LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 04-14-2008, 09:42 AM   #1
humbletech99
Member
 
Registered: Jun 2005
Posts: 374

Rep: Reputation: 30
Does anyone here authenticate against Active Directory?


Hi,

I'd like to know if anyone here authenticates their servers against Active Directory. I did this a couple of years ago, but never rolled it out to my servers for a few reasons.

Now I'm thinking of this again, but the main thing I'd really like to know is how stable and maintainable this is across lots of servers and through upgrades. I've noticed that when there are upgrades, occasionally pam files are changed/upgraded. Since this generally relies on you fiddling the pam stacks I figure that sooner or later this brittle solution will snap in an upgrade, locking people out of the server.

I suspect that the main problem is that most people do not change pams and therefore there is included user-defined stack that is kept referenced through rolling upgrades...

Does anyone have any experience with how stable it is to authenticate lots of servers against AD for single sign-on?
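A post-upgrade check of the kind the poster's concern calls for, added here as an example and not code from the thread: a POSIX sh function that inspects a PAM config file and reports whether an AD module is still referenced in the auth and account stacks, and whether pam_unix is still there as a local fallback so an AD outage does not lock everyone out. The module names (pam_winbind, pam_ldap, pam_krb5, pam_sss), the Debian-style file layout and the two sample files are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks whether a PAM config file
# still references an AD module after an upgrade and whether pam_unix is
# still present as a local fallback. Module names below are assumptions.
AD_MODULES='pam_winbind|pam_ldap|pam_krb5|pam_sss'

# Print the non-comment lines of PAM type $2 ("auth", "account") from file $1.
pam_lines() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | awk -v t="$2" '$1 == t'
}

# Count lines of type $2 in $1 whose module matches regex $3 (prints 0 if none).
count_module_lines() {
    pam_lines "$1" "$2" | grep -Ec "$3" || true
}

# Return 0 when an AD module is in both the auth and account stacks and
# pam_unix is still in the auth stack; return 1 and print warnings otherwise.
check_pam_stack() {
    f="$1"; status=0
    for ptype in auth account; do
        if [ "$(count_module_lines "$f" "$ptype" "$AD_MODULES")" -eq 0 ]; then
            echo "WARN: $f: no AD module in '$ptype' stack (upgrade may have reset it)"
            status=1
        fi
    done
    if [ "$(count_module_lines "$f" auth pam_unix)" -eq 0 ]; then
        echo "WARN: $f: pam_unix missing from 'auth'; local logins fail if AD is down"
        status=1
    fi
    return "$status"
}

# Write two constructed sample files into directory $1 for demonstration.
write_sample_configs() {
    cat > "$1/common-auth.ad" <<'EOF'
# constructed sample: stack after AD integration via winbind
auth    sufficient  pam_winbind.so krb5_auth
auth    required    pam_unix.so use_first_pass
account sufficient  pam_winbind.so
account required    pam_unix.so
EOF
    cat > "$1/common-auth.stock" <<'EOF'
# constructed sample: stock file written back by a package upgrade
auth    required    pam_unix.so
account required    pam_unix.so
EOF
}
```

Run `check_pam_stack /etc/pam.d/common-auth` (or the equivalent file on your distribution) from a post-upgrade hook or cron job; a non-zero exit means the stack was reset and needs attention before anyone is locked out.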
 
Old 04-15-2008, 10:22 AM   #2
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 428

Rep: Reputation: 65
You don't need Active Directory to do that. Look into OpenLDAP: http://www.openldap.org/

You can configure multiple systems to look to the LDAP servers for authentication and not have to worry about using a Windows server that is an AD domain controller.
 
Old 04-24-2008, 02:56 PM   #3
humbletech99
Member
 
Registered: Jun 2005
Posts: 374

Original Poster
Rep: Reputation: 30
Yes, of course you can authenticate to OpenLDAP, but the question was regarding Active Directory specifically, because this gives you single sign-on between Windows and Linux. There's no point in having two different systems to maintain the same user accounts on each; it just doubles the workload...
 
Old 04-24-2008, 03:15 PM   #4
TB0ne
Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 14,767

Rep: Reputation: 2613
I did here a few years ago, and it seemed OK, but we went the LDAP route instead.

Check out these links, they may help you:

http://ubuntuforums.org/showthread.php?t=91510
http://developer.novell.com/wiki/ind...Authentication

Personally, I think LDAP is a bit friendlier to administer, and has a greater set of tools. It's also supported by a lot of different things, so you're not tied to one platform, but I know sometimes you just get forced down another path.
 
Old 04-24-2008, 03:49 PM   #5
ValekFromDI
LQ Newbie
 
Registered: Apr 2008
Posts: 3

Rep: Reputation: 0
The thing of the thing is that there are a lot of us out here that have massive MS installs. And we'd like to bring Linux into the picture, but we can't start out by replacing everything. It just isn't practical.

Right now I'm working on deploying our first production Linux server and I need to be able to evaluate print permissions based on AD group membership. That's my current dilemma and it is keeping Linux out of our business. This is the pervasive problem that is keeping Linux out of a lot of businesses.

If it's an all or nothing situation, it will almost always end up being nothing.

I'm making progress on my project, but it has definitely been an uphill battle. I know it can work, and I will make it work. But please don't ask people to completely dump the infrastructure that they have so that they can use Linux, because from a VP or manager standpoint the answer will probably be "I guess we don't need Linux after all."


(Sorry if I got preachy there, but I've heard this stuff from managers and VPs for about 5 years now.)
 
Old 04-25-2008, 03:22 AM   #6
humbletech99
Member
 
Registered: Jun 2005
Posts: 374

Original Poster
Rep: Reputation: 30
It can be done, it's just very inconvenient and may be more trouble than it's worth unless you're very skilled and experienced in Linux. Getting it to work is the easy part; keeping it working through upgrades is harder (depending on distro), which is why I ask...

I got this working more than 2 years ago, but it felt brittle, so I didn't roll it out to all my Linux servers.
 
Old 04-25-2008, 10:49 AM   #7
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 428

Rep: Reputation: 65
Windows Services for UNIX (SFU) 3.5 might be able to help with the AD integration.

Also, AD supports LDAP queries, so you could just set up the system to auth to LDAP and use AD. As far as single sign-on goes, if you are talking about just using one account on both Windows and Unix, then that's fine. But the "Microsoft single sign-on" won't work, because it uses NTLMSSP (NT LAN Manager Security Support Provider), and that works for all mapped drives, proxies, etc.
 