Paul Johnson wrote:
> On Fri, Jun 5, 2009 at 5:29 PM, Ross Walker <rswwalker at gmail.com> wrote:
>> On Jun 5, 2009, at 1:00 PM, Les Mikesell <lesmikesell at gmail.com> wrote:
>>
>>> What's the best authentication scheme when you are dealing with an
>>> active directory that someone else controls? I've been using pam
>>> configured for smb and local passwords where a local account is needed
>>> for real logins (but either the domain or local password will work) and
>>> web services don't require a local account. That's most of the
>>> functionality I want and it doesn't take pre-arrangement with the AD
>>> administrator, but I have to glue mod_auth_pam into httpd and I'm not
>>> sure how to duplicate it for java web services.
>>>
>>> Is there a way to use an LDAP proxy in a similar way so I can add
>>> accounts of my own but also accept anything from one or more AD's? Or
>>> some better approach entirely?
>>
>> We use winbind with rid mapping for user/group ids and kerberos for
>> authentication where I am and it works well and provides SSO for the
>> whole windows domain, even LDAP which we use as an address book.
>>
>> You can map ranges of user/group ids to particular domains and it
>> doesn't require any local accounts or manual setting of user ids.
>>
>> You can map those winbind accounts to unix groups globally through NIS.
>>
>> If your network is large set up a couple of rid mapping servers with
>> winbind that then re-export those maps through NIS to keep things
>> consistent. Just make sure your NIS make maps uses getent and winbind
>> is set to enumerate user/groups. Make sure no passwords are in there,
>> only kerberos accounts.
>>
>> -Ross
>
> Hey, Ross:
>
> How do you do this without cooperation from the administrator of the
> AD servers? I can't make any progress at all as long as the
> administrators tell me to go to hell. pam_smb is the only way I can
> make this work without administrator intervention

Same here - which is why I raised the question. Although I probably could
get permission to join the domain, I want to be able to add users on the
Linux side that don't exist in AD. Pam_smb works, but I think something
that used LDAP would be better if the ldap server could have local entries
and proxy for the AD.

--
Les Mikesell
lesmikesell at gmail.com
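The "either the domain or the local password works" PAM arrangement described in this thread, written out as an added illustration rather than anyone's actual configuration: module names follow the pam_smb package as I know it, and the domain, controller and service names are constructed.

```text
# /etc/pam_smb.conf  (constructed values: NT domain, primary and backup controller)
EXAMPLEDOM
dc1.example.com
dc2.example.com

# /etc/pam.d/login-style service (constructed name: "shellaccess")
# auth: each module is `sufficient`, so the stack stops at the first success.
#   pam_unix is tried first so a local password is never sent to the domain
#   controller; use_first_pass makes pam_smb_auth reuse the typed password
#   instead of prompting again.  pam_deny closes the stack if both fail.
auth      sufficient  pam_unix.so
auth      sufficient  pam_smb_auth.so  use_first_pass
auth      required    pam_deny.so
# account: pam_unix requires a *local* account (passwd entry, not expired),
#   which is what makes real logins need a local user even when the
#   password came from AD.
account   required    pam_unix.so
session   required    pam_unix.so

# /etc/pam.d/httpd  (service name mod_auth_pam looks up; assumption)
# Same auth stack, but the account phase deliberately does not consult
# pam_unix, so web users need no local account and any AD or local
# password is accepted.
auth      sufficient  pam_unix.so
auth      sufficient  pam_smb_auth.so  use_first_pass
auth      required    pam_deny.so
account   required    pam_permit.so

# httpd.conf fragment using mod_auth_pam (directive names as I recall them)
<Location /protected>
    AuthType Basic
    AuthName "Example intranet"
    AuthPAM_Enabled on
    AuthPAM_FallThrough off
    Require valid-user
</Location>
```

The defender-side check worth doing on such a stack is to confirm that a locked or removed local account is refused at the `account` phase even though its AD password still validates in `auth`; that is exactly the difference between the two service files above.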