JohnS wrote:
> >>> Web Services via SOAP can be your "Middle Ware" (man in the middle) to
> >>> authentication here.
>> I thought that was what PAM was for. I just don't know how to glue it
>> into someone else's java web app (like OpenNMS or Pentaho's server).
>
> True PAM can probably work for some. It seems opennms does not support
> PAM? Then my guess is that is where Apache Axis and SOAP or a SOAP Proxy
> come in.
>
> http://www.opennms.org/index.php/Active_Directory_Integration
> I know you can do that. Not sure on the local account side.

That's the problem - PAM stacks methods nicely. Most other things can use multiples too, but you have to configure each app in weird ways to do it. That's why I think configuring PAM and apps that don't use PAM to use LDAP would be the cleanest approach, then configure the LDAP server side to merge the accounts I want - or make it look that way by proxying.

> Pentaho's
> looks too much like a Lock-in App for anything. Not familiar with it
> either.

It's really tomcat under the covers on the server side (so probably acecgi like opennms). The code is all available in the community edition - but it is enough of a monster that you probably would need the support if you needed to do more than a few reports, which is all I'm doing so far. It's probably overkill but I really hate doing report layout work manually and it has a nice interactive design tool that publishes the runtime to the web server where it can generate html, pdf, or a spreadsheet download.

>>> Your AD admin is going to have to help out in some
>>> way for this to happen. No way around it I see.
>> He doesn't now, using PAM with both smb and local password authentication.
>>
> If he does not know he needs his brain checked out.

Machines using smb auth don't have to join the domain - and it doesn't need any special support. For apache, mod_auth_pam works, but isn't a stock centos module. I think you are supposed to be able to use mod_auth_sasl with pam these days but I haven't tried to convert yet.

>> I don't want anonymous accounts. I just want to be able to add some
>> that are unrelated to AD, but I'd prefer to not have to add them to
>> every machine.
>
> The bad part is adding them to every machine and I would be against
> that.

So far an occasional 'addusr somebody; passwd somebody' has been easier than setting up a network database that I can trust.

>> I think PAM with smb and ldap would sort-of work but it still doesn't
>> seem like the right approach and so far it has been easier to manage a
>> small number of exceptions on a small number of separate machines. I
>> thought there were LDAP servers that could proxy for multiple other
>> servers where some of those might be AD's.
>
> I guess the optimal thing to do is figure out every way all apps
> can authenticate and go from there.

I think that's near infinite - especially if you try to set something up for future use.

> OR get a machine with hardware
> that can handle all the running apps and auth at the machine level.
> I'm just thinking in terms of a Blade Server. Just a side note I know
> you can proxy SOAP requests but not sure on ldap.

So far there aren't that many machines or users that need exceptions from what smb_auth provides - but I'd probably try to migrate more stuff currently on windows boxes if everything was seamless.

-- 
Les Mikesell
lesmikesell at gmail.com
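The "PAM stacks methods nicely" point in the message above, shown as a concrete stack. This is an added example, not configuration from either poster; it assumes a CentOS-style /etc/pam.d/system-auth, the pam_smb package (pam_smb_auth.so, configured through /etc/pam_smb.conf) and pam_ldap.so being installed, and that the exception accounts exist only in /etc/passwd and /etc/shadow.

```conf
# Added example of a stacked auth section (not from the thread).
# Control flags decide what "stacking" means:
#   sufficient  - if this module succeeds, stop here and allow; if it
#                 fails, ignore the failure and try the next module.
#   required    - must succeed; the final pam_deny makes the stack fail
#                 closed when no module above it accepted the password.
#   try_first_pass / use_first_pass - reuse the password already typed
#                 so the user is not prompted once per backend.
auth        required      pam_env.so
# Local exception accounts: an /etc/shadow match wins outright, so these
# users never generate traffic to the domain controllers or LDAP.
auth        sufficient    pam_unix.so try_first_pass
# Domain users: password checked against the controllers listed in
# /etc/pam_smb.conf (assumed present); no domain join required.
auth        sufficient    pam_smb_auth.so use_first_pass
# Anything else that lives in the directory.
auth        sufficient    pam_ldap.so use_first_pass
# Fail closed. Without this line a misconfigured stack can fall through
# to an implicit allow.
auth        required      pam_deny.so

# Account phase: local users are authorised by pam_unix; directory users
# pass through pam_ldap, and "user_unknown=ignore" keeps pam_ldap from
# rejecting accounts it has never heard of (the local exceptions).
account     required      pam_unix.so
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
```

Two checks worth doing after a change like this: confirm that a local exception account still logs in with the domain controllers unreachable (the pam_unix line should be sufficient on its own), and confirm that a user known to no backend is rejected rather than silently admitted, which is what the trailing pam_deny.so is there to guarantee. Leave nullok off pam_unix.so: with several sufficient modules in play an empty-password local entry would short-circuit the whole stack.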