is smart enough to contact appropriate AD domain.

Ahhh, a very interesting setup indeed.
Are you using ADS because the users are normally logging into Windows?
[ And this is a LAN setup, not an ISP/ASP? ]

> So, no I'm not using Kerberos as such, because in reality the clients
> users have can't use it either (reason is simple, most Windows software
> doesn't talk Kerberos or SASL - they are all username/password
> based with option to pass it over SSL/TLS).

Actually, that's not true.  You can replace NT's GINA with pGINA
(pluggable GINA) and authenticate and set up your credentials against
various authentication/directory services.

Unless, of course, you are using software that absolutely requires
ADS.

> I'm simply abusing the fact I can authenticate against AD domain
> using Kerberos as protocol.

Correct.  Again, I'm curious if this is because you already use ADS
for other purposes?  Or someone decided that ADS was "easier"
to support?

> So the question is.  If I have user-a and user-b, where user-a exists
> as principal user-1 at domain-1, and user-b exists as principal user-2
> @domain-2, can I have FDS authenticate the user against appropriate
> domain if passed only the "id=user-a,dc=mydomain,dc=com" or
> "id=user-b,dc=mydomain,dc=com"?  No SASL, no Kerberos mumbo-
> jumbo all the way from the user's client software to LDAP server
> (what happens between LDAP server onwards can be anything, as
> long as it works).

It seems so based on the page I sent you.  Although I think you
might have to change your string slightly.

The docs explicitly stated that 1 server _can_ authenticate against
_multiple_ realms.  I don't see how your setup is different, except
for using the MS-Kerberos protocol which has been integrated into
newer Kerberos client implementations.

--
Bryan J. Smith   mailto:b.j.smith at ieee.org
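For the "one server, multiple realms" point above, here is an added krb5.conf sketch (not from this thread, the FDS docs, or either poster) showing how a single Kerberos client host such as the box running saslauthd is told about two AD realms at once. Realm names, KDC hostnames and DNS domains are placeholders standing in for domain-1 and domain-2 from the question.

```ini
# Placeholder realms for the two AD domains from the question.
# AD realm names are conventionally the DNS domain in upper case.
[libdefaults]
    default_realm = DOMAIN-1.EXAMPLE
    # Explicit KDC list below; set to true to use DNS SRV records instead.
    dns_lookup_kdc = false
    # Reject ticket-granting tickets that are not verifiable (defensive default).
    forwardable = false

[realms]
    DOMAIN-1.EXAMPLE = {
        kdc = dc1.domain-1.example
        admin_server = dc1.domain-1.example
    }
    DOMAIN-2.EXAMPLE = {
        kdc = dc1.domain-2.example
        admin_server = dc1.domain-2.example
    }

# Maps host DNS names to realms; needed when the library must pick a realm
# for a host rather than for a user principal.
[domain_realm]
    .domain-1.example = DOMAIN-1.EXAMPLE
    domain-1.example  = DOMAIN-1.EXAMPLE
    .domain-2.example = DOMAIN-2.EXAMPLE
    domain-2.example  = DOMAIN-2.EXAMPLE

# Note: nothing here renames user-a to user-1. The component doing the
# Kerberos bind must hand the library the full principal (user-1@DOMAIN-1.EXAMPLE),
# so that LDAP-id to principal mapping has to live in the directory entry or
# in the authenticating service, not in krb5.conf.
```

Because the library only trusts a realm it can reach a KDC for, a user whose principal names an unlisted realm fails closed, which is the behaviour you want when one flat namespace fronts several domains.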