[CentOS] authentication loosely tied to active directory?

Tue Jun 16 16:43:49 UTC 2009
Les Mikesell <lesmikesell at gmail.com>

JohnS wrote:
> On Mon, 2009-06-15 at 22:30 -0500, Paul Johnson wrote:
>> On Fri, Jun 5, 2009 at 5:29 PM, Ross Walker<rswwalker at gmail.com> wrote:
>>> On Jun 5, 2009, at 1:00 PM, Les Mikesell <lesmikesell at gmail.com> wrote:
>>>
>>>> What's the best authentication scheme when you are dealing with an
>>>> active directory that someone else controls?  I've been using pam
>>>> configured for smb and local passwords where a local account is needed
>>>> for real logins (but either the domain or local password will work) and
>>>> web services don't require a local account. That's most of the
>>>> functionality I want and it doesn't take pre-arrangement with the AD
>>>> administrator, but I have to glue mod_auth_pam into httpd and I'm not
>>>> sure how to duplicate it for java web services.
> 
> If this is java web services you're having the problem with you can also
> use kerberos with SOAP/XML/RPC. But the catch is only 128Bit Encryption.

Don't forget that I want it to honor system accounts too - or at least 
some that aren't in AD.

> Another option may be LDAP under Apache.

What I'm looking for is a network service that will work across apache 
and java web services (without requiring a login account) that 
transparently merges AD accounts with others that I can control 
separately, and also to be able to use those same logins and passwords 
for linux system logins where accounts are specifically created. That 
is, all AD & linux accounts should work for web services and Linux 
account logins should be able to use AD passwords where they exist.

I'd think this would be a fairly common situation where the bulk of 
company operations are on desktops controlled by AD but there are some 
developers using Linux and some infrastructure resources using it 
(subversion, wikis and other web services, etc.) and some users that 
don't map to employees.

-- 
   Les Mikesell
    lesmikesell at gmail.com
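
The PAM arrangement described in the message (domain or local password accepted, local account required only for real logins), sketched as an added example that is not part of the original post or the poster's actual configuration. It assumes the pam_smb package (`pam_smb_auth.so`) is installed and already pointed at the domain controllers, and that mod_auth_pam uses the PAM service name `httpd`.

```conf
# Added example: two PAM service files shown together, constructed for illustration.

# --- /etc/pam.d/httpd  (assumed service name used by mod_auth_pam) ---
# Try the local password database first. "sufficient" means success ends the
# auth phase; failure (wrong password or user unknown locally) is ignored and
# the stack continues.
auth     sufficient   pam_unix.so
# Then try the domain, reusing the password already collected above instead
# of prompting a second time.
auth     sufficient   pam_smb_auth.so use_first_pass
# Neither backend accepted the password: fail closed.
auth     required     pam_deny.so
# Web users do not need a local account, so the account phase permits anyone
# who passed authentication.
account  required     pam_permit.so

# --- /etc/pam.d/sshd  (a "real login" service) ---
# Same password sources: local or domain password both work.
auth     sufficient   pam_unix.so
auth     sufficient   pam_smb_auth.so use_first_pass
auth     required     pam_deny.so
# pam_unix in the account phase rejects users with no local passwd entry and
# enforces local expiry, so only accounts created on this host can log in.
account  required     pam_unix.so
session  required     pam_unix.so
```

With `pam_permit.so` in the account phase, every domain account that authenticates is accepted by the web service, so any restriction on who may use a given resource has to be enforced in the web server's own authorization rules. The final `pam_deny.so` line matters: without it, a stack made only of `sufficient` modules has no module that forces a failure result.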