[CentOS] authentication loosely tied to active directory?

JohnS jses27 at gmail.com
Tue Jun 16 20:16:34 UTC 2009 

On Tue, 2009-06-16 at 14:40 -0500, Les Mikesell wrote:
> JohnS wrote:
> > 
> >> What I'm looking for is a network service that will work across apache 
> >> and java web services (without requiring a login account) that 
> >> transparently merges AD accounts with others that I can control 
> >> separately, and also to be able to use those same logins and passwords 
> >> for linux system logins where accounts are specifically created. That 
> >> is, all AD & linux accounts should work for web services and Linux 
> >> account logins should be able to use AD passwords where they exist.
> >>
> >> I'd think this would be a fairly common situation where the bulk of 
> >> company operations are on desktops controlled by AD but there are some 
> >> developers using Linux and some infrastructure resources using it 
> >> (subversion, wikis and other web services, etc.) and some users that 
> >> don't map to employees.
> >>
> > ---
> > Web Services via SOAP can be your "Middle Ware" (man in the middle) to
> > authentication here.
> 
> I thought that was what PAM was for.  I just don't know how to glue it 
> into someone else's java web app (like OpenNMS or Pentaho's server).

True PAM can probally work for some. It seems opennms does not support
PAM? Then my guess is that is where Apache Axis and SOAP or a SOAP Proxy
come in.

http://www.opennms.org/index.php/Active_Directory_Integration
I know you can do that. Not sure on the local account side. Pentaho's
looks to much like a Lockin App for anything. Not familiar with it
either.

> > Your AD admin is going to have to help out in some
> > way for this to happen. No way around it I see.
> 
> He doesn't now, using PAM with both  smb and local password authentication.
> 
If he does not know he needs his brain checked out.

> I don't want anonymous accounts.  I just want to be able to add some 
> that are unrelated to AD, but I'd prefer to not have to add them to 
> every machine.

The bad part is adding them to every machine and I would be against
that.

> I think PAM with smb and ldap would sort-of work but it still doesn't 
> seem like the right approach and so far it has been easier to manage a 
> small number of exceptions on a small number of separate machines.  I 
> thought there were LDAP servers that could proxy for multiple other 
> servers where some of those might be AD's.

I guess the optimal thing to do is figure out every way all apps 
can authenticate and go from there. OR get a machine with hardware
that can handle all the runnng apps and auth at the machine level.
I'm just thinking in terms of a Blade Server. Just a side note I know
you can proxy SOAP requests but not sure on ldap.

john

More information about the CentOS mailing list