public inbox for gentoo-server@lists.gentoo.org
* [gentoo-server] Active Directory integration
From: Brian Kroth @ 2006-09-01 15:00 UTC
  To: gentoo-server

I've recently begun administrating a site that has about 20 Linux 
servers of various flavors, another 25 Windows 2003 servers, and soon 15 
Apple Xserves.  Previously no real policies of any sort existed, so I've 
been trying to consolidate servers and users and what not.  On the 
Windows side this was fairly easily accomplished via Active Directory. 
I've begun setting up our new Apple XRaid and its cluster nodes.  While 
doing this I noticed that it has some built-in support for Active 
Directory authentication, which got me to thinking whether I could also 
integrate all the Linux servers into this scheme.

Basically I would like to use Active Directory to manage users, groups, 
and passwords.  Then have the Linux servers hit up against this using 
LDAP to translate the uid and gids for some ssh access, filesystem 
access via Samba and ftp, a few email accounts for use with 
postfix/dovecot, web authentication, etc.  I would also like to make 
sure I can change passwords on the Linux side.

My limited understanding says that this is similar to an OpenLDAP setup 
through pam/nss with the further modification of remapping some 
attributes to Active Directory ones (or altering the AD schema, which 
seems unnecessary to me).  Oh, and then there's Kerberos to deal with, 
which I need to do some more research on.

I would like to know if there's anyone out there who's tried to or 
successfully accomplished this and whether it's any better or worse than 
setting up a separate OpenLDAP server.  I'd prefer to keep it in one 
directory, but also don't want to cause myself any unnecessary headaches.

Thanks for your input,
Brian
-- 
gentoo-server@gentoo.org mailing list

* RE: [gentoo-server] Active Directory integration
From: Longman, Bill @ 2006-09-01 16:50 UTC
  To: 'gentoo-server@lists.gentoo.org'

> I've recently begun administrating a site that has about 20 Linux
> servers of various flavors, another 25 Windows 2003 servers, and soon 15
> Apple Xserves.  Previously no real policies of any sort existed, so I've
> been trying to consolidate servers and users and what not.  On the
> Windows side this was fairly easily accomplished via Active Directory.
> I've begun setting up our new Apple XRaid and its cluster nodes.  While
> doing this I noticed that it has some built-in support for Active
> Directory authentication, which got me to thinking whether I could also
> integrate all the Linux servers into this scheme.
>
> Basically I would like to use Active Directory to manage users, groups,
> and passwords.  Then have the Linux servers hit up against this using
> LDAP to translate the uid and gids for some ssh access, filesystem
> access via Samba and ftp, a few email accounts for use with
> postfix/dovecot, web authentication, etc.  I would also like to make
> sure I can change passwords on the Linux side.
>
> My limited understanding says that this is similar to an OpenLDAP setup
> through pam/nss with the further modification of remapping some
> attributes to Active Directory ones (or altering the AD schema, which
> seems unnecessary to me).  Oh, and then there's Kerberos to deal with,
> which I need to do some more research on.
>
> I would like to know if there's anyone out there who's tried to or
> successfully accomplished this and whether it's any better or worse than
> setting up a separate OpenLDAP server.  I'd prefer to keep it in one
> directory, but also don't want to cause myself any unnecessary headaches.

I've looked into this same thing, Brian. I have one XServe, and lots of the
other servers - Win2k3, Win2k, Linux, Solaris. One of the things that you
might consider is looking at Windows Services for Unix. You can then put the
UID/GID info in AD.

You should look at winbind, ldap, ldapsam and kerberos USE flags. Prolly
pam, too.

Bill

* Re: [gentoo-server] Active Directory integration
From: Michael Crute @ 2006-09-03  3:08 UTC
  To: gentoo-server

On 9/1/06, Brian Kroth <bpkroth@wisc.edu> wrote:
> I've recently begun administrating a site that has about 20 Linux
> servers of various flavors, another 25 Windows 2003 servers, and soon 15
> Apple Xserves.  Previously no real policies of any sort existed, so I've
> been trying to consolidate servers and users and what not.  On the
> Windows side this was fairly easily accomplished via Active Directory.
> I've begun setting up our new Apple XRaid and its cluster nodes.  While
> doing this I noticed that it has some built-in support for Active
> Directory authentication, which got me to thinking whether I could also
> integrate all the Linux servers into this scheme.
>
> Basically I would like to use Active Directory to manage users, groups,
> and passwords.  Then have the Linux servers hit up against this using
> LDAP to translate the uid and gids for some ssh access, filesystem
> access via Samba and ftp, a few email accounts for use with
> postfix/dovecot, web authentication, etc.  I would also like to make
> sure I can change passwords on the Linux side.
>
> My limited understanding says that this is similar to an OpenLDAP setup
> through pam/nss with the further modification of remapping some
> attributes to Active Directory ones (or altering the AD schema, which
> seems unnecessary to me).  Oh, and then there's Kerberos to deal with,
> which I need to do some more research on.
>
> I would like to know if there's anyone out there who's tried to or
> successfully accomplished this and whether it's any better or worse than
> setting up a separate OpenLDAP server.  I'd prefer to keep it in one
> directory, but also don't want to cause myself any unnecessary headaches.

I would look at Samba's winbind for this. I know people who have had
great success with this approach and it is far less intense than what
you are suggesting.

-Mike

-- 
________________________________
Michael E. Crute
http://mike.crute.org

I may not have gone where I intended to go, but I think I have ended
up where I intended to be. --Douglas Adams
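Putting Bill's "UID/GID info in AD" and Mike's winbind suggestion together, here is an added smb.conf for a Linux domain member (an example written for this thread, not config from any poster or from the Samba project). It assumes a domain EXAMPLE.CORP (NetBIOS name EXAMPLE) whose users and groups already carry the RFC 2307 / Services for Unix attributes, and it uses current smb.conf(5) option names, which differ from the Samba 3.0-era spelling.

```ini
# Added example, not from the thread or from Samba's own documentation.
# Assumed: AD domain EXAMPLE.CORP (NetBIOS name EXAMPLE) whose user and
# group objects carry RFC 2307 / Services for Unix attributes
# (uidNumber, gidNumber, unixHomeDirectory, loginShell).
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.CORP
    security = ads
    # Keep the machine account's keys in a keytab so sshd and pam_krb5 can
    # verify tickets against the host principal, not just the password.
    kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.keytab

    # Fallback range for SIDs that are not in the domain (well-known
    # SIDs, trusted domains). It must not overlap the domain range below
    # or the ids already handed out in local /etc/passwd.
    idmap config * : backend = tdb
    idmap config * : range = 3000000-3999999

    # Read uidNumber/gidNumber from AD instead of allocating them per
    # host, so a file owned by uid 10042 means the same user on every box.
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : schema_mode = rfc2307
    idmap config EXAMPLE : range = 10000-999999
    # Take the home directory and shell from the AD attributes as well.
    winbind nss info = rfc2307
    # With the ad backend, a domain user whose object has no uidNumber
    # gets no id at all rather than an invented one; that is the point.

    winbind use default domain = yes
    winbind refresh tickets = yes
    # Keep getent from enumerating the whole directory.
    winbind enum users = no
    winbind enum groups = no
    # Used only for accounts that lack unixHomeDirectory / loginShell.
    template shell = /bin/bash
    template homedir = /home/%D/%U

# /etc/nsswitch.conf then needs:
#   passwd: files winbind
#   group:  files winbind
# Join with:   net ads join -U Administrator
# Verify with: wbinfo -t ; getent passwd someuser
```

Run `testparm` before restarting winbind so a typo in an idmap line does not silently leave the host mapping nothing.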

* Re: [gentoo-server] Active Directory integration
From: Kyle Lutze @ 2006-09-03 18:45 UTC
  To: gentoo-server

Longman, Bill wrote:
>> I've recently begun administrating a site that has about 20 Linux
>> servers of various flavors, another 25 Windows 2003 servers, and soon 15
>> Apple Xserves.  Previously no real policies of any sort existed, so I've
>> been trying to consolidate servers and users and what not.  On the
>> Windows side this was fairly easily accomplished via Active Directory.
>> I've begun setting up our new Apple XRaid and its cluster nodes.  While
>> doing this I noticed that it has some built-in support for Active
>> Directory authentication, which got me to thinking whether I could also
>> integrate all the Linux servers into this scheme.
>>
>> Basically I would like to use Active Directory to manage users, groups,
>> and passwords.  Then have the Linux servers hit up against this using
>> LDAP to translate the uid and gids for some ssh access, filesystem
>> access via Samba and ftp, a few email accounts for use with
>> postfix/dovecot, web authentication, etc.  I would also like to make
>> sure I can change passwords on the Linux side.
>>
>> My limited understanding says that this is similar to an OpenLDAP setup
>> through pam/nss with the further modification of remapping some
>> attributes to Active Directory ones (or altering the AD schema, which
>> seems unnecessary to me).  Oh, and then there's Kerberos to deal with,
>> which I need to do some more research on.
>>
>> I would like to know if there's anyone out there who's tried to or
>> successfully accomplished this and whether it's any better or worse than
>> setting up a separate OpenLDAP server.  I'd prefer to keep it in one
>> directory, but also don't want to cause myself any unnecessary headaches.
> 
> I've looked into this same thing, Brian. I have one XServe, and lots of the
> other servers - Win2k3, Win2k, Linux, Solaris. One of the things that you
> might consider is looking at Windows Services for Unix. You can then put the
> UID/GID info in AD.
> 
> You should look at winbind, ldap, ldapsam and kerberos USE flags. Prolly
> pam, too.
> 
> Bill

I would agree on all of those except for kerberos. If you want to know
why, there's plenty of articles on the web that will help you realize why
it's bad. ldap and winbind are my first two choices.

Kyle