I did a pretty involved investigation of it last summer: If all you are looking to do is sign on to the operating system (logon in Unix), then you can set up a PAM module to do that. It’s not too hard, but you do need Kerberos installed on the *nix side, which isn’t always the case by default. (In Server 2003 setting up a Kerberos trust is even part of the Trust Wizard.) With 2003R2 or SFU installed, AD can integrate with Vintela (now owned by Quest) and Centrify, which do a lot more and integrate nicely with the ADUC GUIs. The problem with doing it yourself is that in a heterogeneous environment your Unix side is likely to be very heterogeneous in itself, forcing you into multiple solutions to integrate with AD. Then there’s the question of integrating the web servers (Apache, for example) and applications. Also, you need somebody who understands both Unix and Windows authentication. Apple has its own AD integration guide for the Mac, but I have not looked into it. But can it be done? Absolutely. The technology is there.

Al Maurer

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe

The proper answer is to kerberize the non-MS platforms. This is not always that easy; I have known grown men who have started crying trying to do it. Kerberos is not easy to wrap your noodle around. That is why products from Centrify and Vintela are so great for companies; they make this something that can be done in days, weeks, months instead of years (I am serious, I know of a large company that went a couple of years trying to figure out how to do this well and finally just purchased Centrify products to do it; it would have saved a fortune had that decision been made initially and if the product had existed). You especially want to look at these products if you have a multidomain forest (called multiple-realm in the Kerberos world) or do anything a bit different from the standard, such as disjoint namespaces, etc. Also they have Group Policy pieces in their products to help manage the non-MS platform machines, which could be extremely helpful.

You have other options such as using LDAP in PAM modules, but anytime someone says they are using LDAP for authentication my mind immediately kicks back: LDAP isn't an authentication protocol. Sure it has to authenticate users as part of the accessing of the directory, but that isn't the purpose behind it, and there are issues that can crop up when you try to do it, like for instance passwords in clear text flying all over the network.

You can also look at using SAMBA, but last I heard the integration across the various aspects of the platform was nowhere near what you get out of the Centrify and Vintela products.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Pennell, Ronald B.

Let's say that I want to have a single logon for my users who use Windows and Unix/Linux platforms. They must maintain separate user accounts and passwords. I would like to combine them into the AD.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick

Let's attack from another angle then. What is the end state of what you're trying to accomplish? In other words, what is it you want to be able to do with these machines and what does "integrate" mean to you?

Al

On 1/5/06,

Did not find what I was looking for on the Archives. I realize that this is kind of a broad subject. But, I guess I can say that most issues can be solved by using "middleware" products like SAMBA for Unix for file and print. I know in my present organization, my Linux and Unix servers contain their own directory services (user accounts, passwds, etc.). They have not been integrated into the AD; therefore we do not have the single sign-on for users.

Ron

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick

The archives of this list would be a good place to start. You may also want to check out the web sites of Centrify and Vintela for additional information about it, as well as samba.org.

Al

On 1/5/06,

Can anyone point me to information on or related to the following
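The two concrete points made earlier in this thread are Al Maurer's (Kerberos has to be installed on the *nix side and wired into PAM) and joe's (LDAP used as an "authentication protocol" from PAM can send passwords across the network in clear text). The script below is an added example written for this page, not code from the thread or from any of the products named; it audits a host's configuration for exactly those two conditions. It assumes the classic pam_krb5 / pam_ldap (PADL nss_ldap-style ldap.conf) layout, the helper names (make_samples, audit_host, krb5_configured, pam_uses_kerberos, ldap_bind_protected) are hypothetical, and the sample configuration files it writes to a temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a *nix host's AD integration config.
# Checks: (1) krb5.conf names a default realm that can actually be reached,
#         (2) PAM performs "auth" through a Kerberos-capable module,
#         (3) any LDAP client config protects the bind (StartTLS or ldaps://),
#             since an unprotected simple bind sends the password in clear text.
# All sample files below are constructed; file names follow the common defaults.

# Return 0 if default_realm is set and either a kdc is listed for that realm
# or the library may find one through DNS SRV records (dns_lookup_kdc = true).
krb5_configured() {
    conf="$1"
    realm=$(awk '$1 == "default_realm" && $2 == "=" { print $3; exit }' "$conf")
    [ -n "$realm" ] || return 1
    awk -v realm="$realm" '
        $1 == "dns_lookup_kdc" && $2 == "=" && tolower($3) == "true" { found = 1 }
        $1 == realm && $2 == "=" && $3 == "{" { in_realm = 1; next }
        in_realm && $1 == "}" { in_realm = 0 }
        in_realm && $1 == "kdc" && $2 == "=" { found = 1 }
        END { exit found ? 0 : 1 }' "$conf"
}

# Return 0 if some "auth" line in the PAM stack uses pam_krb5 or pam_winbind.
pam_uses_kerberos() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_(krb5|winbind)\.so' "$1"
}

# Return 0 if the ldap.conf bind is protected, 1 if it would go out in clear text.
ldap_bind_protected() {
    conf="$1"
    # StartTLS upgrades the ldap:// connection before the bind is sent.
    grep -Eiq '^[[:space:]]*ssl[[:space:]]+start_tls' "$conf" && return 0
    # A plain ldap:// URI with no StartTLS means a clear-text simple bind.
    grep -Eiq '^[[:space:]]*uri[[:space:]].*ldap://' "$conf" && return 1
    grep -Eiq '^[[:space:]]*uri[[:space:]].*ldaps://' "$conf" && return 0
    # No URI at all: legacy host/port directives default to clear-text port 389.
    return 1
}

# Audit one host directory; print each result and return the number of findings.
audit_host() {
    dir="$1"; findings=0
    if krb5_configured "$dir/krb5.conf"; then echo "ok:   default realm has a reachable KDC"
    else echo "FAIL: no default_realm, or no KDC (and no DNS lookup) for it"; findings=$((findings + 1)); fi
    if pam_uses_kerberos "$dir/system-auth"; then echo "ok:   PAM auth goes through Kerberos"
    else echo "FAIL: PAM auth stack has no pam_krb5/pam_winbind line"; findings=$((findings + 1)); fi
    if [ ! -f "$dir/ldap.conf" ]; then echo "ok:   no LDAP client config present"
    elif ldap_bind_protected "$dir/ldap.conf"; then echo "ok:   LDAP bind is protected by TLS"
    else echo "FAIL: LDAP bind would send passwords in clear text"; findings=$((findings + 1)); fi
    return $findings
}

# Write constructed sample files for a "weak" or "good" host; print the directory.
make_samples() {
    dir=$(mktemp -d)
    if [ "$1" = weak ]; then
        kdc_line="admin_server = dc1.example.com"; pam_mod="pam_ldap.so"; tls_lines=""
    else
        kdc_line="kdc = dc1.example.com"; pam_mod="pam_krb5.so"
        tls_lines="ssl start_tls
tls_reqcert demand"
    fi
    printf '[libdefaults]\n    default_realm = EXAMPLE.COM\n    dns_lookup_kdc = false\n' > "$dir/krb5.conf"
    printf '[realms]\n    EXAMPLE.COM = {\n        %s\n    }\n' "$kdc_line" >> "$dir/krb5.conf"
    printf 'auth     sufficient %s\nauth     required   pam_unix.so use_first_pass\n' "$pam_mod" > "$dir/system-auth"
    printf 'base dc=example,dc=com\nuri ldap://dc1.example.com/\n%s\n' "$tls_lines" > "$dir/ldap.conf"
    printf '%s\n' "$dir"
}

# Demo run against both constructed hosts.
weak_dir=$(make_samples weak); good_dir=$(make_samples good)
echo "== weak host =="; audit_host "$weak_dir" || echo "findings: $?"
echo "== hardened host =="; audit_host "$good_dir" && echo "no findings"
rm -rf "$weak_dir" "$good_dir"
```

The weak host reports three findings (a realm with no KDC and DNS lookup disabled, PAM authenticating only through pam_ldap, and an ldap:// URI with no StartTLS); the hardened host reports none. On a real host, point audit_host at a directory holding copies of /etc/krb5.conf, the relevant /etc/pam.d file and /etc/ldap.conf.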
