Longman, Bill wrote: >> I've recently begun administrating a site that has about 20 Linux >> servers of various flavors, another 25 Windows 2003 servers, >> and soon 15 >> Apple Xserves. Previously no real policies of any sort >> existed, so I've >> been trying to consolidate servers and users and what not. On the >> Windows side this was fairly easily accomplished via Active >> Directory. >> I've begun setting up our new Apple XRaid and it's cluster >> nodes. While >> doing this I noticed that it has some built in support for Active >> Directory authentication, which got me to thinking whether I >> could also >> integrate all the Linux servers into this scheme. >> >> Basically I would like to use Active Directory to manage >> users, groups, >> and passwords. Then have the Linux servers hit up against this using >> LDAP to translate the uid and gids for some ssh access, filesystem >> access via Samba and ftp, a few email accounts for use with >> postfix/dovecot, web authentication, etc. I would also like to make >> sure I can change passwords on the Linux side. >> >> My limited understanding says that this is similar to an >> OpenLDAP setup >> through pam/nss with the further modification of remapping some >> attributes to Active Directory ones (or altering the AD schema, which >> seems unnecessary to me). Oh, and then there's Kerberos to >> deal with, >> which I need to do some more research on. >> >> I would like to know if there's anyone out there who's tried to or >> successfully accomplished this and whether it's any better or >> worse than >> setting up a separate OpenLDAP server. I'd prefer to keep it in one >> directory, but also don't want to cause myself any >> unnecessary headaches. > > I've looked into this same thing, Brian. I have one XServe, and lots of the > other servers - Win2k3, Win2k, Linux, Solaris. One of the things that you > might consider is looking at Windows Services for Unix. You can then put the > UID/GID info in AD. > > You should look at winbind, ldap, ldapsam and kerberos USE flags. Prolly > pam, too. > > Bill
I would agree on all of those except for kerberos. If you want to know why there's plenty of articles on the web that will help you realize why it's bad. ldap and windbind are my first two choices Kyle -- [email protected] mailing list
