> I've recently begun administrating a site that has about 20 Linux
> servers of various flavors, another 25 Windows 2003 servers, and soon 15
> Apple Xserves. Previously no real policies of any sort existed, so I've
> been trying to consolidate servers and users and what not. On the
> Windows side this was fairly easily accomplished via Active Directory.
> I've begun setting up our new Apple XRaid and its cluster nodes. While
> doing this I noticed that it has some built in support for Active
> Directory authentication, which got me to thinking whether I could also
> integrate all the Linux servers into this scheme.
>
> Basically I would like to use Active Directory to manage users, groups,
> and passwords. Then have the Linux servers hit up against this using
> LDAP to translate the uid and gids for some ssh access, filesystem
> access via Samba and ftp, a few email accounts for use with
> postfix/dovecot, web authentication, etc. I would also like to make
> sure I can change passwords on the Linux side.
>
> My limited understanding says that this is similar to an OpenLDAP setup
> through pam/nss with the further modification of remapping some
> attributes to Active Directory ones (or altering the AD schema, which
> seems unnecessary to me). Oh, and then there's Kerberos to deal with,
> which I need to do some more research on.
>
> I would like to know if there's anyone out there who's tried to or
> successfully accomplished this and whether it's any better or worse than
> setting up a separate OpenLDAP server. I'd prefer to keep it in one
> directory, but also don't want to cause myself any unnecessary headaches.

I've looked into this same thing, Brian. I have one XServe, and lots of the
other servers - Win2k3, Win2k, Linux, Solaris. One of the things that you
might consider is looking at Windows Services for Unix. You can then put the
UID/GID info in AD.

You should look at winbind, ldap, ldapsam and kerberos USE flags. Prolly
pam, too.

Bill
--
gentoo-server@g.o mailing list
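The winbind route Bill points at, written out as an added example that is not part of the thread and not anything Brian or Bill posted. It renders the smb.conf, krb5.conf, nsswitch.conf and PAM fragment a Kerberos-based AD join needs, then joins and checks the result. `EXAMPLE.COM`, `EXAMPLE` and the idmap ranges are placeholders; the `idmap config` syntax and the `rfc2307` schema mode (which reads the uidNumber/gidNumber that Services for Unix stores in AD, so every Linux box resolves the same UIDs) are current Samba syntax rather than the Samba 3 `idmap uid` form of the thread's era; `/etc/init.d/winbind` is the Gentoo OpenRC path.

```shell
#!/bin/sh
# Added example, not from the gentoo-server thread. Renders the config files
# for a winbind/Kerberos Active Directory join, then joins and verifies.
# Placeholders (assumptions, not values from the thread):
#   realm     Kerberos realm of the AD forest, e.g. EXAMPLE.COM
#   workgroup NetBIOS domain name, e.g. EXAMPLE
#   outdir    where to write the files (a scratch dir, so rendering never
#             touches /etc until you copy the results over deliberately)
set -eu

# security = ads makes winbind authenticate with Kerberos, so no password
# ever crosses the wire in an LDAP simple bind. Two idmap ranges: a local
# tdb range for BUILTIN/well-known SIDs, and the AD-stored UID/GID (SFU /
# RFC2307 attributes) for domain accounts. Ranges must not overlap.
render_smb_conf() {
  realm=$1; workgroup=$2
  cat <<EOF
[global]
   security = ads
   realm = $realm
   workgroup = $workgroup
   kerberos method = secrets and keytab
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config $workgroup : backend = ad
   idmap config $workgroup : schema_mode = rfc2307
   idmap config $workgroup : range = 10000-999999
   winbind nss info = rfc2307
   winbind use default domain = yes
   winbind refresh tickets = yes
   winbind offline logon = no
   template shell = /bin/bash
   template homedir = /home/%U
EOF
}

# KDCs are found via DNS SRV records, which AD publishes; no hard-coded DC.
render_krb5_conf() {
  realm=$1
  cat <<EOF
[libdefaults]
   default_realm = $realm
   dns_lookup_kdc = true
   dns_lookup_realm = false
   ticket_lifetime = 10h
   forwardable = true
EOF
}

# Local files first so root and service accounts never depend on the DC.
render_nsswitch() {
  cat <<EOF
passwd: files winbind
group:  files winbind
shadow: files
EOF
}

# Fragment for /etc/pam.d/system-auth (Gentoo). pam_winbind covers auth,
# account and the password change Brian asked about; pam_mkhomedir creates
# the home directory on first login with a restrictive umask.
render_pam_fragment() {
  cat <<EOF
auth      sufficient  pam_winbind.so krb5_auth krb5_ccache_type=FILE
auth      required    pam_unix.so try_first_pass
account   sufficient  pam_winbind.so
account   required    pam_unix.so
password  sufficient  pam_winbind.so
password  required    pam_unix.so
session   required    pam_mkhomedir.so skel=/etc/skel umask=0077
session   required    pam_unix.so
EOF
}

# Write all four files into outdir and print the path.
write_configs() {
  outdir=$1; realm=$2; workgroup=$3
  mkdir -p "$outdir"
  render_smb_conf "$realm" "$workgroup" > "$outdir/smb.conf"
  render_krb5_conf "$realm" > "$outdir/krb5.conf"
  render_nsswitch > "$outdir/nsswitch.conf"
  render_pam_fragment > "$outdir/pam-system-auth-fragment"
  echo "$outdir"
}

# Needs a reachable DC and an account allowed to join machines, so this is
# a separate step you run by hand after installing the rendered files.
join_and_verify() {
  realm=$1
  net ads join -U "${JOIN_USER:-Administrator}"
  /etc/init.d/winbind restart
  wbinfo -t                          # machine trust secret is valid
  wbinfo -u | head                   # domain users enumerate
  getent passwd | grep -v ':/home/\|:/bin/false' | head  # nss sees AD UIDs
  kinit "${JOIN_USER:-Administrator}@$realm" && klist   # Kerberos works
}
```

Run `write_configs /tmp/ad EXAMPLE.COM EXAMPLE` first, inspect the output, copy the files into place, then `join_and_verify EXAMPLE.COM`. For sshd to honour the PAM stack, `UsePAM yes` must be set; the `idmap config * : backend = tdb` range only exists so BUILTIN groups get mapped, which is why it is kept small and distinct from the AD range.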