On Fri, Jun 5, 2009 at 5:29 PM, Ross Walker <rswwalker at gmail.com> wrote:
> On Jun 5, 2009, at 1:00 PM, Les Mikesell <lesmikesell at gmail.com> wrote:
>
>> What's the best authentication scheme when you are dealing with an
>> active directory that someone else controls? I've been using pam
>> configured for smb and local passwords where a local account is needed
>> for real logins (but either the domain or local password will work) and
>> web services don't require a local account. That's most of the
>> functionality I want and it doesn't take pre-arrangement with the AD
>> administrator, but I have to glue mod_auth_pam into httpd and I'm not
>> sure how to duplicate it for java web services.
>>
>> Is there a way to use an LDAP proxy in a similar way so I can add
>> accounts of my own but also accept anything from one or more ADs? Or
>> some better approach entirely?
>
> We use winbind with rid mapping for user/group ids and kerberos for
> authentication where I am and it works well and provides SSO for the
> whole windows domain, even LDAP which we use as an address book.
>
> You can map ranges of user/group ids to particular domains and it
> doesn't require any local accounts or manual setting of user ids.
>
> You can map those winbind accounts to unix groups globally through NIS.
>
> If your network is large, set up a couple of rid mapping servers with
> winbind that then re-export those maps through NIS to keep things
> consistent. Just make sure your NIS make maps uses getent and winbind
> is set to enumerate user/groups. Make sure no passwords are in there,
> only kerberos accounts.
>
> -Ross
>

Hey, Ross:

How do you do this without cooperation from the administrator of the AD
servers? I can't make any progress at all as long as the administrators
tell me to go to hell. pam_smb is the only way I can make this work
without administrator intervention.

--
Paul E. Johnson
Professor, Political Science
1541 Lilac Lane, Room 504
University of Kansas
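Ross's setup hinges on one property: the rid backend maps a domain RID to a POSIX id deterministically (Samba documents the formula as ID = RID - BASE_RID + LOW_RANGE_ID, base_rid defaulting to 0), so every winbind host, and every NIS map re-exported from one, produces the same uid for the same account, provided the per-domain ranges never overlap. The script below is an added example, not anything from this thread or from Samba: it parses a constructed smb.conf-style fragment (the domain names EXAMPLE and PARTNER and the ranges are made up), refuses it if any two idmap ranges overlap, and computes the id a given SID's RID would receive, failing when the RID falls outside the domain's range.

```shell
#!/bin/sh
# Added example: check idmap_rid ranges for overlap and compute RID -> id.
# Constructed sample config; EXAMPLE and PARTNER are hypothetical domains.
SAMPLE_SMBCONF='
[global]
   security = ads
   realm = EXAMPLE.TEST
   workgroup = EXAMPLE
   kerberos method = secrets and keytab
   winbind enum users = yes
   winbind enum groups = yes
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 10000-19999
   idmap config PARTNER : backend = rid
   idmap config PARTNER : range = 20000-29999
'

# Print "DOMAIN LOW HIGH" for every "idmap config DOMAIN : range = LOW-HIGH" line.
idmap_ranges() {
    printf '%s\n' "$SAMPLE_SMBCONF" |
    sed -n 's/^[[:space:]]*idmap config[[:space:]]*\([^[:space:]:]*\)[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9]*\)-\([0-9]*\).*/\1 \2 \3/p'
}

# Succeed only if no two ranges overlap and none is empty; names the offenders otherwise.
# Overlapping ranges would hand one domain's users the files of another's.
ranges_disjoint() {
    idmap_ranges | sort -k2,2n | awk '
        BEGIN { bad = 0 }
        {
            if ($2 > $3) { print "empty range: " $1; bad = 1 }
            if (NR > 1 && $2 <= prev_high) { print "overlap: " prev " and " $1; bad = 1 }
            prev = $1; prev_high = $3
        }
        END { exit bad }'
}

# The RID is the last "-" separated component of a SID.
sid_to_rid() { printf '%s\n' "${1##*-}"; }

# Samba's documented rid mapping: ID = RID - BASE_RID + LOW_RANGE_ID (base_rid = 0 here).
# Prints the id, or fails when the domain has no range or the RID overflows it.
rid_to_id() {
    domain=$1; rid=$2
    set -- $(idmap_ranges | awk -v d="$domain" '$1 == d { print $2, $3 }')
    [ $# -eq 2 ] || { echo "no rid range configured for $domain" >&2; return 1; }
    id=$(( rid + $1 ))
    [ "$id" -le "$2" ] || { echo "RID $rid of $domain maps past range high $2" >&2; return 1; }
    printf '%s\n' "$id"
}

# Usage: validate the fragment, then map a constructed SID from domain EXAMPLE.
if ranges_disjoint; then
    echo "idmap ranges are disjoint"
    rid_to_id EXAMPLE "$(sid_to_rid S-1-5-21-1111-2222-3333-1105)"
fi
```

Run it against your own smb.conf by replacing SAMPLE_SMBCONF with `cat /etc/samba/smb.conf`; the overlap check is the one to repeat on every rid-mapping server before its maps are pushed out through NIS, since a range edit on one host silently breaks the consistency Ross is relying on.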