On 3/29/2011 2:27 PM, Ray Van Dolson wrote:
>
>>> That said, if you have a variety of platforms and OSes to support,
>>> Likewise is a great option... (never tried Centrify)
>>
>> Do either/both of these let you add accounts for the Linux side that
>> don't propagate back to AD? I'd like something to use in a lab so
>> existing users/passwords didn't take extra work but we could still add
>> accounts that don't exist (and we don't want) in AD. Easy hooks for
>> apache and java web services to see the combined accounts would be a big
>> plus.
>
> My understanding is you'd have to rely on local accounts or a second
> centralized authentication source (probably done via NSS, not via
> Likewise directly).
>
> Maybe allowing the accounts to float back to AD but somehow restricting
> them for Unix login use only...
>
> (We have a long-standing project to migrate off NIS to AD-only --
> preserving UIDs/GIDs and defining the sort of access requirements you
> describe is a bit of a challenge).

I thought I had seen tools that can proxy LDAP services to multiple backends, with one of them being AD, but at the time it seemed too complicated, so I set up pam_smb and mod_auth_pam in apache (and set up apache to not require account info). That lets me add local accounts to a machine for the people who either need login-type services or aren't in AD, and still accept passwords that are in AD. But it has to be repeated per machine, and I don't have java web services working with it.

What I'd like to have is an LDAP server or even a separate AD server to manage extra users, and then a proxy service that combines the logins from both sources for any number of clients. Basically I want to trust both authentication sources, but not add mine to the main AD or have it trust mine, and I want it in a way that apache, java, etc. already understand, besides being usable for login service.

--
Les Mikesell
lesmikesell at gmail.com