[CentOS] authentication loosely tied to active directory?

Tue Jun 16 21:25:04 UTC 2009
Les Mikesell <lesmikesell at gmail.com>

JohnS wrote:
> 
>>> Web Services via SOAP can be your "Middle Ware" (man in the middle) to
>>> authentication here.
>> I thought that was what PAM was for.  I just don't know how to glue it 
>> into someone else's java web app (like OpenNMS or Pentaho's server).
> 
> True PAM can probably work for some. It seems opennms does not support
> PAM? Then my guess is that is where Apache Axis and SOAP or a SOAP Proxy
> come in.
> 
> http://www.opennms.org/index.php/Active_Directory_Integration
> I know you can do that. Not sure on the local account side.

That's the problem - PAM stacks methods nicely.  Most other things can 
use multiples too, but you have to configure each app in weird ways to 
do it.  That's why I think configuring PAM and apps that don't use PAM 
to use LDAP would be the cleanest approach, then configure the LDAP 
server side to merge the accounts I want - or make it look that way by 
proxying.

> Pentaho's
> looks too much like a Lockin App for anything. Not familiar with it
> either.

It's really tomcat under the covers on the server side (so probably 
acecgi like opennms).  The code is all available in the community 
edition - but it is enough of a monster that you probably would need the 
support if you needed to do more than a few reports, which is all I'm 
doing so far.  It's probably overkill but I really hate doing report 
layout work manually and it has a nice interactive design tool that 
publishes the runtime to the web server where it can generate html, pdf, 
or a spreadsheet download.

>>> Your AD admin is going to have to help out in some
>>> way for this to happen. No way around it I see.
>> He doesn't now, using PAM with both smb and local password authentication.
>>
> If he does not know he needs his brain checked out.

Machines using smb auth don't have to join the domain - and it doesn't 
need any special support.  For apache, mod_auth_pam works, but isn't a 
stock centos module.  I think you are supposed to be able to use 
mod_auth_sasl with pam these days but I haven't tried to convert yet.

>> I don't want anonymous accounts.  I just want to be able to add some 
>> that are unrelated to AD, but I'd prefer to not have to add them to 
>> every machine.
> 
> The bad part is adding them to every machine and I would be against
> that.

So far an occasional 'addusr somebody; passwd somebody' has been easier 
than setting up a network database that I can trust.

>> I think PAM with smb and ldap would sort-of work but it still doesn't 
>> seem like the right approach and so far it has been easier to manage a 
>> small number of exceptions on a small number of separate machines.  I 
>> thought there were LDAP servers that could proxy for multiple other 
>> servers where some of those might be AD's.
> 
> I guess the optimal thing to do is figure out every way all apps 
> can authenticate and go from there.

I think that's near infinite - especially if you try to set something up 
for future use.

> OR get a machine with hardware
> that can handle all the running apps and auth at the machine level.
> I'm just thinking in terms of a Blade Server. Just a side note I know
> you can proxy SOAP requests but not sure on ldap.

So far there aren't that many machines or users that need exceptions 
from what smb_auth provides - but I'd probably try to migrate more stuff 
currently on windows boxes if everything was seamless.

--
    Les Mikesell
      lesmikesell at gmail.com
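As an added illustration of the "PAM stacks methods nicely" point in the message above (this is example configuration written for this page, not anything from the thread, from CentOS, or from the OpenNMS/Pentaho projects): a CentOS 5 style `/etc/pam.d/system-auth` auth stack that checks the local shadow file first and then hands the same password to the domain through pam_smb, so a handful of non-AD exception accounts created with useradd keep working beside domain logins. It assumes the `pam_smb` package is installed and that `/etc/pam_smb.conf` names the domain and its controllers; the module names and control flags are the standard ones, but the exact option set on each line is an assumption for the example and should be checked against the module documentation on the target system.

```text
# /etc/pam.d/system-auth, auth section only (added example, not from the thread)
#
# Order matters. A "sufficient" line ends the stack on success, so:
#   1. local /etc/shadow is tried first (covers the useradd exceptions),
#   2. requisite pam_succeed_if stops system accounts (uid < 500) from
#      ever being checked against the domain,
#   3. pam_smb re-uses the already typed password against the domain,
#   4. pam_deny makes "nothing matched" an explicit failure instead of
#      relying on whatever the last module happened to return.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_smb_auth.so use_first_pass
auth        required      pam_deny.so
```

Two things worth checking before relying on this: pam_smb only verifies the password, so a domain user still has to be resolvable through NSS (a local passwd entry, nss_ldap or winbind) for the account and session phases to succeed, which is the "local account side" gap the OpenNMS link alludes to; and an account that exists both locally and in AD will authenticate with either password under this ordering, so local exceptions should be named so they do not collide with domain accounts.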