> I've recently begun administrating a site that has about 20 Linux
> servers of various flavors, another 25 Windows 2003 servers, and soon 15
> Apple Xserves. Previously no real policies of any sort existed, so I've
> been trying to consolidate servers and users and what not. On the
> Windows side this was fairly easily accomplished via Active Directory.
> I've begun setting up our new Apple XRaid and its cluster nodes. While
> doing this I noticed that it has some built-in support for Active
> Directory authentication, which got me to thinking whether I could also
> integrate all the Linux servers into this scheme.
>
> Basically I would like to use Active Directory to manage users, groups,
> and passwords. Then have the Linux servers hit up against this using
> LDAP to translate the uid and gids for some ssh access, filesystem
> access via Samba and ftp, a few email accounts for use with
> postfix/dovecot, web authentication, etc. I would also like to make
> sure I can change passwords on the Linux side.
>
> My limited understanding says that this is similar to an OpenLDAP setup
> through pam/nss with the further modification of remapping some
> attributes to Active Directory ones (or altering the AD schema, which
> seems unnecessary to me). Oh, and then there's Kerberos to deal with,
> which I need to do some more research on.
>
> I would like to know if there's anyone out there who's tried to or
> successfully accomplished this and whether it's any better or worse than
> setting up a separate OpenLDAP server. I'd prefer to keep it in one
> directory, but also don't want to cause myself any unnecessary headaches.
I've looked into this same thing, Brian. I have one XServe, and lots of the other servers - Win2k3, Win2k, Linux, Solaris.

One of the things that you might consider is looking at Windows Services for Unix. You can then put the UID/GID info in AD.

You should look at winbind, ldap, ldapsam and kerberos USE flags. Prolly pam, too.

Bill
--
[email protected] mailing list
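An added example (not part of Bill's reply or the original thread) of the Samba winbind configuration that implements his suggestion: the Linux host joins AD with Kerberos and reads the uidNumber/gidNumber attributes populated through Services for Unix instead of allocating its own ids, so the same account resolves to the same uid on every box. The domain name EXAMPLE, the realm EXAMPLE.LOCAL and the id ranges are assumptions.

```ini
# /etc/samba/smb.conf (added example, not from the thread). Assumes the AD
# domain EXAMPLE with Kerberos realm EXAMPLE.LOCAL, and that POSIX uidNumber /
# gidNumber attributes have been filled in via Services for Unix (SFU).
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL
    security = ads                       ; authenticate against AD via Kerberos
    kerberos method = secrets and keytab

    ; Winbind maps AD SIDs to uids/gids. For the EXAMPLE domain, read the
    ; SFU-populated attributes rather than inventing ids locally; ids then
    ; agree across all Linux hosts and are owned by the directory.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : schema_mode = sfu   ; use rfc2307 for the RFC 2307 schema
    idmap config EXAMPLE : range = 10000-999999
    winbind nss info = sfu                     ; login shell / home dir from AD too
    winbind use default domain = yes
    winbind refresh tickets = yes
    winbind offline logon = no

    ; Fallbacks used when an account has no SFU shell/home attributes.
    template shell = /bin/bash
    template homedir = /home/%U

# /etc/nsswitch.conf, the two lines that make NSS consult winbind:
#   passwd: files winbind
#   group:  files winbind
#
# Verification after "net ads join -U <domain admin>":
#   wbinfo -u                  lists AD users through winbind
#   getent passwd <aduser>     must show the uid from AD, not a tdb-allocated one
```

Password changes from the Linux side go through pam_winbind (pam.d entries not shown); keep the `*` range and the domain range disjoint so a user never silently gets a locally allocated id when the AD lookup fails.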
