* [gentoo-server] Active Directory Based Authentication?
From: Pandu Poluan @ 2012-05-11 3:36 UTC
To: Gentoo-server@lists.gentoo.org, gentoo-user

Hello list,

I just want to know, what is your recommendation(s) to implement Active Directory authentication on Gentoo?

I want to use AD not only for logins, but also for running daemons/services.

*Ideally*, it would also allow me to manage my boxen using GPO, but I can live without that.

Rgds,

* Re: [gentoo-server] Active Directory Based Authentication?
From: Matthew Thode @ 2012-05-11 14:14 UTC
To: gentoo-server

On 05/10/2012 10:36 PM, Pandu Poluan wrote:
> Hello list,
>
> I just want to know, what is your recommendation(s) to implement Active
> Directory authentication on Gentoo?
>
> I want to use AD not only for logins, but also for running daemons/services.
>
> *Ideally*, it would also allow me to manage my boxen using GPO, but I can
> live without that.
>
> Rgds,
>

Not trying to be rude or anything, but it's easier than providing multiple links.

http://lmgtfy.com/?q=active+directory+authentication+linux

--
-- Matthew Thode (prometheanfire)

* Re: [gentoo-server] Active Directory Based Authentication?
From: Pandu Poluan @ 2012-05-12 13:15 UTC
To: gentoo-server

On May 11, 2012 9:16 PM, "Matthew Thode" <prometheanfire@gentoo.org> wrote:
>
> On 05/10/2012 10:36 PM, Pandu Poluan wrote:
> > Hello list,
> >
> > I just want to know, what is your recommendation(s) to implement Active
> > Directory authentication on Gentoo?
> >
> > I want to use AD not only for logins, but also for running daemons/services.
> >
> > *Ideally*, it would also allow me to manage my boxen using GPO, but I can
> > live without that.
> >
> > Rgds,
> >
> Not trying to be rude or anything, but it's easier than providing
> multiple links.
>
> http://lmgtfy.com/?q=active+directory+authentication+linux
>

I *already* Googled for answers. I got lots of _alternatives_ but not enough _experience-based_recommendations_.

Rgds,

* Re: [gentoo-server] Active Directory Based Authentication?
From: Brian Kroth @ 2012-05-11 14:30 UTC
To: Pandu Poluan; +Cc: Gentoo-server@lists.gentoo.org

Pandu Poluan <pandu@poluan.info> 2012-05-11 10:36:
> Hello list,
>
> I just want to know, what is your recommendation(s) to implement Active
> Directory authentication on Gentoo?

Attribute data can be stored/retrieved in ldaps (as in AD usually only allows authenticated binds to retrieve data and it requires an ssl connection to do that, other than that it's really just ldap).

Authentication can be done either via ldaps or kerberos, though I personally find the latter to be extra complication that's usually unnecessary.

As someone else mentioned, there's a wealth of data out there on how to do this in any number of schemes (eg: libnss-ldap, libpam-ldap, sssd, etc.).

> I want to use AD not only for logins, but also for running
> daemons/services.

I don't see the distinction. Either way it seems you're concerned with authenticating users and doing attribute lookups on them.

> *Ideally*, it would also allow me to manage my boxen using GPO, but I can
> live without that.

I'm not personally aware of anything that does that. If there is, it's probably something like redhat/suse specific.

However, I believe it is possible to use a samba4 host as a domain controller to serve GPs to windows clients.

Cheers,
Brian

* Re: [gentoo-server] Active Directory Based Authentication?
From: Pandu Poluan @ 2012-05-12 13:18 UTC
To: Pandu Poluan, Brian Kroth, Gentoo-server@lists.gentoo.org

On May 11, 2012 9:30 PM, "Brian Kroth" <bpkroth@gmail.com> wrote:
>
> Pandu Poluan <pandu@poluan.info> 2012-05-11 10:36:
>
>> Hello list,
>>
>> I just want to know, what is your recommendation(s) to implement Active
>> Directory authentication on Gentoo?
>
> Attribute data can be stored/retrieved in ldaps (as in AD usually only allows authenticated binds to retrieve data and it requires an ssl connection to do that, other than that it's really just ldap).
>
> Authentication can be done either via ldaps or kerberos, though I personally find the latter to be extra complication that's usually unnecessary.
>
> As someone else mentioned, there's a wealth of data out there on how to do this in any number of schemes (eg: libnss-ldap, libpam-ldap, sssd, etc.).
>
>> I want to use AD not only for logins, but also for running
>> daemons/services.
>
> I don't see the distinction. Either way it seems you're concerned with authenticating users and doing attribute lookups on them.
>
>> *Ideally*, it would also allow me to manage my boxen using GPO, but I can
>> live without that.
>
> I'm not personally aware of anything that does that. If there is, it's probably something like redhat/suse specific.
>
> However, I believe it is possible to use a samba4 host as a domain controller to serve GPs to windows clients.
>

PowerBroker (née Likewise) claims that it can manage Linux boxen via GPO...

... but in my case I think I'll just force my subordinates to learn puppet *heh*heh*

Rgds,

* Re: [gentoo-server] Active Directory Based Authentication?
From: Vinícius Ferrão @ 2012-05-11 14:51 UTC
To: gentoo-server@lists.gentoo.org

Hello Pandu,

I have done an implementation using a daemon named sssd. It's sponsored by the Fedora Project if I remember correctly.

It supports 2008r2 AD without much hassle. I've set up everything relying on LDAP for information and Kerberos for authentication. So you don't need things like nss-ldap, nslcd, nscd and other old services. You can handle almost everything with SSSD. And even better: SSSD supports offline server authentication in case your AD is down or not reachable at the moment.

I can send you some links in the night (Brazilian night) when I will be at home.

Sent from my iPhone

On 11/05/2012, at 00:36, Pandu Poluan <pandu@poluan.info> wrote:

> Hello list,
>
> I just want to know, what is your recommendation(s) to implement Active Directory authentication on Gentoo?
>
> I want to use AD not only for logins, but also for running daemons/services.
>
> *Ideally*, it would also allow me to manage my boxen using GPO, but I can live without that.
>
> Rgds,

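Added example (not part of any message in this thread): a small audit of an sssd.conf laid out the way the message above describes, with LDAP for identity data, Kerberos for authentication and cached credentials for offline logins, which also checks the TLS protection for LDAP lookups that Brian Kroth's message mentions. The domain, host and realm names are hypothetical, the sample file is constructed, and the three checks are this example's choice rather than an official sssd tool.

```python
import configparser

# Constructed sample sssd.conf; domain, host and realm names are hypothetical.
SAMPLE_WEAK = """
[sssd]
domains = example.test

[domain/example.test]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://dc1.example.test
ldap_tls_reqcert = never
krb5_realm = EXAMPLE.TEST
cache_credentials = true
"""

# Same file with TLS enforced and a 3-day limit on cached (offline) logins.
SAMPLE_HARDENED = (
    SAMPLE_WEAK.replace("ldap://", "ldaps://")
    .replace("ldap_tls_reqcert = never", "ldap_tls_reqcert = demand")
    + "\n[pam]\noffline_credentials_expiration = 3\n"
)


def audit_sssd(text):
    """Return findings for every [domain/...] section of an sssd.conf."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    for name in cfg.sections():
        if not name.startswith("domain/"):
            continue
        dom = cfg[name]
        uris = [u.strip() for u in dom.get("ldap_uri", "").split(",") if u.strip()]
        start_tls = dom.get("ldap_id_use_start_tls", "false").lower() == "true"
        if any(not u.startswith("ldaps://") for u in uris) and not start_tls:
            findings.append(f"{name}: identity lookups use LDAP without TLS")
        # sssd's default for ldap_tls_reqcert is "hard"; weaker values skip checks.
        if dom.get("ldap_tls_reqcert", "hard").lower() in ("never", "allow", "try"):
            findings.append(f"{name}: LDAP server certificate not strictly verified")
        if dom.get("cache_credentials", "false").lower() == "true":
            # [pam] offline_credentials_expiration is in days; 0 means no limit.
            days = cfg.get("pam", "offline_credentials_expiration", fallback="0")
            if days.strip() == "0":
                findings.append(f"{name}: cached offline logins never expire")
    return findings

if __name__ == "__main__":
    for label, conf in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(label, audit_sssd(conf))
```
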
* Re: [gentoo-server] Active Directory Based Authentication?
From: Matthew Thode @ 2012-05-11 21:25 UTC
To: gentoo-server

On 05/11/2012 09:51 AM, Vinícius Ferrão wrote:
> Hello Pandu,
>
> I have done an implementation using a daemon named sssd. It's sponsored by the Fedora Project if I remember correctly.
>
> It supports 2008r2 AD without much hassle. I've set up everything relying on LDAP for information and Kerberos for authentication. So you don't need things like nss-ldap, nslcd, nscd and other old services. You can handle almost everything with SSSD. And even better: SSSD supports offline server authentication in case your AD is down or not reachable at the moment.
>
> I can send you some links in the night (Brazilian night) when I will be at home.
>
> Sent from my iPhone
>
> On 11/05/2012, at 00:36, Pandu Poluan <pandu@poluan.info> wrote:
>
>> Hello list,
>>
>> I just want to know, what is your recommendation(s) to implement Active Directory authentication on Gentoo?
>>
>> I want to use AD not only for logins, but also for running daemons/services.
>>
>> *Ideally*, it would also allow me to manage my boxen using GPO, but I can live without that.
>>
>> Rgds,
>

I can attest to how awesome sssd is. I use it for linux server to linux client, but the concept is still the same.

--
-- Matthew Thode (prometheanfire)

* Re: [gentoo-server] Active Directory Based Authentication?
From: Pandu Poluan @ 2012-05-12 13:22 UTC
To: gentoo-server

On May 12, 2012 4:28 AM, "Matthew Thode" <prometheanfire@gentoo.org> wrote:
>
> On 05/11/2012 09:51 AM, Vinícius Ferrão wrote:
> > Hello Pandu,
> >
> > I have done an implementation using a daemon named sssd. It's sponsored by the Fedora Project if I remember correctly.
> >
> > It supports 2008r2 AD without much hassle. I've set up everything relying on LDAP for information and Kerberos for authentication. So you don't need things like nss-ldap, nslcd, nscd and other old services. You can handle almost everything with SSSD. And even better: SSSD supports offline server authentication in case your AD is down or not reachable at the moment.
> >
> > I can send you some links in the night (Brazilian night) when I will be at home.
> >
> > Sent from my iPhone
> >
> > On 11/05/2012, at 00:36, Pandu Poluan <pandu@poluan.info> wrote:
> >
> >> Hello list,
> >>
> >> I just want to know, what is your recommendation(s) to implement Active Directory authentication on Gentoo?
> >>
> >> I want to use AD not only for logins, but also for running daemons/services.
> >>
> >> *Ideally*, it would also allow me to manage my boxen using GPO, but I can live without that.
> >>
> >> Rgds,
> >
> I can attest to how awesome sssd is. I use it for linux server to linux
> client, but the concept is still the same.
>

Ahaha, this is what I've been looking for: a recommendation backed by experience ;-)

Thanks for the heads up, guys! Honestly, this is the first time I ever heard of SSSD. Sounds very interesting... I'll certainly look into it.

Rgds,