Longman, Bill wrote:

>> I've recently begun administrating a site that has about 20 Linux
>> servers of various flavors, another 25 Windows 2003 servers, and soon 15
>> Apple Xserves. Previously no real policies of any sort existed, so I've
>> been trying to consolidate servers and users and what not. On the
>> Windows side this was fairly easily accomplished via Active Directory.
>> I've begun setting up our new Apple XRaid and its cluster nodes. While
>> doing this I noticed that it has some built-in support for Active
>> Directory authentication, which got me to thinking whether I could also
>> integrate all the Linux servers into this scheme.
>>
>> Basically I would like to use Active Directory to manage users, groups,
>> and passwords. Then have the Linux servers hit up against this using
>> LDAP to translate the uid and gids for some ssh access, filesystem
>> access via Samba and ftp, a few email accounts for use with
>> postfix/dovecot, web authentication, etc. I would also like to make
>> sure I can change passwords on the Linux side.
>>
>> My limited understanding says that this is similar to an OpenLDAP setup
>> through pam/nss with the further modification of remapping some
>> attributes to Active Directory ones (or altering the AD schema, which
>> seems unnecessary to me). Oh, and then there's Kerberos to deal with,
>> which I need to do some more research on.
>>
>> I would like to know if there's anyone out there who's tried to or
>> successfully accomplished this and whether it's any better or worse than
>> setting up a separate OpenLDAP server. I'd prefer to keep it in one
>> directory, but also don't want to cause myself any unnecessary headaches.
>
> I've looked into this same thing, Brian. I have one XServe, and lots of the
> other servers - Win2k3, Win2k, Linux, Solaris. One of the things that you
> might consider is looking at Windows Services for Unix. You can then put the
> UID/GID info in AD.
>
> You should look at winbind, ldap, ldapsam and kerberos USE flags. Prolly
> pam, too.
>
> Bill

I would agree on all of those except for kerberos. If you want to know
why, there are plenty of articles on the web that will help you realize why
it's bad. ldap and winbind are my first two choices.

Kyle
--
gentoo-server@g.o mailing list
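As an added example that is not part of this thread: the pam/nss-against-AD setup Brian describes (AD attributes remapped onto posixAccount/posixGroup, with the UID/GID numbers stored in AD through Services for Unix as Bill suggests) written out as an /etc/ldap.conf for PADL's nss_ldap and pam_ldap, which is what the ldap and pam USE flags pull in on a Gentoo box of that era. The domain, host name, base DN, OU layout and service-account name are placeholders; the option names are nss_ldap/pam_ldap's own.

```conf
# /etc/ldap.conf for nss_ldap + pam_ldap against an Active Directory DC.
# Example configuration written for this thread, not from any of the posters.
# example.com, dc1.example.com, the OUs and the nss-lookup account are placeholders.

# Talk LDAPS (636), not plain 389: simple binds would otherwise put user
# passwords on the wire in the clear, and the DC refuses password changes
# over an unencrypted connection anyway. Pin the DC's issuing CA.
uri ldaps://dc1.example.com/
base dc=example,dc=com
ldap_version 3
ssl on
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/example-ad-ca.pem

# AD does not answer anonymous searches for user attributes, so lookups need
# a bind. This file must be world-readable for NSS to work in user processes,
# so the account here has to be a plain, read-only domain user with nothing
# else granted to it. For lookups done as root, rootbinddn makes the library
# read the password from /etc/ldap.secret (root-owned, mode 0600) instead.
binddn cn=nss-lookup,ou=Service Accounts,dc=example,dc=com
bindpw CHANGE-ME-read-only-account-password
rootbinddn cn=nss-lookup,ou=Service Accounts,dc=example,dc=com

# Where users and groups live; "?sub" searches nested OUs as well.
nss_base_passwd ou=Users,dc=example,dc=com?sub
nss_base_shadow ou=Users,dc=example,dc=com?sub
nss_base_group  ou=Groups,dc=example,dc=com?sub

# Schema remapping: present AD "user" and "group" objects as the POSIX
# classes nss_ldap expects. uidNumber, gidNumber and loginShell are read
# unchanged from the Services for Unix (RFC 2307) attributes, so those
# must be populated on every account that should exist on the Linux side.
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
nss_map_attribute gecos displayName

# Only enabled user objects may authenticate. pam_ldap wraps this value as
# (&(<pam_filter>)(sAMAccountName=<user>)), so the leading & keeps the
# combined filter valid; the bit-AND matching rule on userAccountControl
# excludes accounts that have the ACCOUNTDISABLE bit (2) set.
pam_filter &(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))
pam_login_attribute sAMAccountName
pam_member_attribute memberOf

# Let "passwd" on a Linux host change the AD password: pam_password ad
# rewrites unicodePwd, which the DC only accepts over the LDAPS channel
# configured above.
pam_password ad
```

After wiring `passwd`, `shadow` and `group` in /etc/nsswitch.conf to `files ldap` and adding pam_ldap to the relevant /etc/pam.d stack, `getent passwd <someaduser>` is the check that the remapping and the SFU attributes are right: a user that resolves with the wrong UID, or not at all, is a sign that uidNumber is unset on that AD object or that the bind account cannot read it. Keep the bind account at least-privilege and rotate its password like any other shared credential, since every host that does lookups carries it on disk.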