[CentOS] authentication loosely tied to active directory?

Tue Jun 16 19:40:39 UTC 2009
Les Mikesell <lesmikesell at gmail.com>

JohnS wrote:
> 
>> What I'm looking for is a network service that will work across apache 
>> and java web services (without requiring a login account) that 
>> transparently merges AD accounts with others that I can control 
>> separately, and also to be able to use those same logins and passwords 
>> for linux system logins where accounts are specifically created. That 
>> is, all AD & linux accounts should work for web services and Linux 
>> account logins should be able to use AD passwords where they exist.
>>
>> I'd think this would be a fairly common situation where the bulk of 
>> company operations are on desktops controlled by AD but there are some 
>> developers using Linux and some infrastructure resources using it 
>> (subversion, wikis and other web services, etc.) and some users that 
>> don't map to employees.
>>
> ---
> Web Services via SOAP can be your "Middle Ware" (man in the middle) to
> authentication here.

I thought that was what PAM was for.  I just don't know how to glue it 
into someone else's java web app (like OpenNMS or Pentaho's server).

> Your AD admin is going to have to help out in some
> way for this to happen. No way around it I see.

He doesn't now, using PAM with both smb and local password authentication.

> Anonymous accounts can
> be mapped to the appropriate AD account (IWAM_User - depends on
> service app). Firefox can use the LDAP Plugin, Apache auth can be mapped
> to LDAP on AD. Once an AD account is locked out he will know anyway.

I don't want anonymous accounts.  I just want to be able to add some 
that are unrelated to AD, but I'd prefer to not have to add them to 
every machine.

> Maybe check out MS Web Services Interface and WSDL for AD. It is just
> something to really sit down and think about authentication between
> mixed node systems. Can it be done? Yes. One other solution here
> Enterprise wide would be Citrix.

I think PAM with smb and ldap would sort-of work but it still doesn't 
seem like the right approach and so far it has been easier to manage a 
small number of exceptions on a small number of separate machines.  I 
thought there were LDAP servers that could proxy for multiple other 
servers where some of those might be AD's.

-- 
   Les Mikesell
    lesmikesell at gmail.com
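The proxying LDAP server mentioned at the end of the message can be built with OpenLDAP's meta backend. The following slapd.conf fragment is an added example, not from the thread: it presents Active Directory and a locally managed subtree under one virtual base DN so that Apache, Java web apps and pam_ldap need only one server; the hostnames, DNs, schema paths and the read-only service account are assumptions.

```conf
# Added example (not from the thread): one slapd instance using the meta
# backend to merge AD with a locally managed subtree under a single
# virtual naming context. Hostnames, DNs and credentials are assumptions.
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
pidfile         /var/run/openldap/slapd.pid

# Accounts that do not map to AD users live here and are edited directly.
# Declared first so the more specific suffix is served locally, not proxied.
database        bdb
suffix          "ou=local,dc=example,dc=com"
rootdn          "cn=admin,ou=local,dc=example,dc=com"
rootpw          {SSHA}REPLACE_WITH_SLAPPASSWD_OUTPUT
directory       /var/lib/ldap/local

# Virtual tree that web apps and pam_ldap point at. The meta backend
# forwards each subtree to the real server that owns it.
database        meta
suffix          "dc=example,dc=com"

# Target 1: Active Directory. Searches under ou=ad,... are rewritten to
# AD's real base DN. AD refuses anonymous searches, so the search phase
# uses a low-privilege read-only service account; a user's own bind is
# still forwarded to AD, so passwords are never stored on the proxy.
uri             "ldap://dc1.corp.example.com/ou=ad,dc=example,dc=com"
suffixmassage   "ou=ad,dc=example,dc=com" "dc=corp,dc=example,dc=com"
idassert-bind   bindmethod=simple
                binddn="cn=ldapproxy,cn=Users,dc=corp,dc=example,dc=com"
                credentials="REPLACE_ME"
# AD names accounts with sAMAccountName; pam_ldap and mod_authnz_ldap
# look up uid, so map local "uid" onto the foreign attribute.
map attribute   uid sAMAccountName

# Target 2: the local database above, reached over loopback.
uri             "ldap://127.0.0.1/ou=local,dc=example,dc=com"
```

Clients then search `dc=example,dc=com` for `uid=<login>` and bind with the DN they get back; whether the password is checked by AD or by the local database is decided by which subtree the entry came from.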