JohnS wrote:
> On Mon, 2009-06-15 at 22:30 -0500, Paul Johnson wrote:
>> On Fri, Jun 5, 2009 at 5:29 PM, Ross Walker <rswwalker at gmail.com> wrote:
>>> On Jun 5, 2009, at 1:00 PM, Les Mikesell <lesmikesell at gmail.com> wrote:
>>>
>>>> What's the best authentication scheme when you are dealing with an
>>>> active directory that someone else controls? I've been using pam
>>>> configured for smb and local passwords where a local account is needed
>>>> for real logins (but either the domain or local password will work) and
>>>> web services don't require a local account. That's most of the
>>>> functionality I want and it doesn't take pre-arrangement with the AD
>>>> administrator, but I have to glue mod_auth_pam into httpd and I'm not
>>>> sure how to duplicate it for java web services.
>
> If this is java web services you're having the problem with you can also
> use kerberos with SOAP/XML/RPC. But the catch is only 128-bit encryption.

Don't forget that I want it to honor system accounts too - or at least
some that aren't in AD.

> Another option may be LDAP under Apache.

What I'm looking for is a network service that will work across apache
and java web services (without requiring a login account) that
transparently merges AD accounts with others that I can control
separately, and also to be able to use those same logins and passwords
for linux system logins where accounts are specifically created. That
is, all AD & linux accounts should work for web services and Linux
account logins should be able to use AD passwords where they exist.

I'd think this would be a fairly common situation where the bulk of
company operations are on desktops controlled by AD but there are some
developers using Linux and some infrastructure resources using it
(subversion, wikis and other web services, etc.) and some users that
don't map to employees.

-- 
Les Mikesell
lesmikesell at gmail.com
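The "either the domain or local password will work" behaviour Les describes is a property of the PAM control flags, so as an added illustration (not configuration from anyone in this thread) here is a PAM stack that does that with pam_winbind.so and pam_unix.so. The service name `webauth` is an assumption; mod_auth_pam and a local login would each point their own `/etc/pam.d/<service>` file at this stack.

```conf
# /etc/pam.d/webauth  (assumed service name; example, not from the thread)
#
# auth: first module that succeeds with "sufficient" ends the stack,
# so a user with a local account can use either password.  Try the
# local password first so local-only accounts never hit the domain.
auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass
auth        sufficient    pam_winbind.so use_first_pass
# Always finish with an explicit deny: if neither module succeeded,
# nothing below should be able to grant access by default.
auth        required      pam_deny.so

# account: a local account must still be valid (not expired/locked);
# domain-only users have no local entry, so let winbind vouch for them.
account     sufficient    pam_winbind.so
account     required      pam_unix.so
```

Two things worth checking when you build a stack like this: do not add `nullok` to pam_unix.so here, because a local account with an empty password would then satisfy a "sufficient" line on its own; and keep the trailing pam_deny.so, since a stack whose last line is "sufficient" falls through to the default result if every module fails. With this in place, mod_auth_pam only needs httpd to call the same stack; the Java side is the gap Les raises, because a servlet container has no native PAM hook and would need its own bridge to the same backend.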