| 1 |
On 9/1/06, Brian Kroth <bpkroth@××××.edu> wrote: |
| 2 |
> I've recently begun administrating a site that has about 20 Linux |
| 3 |
> servers of various flavors, another 25 Windows 2003 servers, and soon 15 |
| 4 |
> Apple Xserves. Previously no real policies of any sort existed, so I've |
| 5 |
> been trying to consolidate servers and users and what not. On the |
| 6 |
> Windows side this was fairly easily accomplished via Active Directory. |
| 7 |
> I've begun setting up our new Apple XRaid and it's cluster nodes. While |
| 8 |
> doing this I noticed that it has some built in support for Active |
| 9 |
> Directory authentication, which got me to thinking whether I could also |
| 10 |
> integrate all the Linux servers into this scheme. |
| 11 |
> |
| 12 |
> Basically I would like to use Active Directory to manage users, groups, |
| 13 |
> and passwords. Then have the Linux servers hit up against this using |
| 14 |
> LDAP to translate the uid and gids for some ssh access, filesystem |
| 15 |
> access via Samba and ftp, a few email accounts for use with |
| 16 |
> postfix/dovecot, web authentication, etc. I would also like to make |
| 17 |
> sure I can change passwords on the Linux side. |
| 18 |
> |
| 19 |
> My limited understanding says that this is similar to an OpenLDAP setup |
| 20 |
> through pam/nss with the further modification of remapping some |
| 21 |
> attributes to Active Directory ones (or altering the AD schema, which |
| 22 |
> seems unnecessary to me). Oh, and then there's Kerberos to deal with, |
| 23 |
> which I need to do some more research on. |
| 24 |
> |
| 25 |
> I would like to know if there's anyone out there who's tried to or |
| 26 |
> successfully accomplished this and whether it's any better or worse than |
| 27 |
> setting up a separate OpenLDAP server. I'd prefer to keep it in one |
| 28 |
> directory, but also don't want to cause myself any unnecessary headaches. |
| 29 |
|
| 30 |
I would look at Samba's winbind for this. I know people who have had |
| 31 |
great success with this approach and it is far less intense than what |
| 32 |
you are suggesting. |
| 33 |
|
| 34 |
-Mike |
| 35 |
|
| 36 |
-- |
| 37 |
________________________________ |
| 38 |
Michael E. Crute |
| 39 |
http://mike.crute.org |
| 40 |
|
| 41 |
I may not have gone where I intended to go, but I think I have ended |
| 42 |
up where I intended to be. --Douglas Adams |
| 43 |
-- |
| 44 |
gentoo-server@g.o mailing list |
Archives