LinuxQuestions.org

Linux - Newbie: Does the use of LDAP to communicate with Windows Active Directory require PAM? (https://www.linuxquestions.org/questions/linux-newbie-8/does-the-use-of-ldap-to-communicate-with-windows-active-directory-require-pam-812712/)

dpkavanaugh 06-07-2010 01:45 PM

Does the use of LDAP to communicate with Windows Active Directory require PAM?
 
I want to use LDAP on SUSE 10 to authorize the use of certain objects within IBM's MQ Series via the setmqaut command. I do not want to authenticate these users to the Linux server itself via LDAP. Users that actually log onto the Linux server will be authenticated through a product from Quest formerly known as VAS. My question is: does LDAP require the use of PAM, or can I utilize the facilities within LDAP to communicate with a Windows Active Directory so that I can authorize the use of MQ Series objects and not authenticate the actual users that would log onto the server?

alunduil 06-07-2010 01:49 PM

Are you writing the authentication against LDAP on the Linux box or using something built into the script that needs to be controlled? You do need to use PAM with LDAP if you would authenticate any system service against the MS AD. Otherwise, it shouldn't be necessary but we would need more details about the configuration before we could say for sure.

Regards,

Alunduil

dpkavanaugh 06-08-2010 06:20 AM

LDAP and MQ SERIES
 
I'm not wanting to do AUTHENTICATION. IBM's MQ Series is messaging software. A user must have the AUTHORITY to open a queue manager, write a message to a queue, read a message from a queue, etc. The server piece of MQ Series resides on the Linux guest. When a message is sent to the server, MQ Series will check the user id within the message to ensure that the user id has the authority to do certain functions. That user id must exist, and that is all MQ is concerned with. It does not care about the password, group id, user id, etc., just that the user id exists. Using MQ commands I have given MQ the information on where that ID exists, in this case in a group housed on Active Directory. Internally MQ is going to make a security call, whether it be local or to Active Directory via LDAP.

Therefore I want to use LDAP to validate the authority of a user id to be able to carry out certain MQ functions. This user id will NEVER log onto the physical server and be authenticated. Authentication of users who need to administer the physical server will be handled by third party software. I cannot use this third party software with MQ because of licensing problems.

alunduil 06-08-2010 08:10 AM

Then the answer is yes, you can perform LDAP queries against MS AD, but changing some items on AD 2008 is a bit tricky if you would need to do that as well.

Regards,

Alunduil
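The check the thread is asking about, an LDAP search that only confirms a user id exists and belongs to a group on Active Directory, with no PAM and no authentication of that user, as an added example that is not part of the thread and not IBM MQ's or Quest's own code. The base DN, the group DN and the sample directory entries are assumed values constructed for the demo; the one security detail worth getting right here is that the user id comes out of a message, so it is untrusted and must be escaped before it is placed in the filter, otherwise an id like bob)(objectClass=* rewrites the query. The search callable is kept separate so the same logic runs against a fake in-memory directory offline or a real server via a library such as ldap3.

```python
"""Existence/authorization check for a user id against an Active Directory
group over LDAP, without PAM. Added example, not code from the thread, IBM MQ
or Quest. BASE_DN, GROUP_DN and SAMPLE_ENTRIES are assumed/constructed."""

import re

# RFC 4515 requires these characters to be escaped inside a filter value.
_FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}


def escape_filter_value(value: str) -> str:
    """Escape an untrusted value (e.g. a user id taken from a message) before
    embedding it in a search filter, so 'bob)(objectClass=*' cannot widen it."""
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    """Inverse of escape_filter_value: \\XX hex sequences back to characters."""
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)


def build_authorization_filter(user_id: str, group_dn: str) -> str:
    """Filter matching a user object whose sAMAccountName is user_id and whose
    memberOf attribute contains group_dn. Both values are escaped."""
    return '(&(objectClass=user)(sAMAccountName={})(memberOf={}))'.format(
        escape_filter_value(user_id), escape_filter_value(group_dn))


def user_is_authorized(search, base_dn: str, user_id: str, group_dn: str) -> bool:
    """search(base_dn, ldap_filter, attributes) -> list of entry dicts.
    True only for exactly one match: no match means the id is unknown or not
    in the group; more than one is a directory anomaly and is treated as deny."""
    entries = search(base_dn, build_authorization_filter(user_id, group_dn),
                     ['sAMAccountName'])
    return len(entries) == 1


def _as_list(value):
    return value if isinstance(value, list) else [value]


class FakeDirectory:
    """Minimal stand-in for an LDAP server so the example runs offline. It only
    understands the filter shape build_authorization_filter produces: an AND of
    equality assertions. A real deployment would pass ldap3's Connection.search
    (or similar) as the search callable instead."""

    _ASSERTION = re.compile(r'\(([A-Za-z]+)=([^()]*)\)')

    def __init__(self, entries):
        self.entries = entries

    def search(self, base_dn, ldap_filter, attributes):
        if not (ldap_filter.startswith('(&') and ldap_filter.endswith(')')):
            raise ValueError('unsupported filter: ' + ldap_filter)
        inner = ldap_filter[2:-1]
        matches = list(self._ASSERTION.finditer(inner))
        # Every assertion must be well formed and together consume the string.
        if ''.join(m.group(0) for m in matches) != inner:
            raise ValueError('malformed filter: ' + ldap_filter)
        wanted = [(m.group(1), unescape_filter_value(m.group(2))) for m in matches]
        hits = []
        for entry in self.entries:
            if all(value in _as_list(entry.get(attr, [])) for attr, value in wanted):
                hits.append({a: entry.get(a) for a in attributes})
        return hits


# Assumed directory layout; constructed sample data, not a real domain.
BASE_DN = 'DC=example,DC=com'
GROUP_DN = 'CN=MQ Users,OU=Groups,DC=example,DC=com'
SAMPLE_ENTRIES = [
    {'objectClass': ['top', 'person', 'user'], 'sAMAccountName': 'mqapp1',
     'memberOf': [GROUP_DN]},
    {'objectClass': ['top', 'person', 'user'], 'sAMAccountName': 'jsmith',
     'memberOf': ['CN=Domain Users,CN=Users,DC=example,DC=com']},
]


if __name__ == '__main__':
    directory = FakeDirectory(SAMPLE_ENTRIES)
    for uid in ('mqapp1', 'jsmith', 'nobody', 'mqapp1)(objectClass=*'):
        print(uid, '->', user_is_authorized(directory.search, BASE_DN, uid, GROUP_DN))
```

Against a real domain controller the search callable would bind over LDAPS with a dedicated read-only service account rather than anonymously, since AD does not answer anonymous searches below the rootDSE by default; that bind authenticates the lookup service, not the user id being checked, which is the distinction the original poster is after.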
