On Sun, Mar 19, 2006 at 10:42:53AM +0400, Bruno Carnazzi wrote:
> Hi misc,
>
> At work, we are running a Microsoft Active Directory for our Windows
> Domain, which mainly provides Windows Desktops for our customers and
> centralized authentication. We also have several OpenBSD & Linux boxes
> for DNS, SFTP, Squid, CVS and several Web-apps. We'd like to
> centralize this Unix authentication... Is there a way to authenticate
> directly against a MS Domain Controller? How can this be achieved
> (Kerberos, LDAP..?)? Also, is it a good idea? :) What are the
> alternatives (building an OpenLDAP server, Kerberos, (we don't want
> NIS!))?
>
> Hope somebody has some advice to share,

There are many, many solutions. If it's just servers with a limited
number of accounts, rdist(8) works just fine, and saves a lot of
complicated stuff that takes time to set up and breaks occasionally. It
could be scripted if you want to fully automate something.

For a more complete solution, I am pretty sure there is a Linux PAM
module to authenticate against their AD implementation (it's part of
SAMBA, IIRC). Not sure about OpenBSD.

Also, once the user accounts are synchronized, you'd probably be able to
tell a Kerberos client to talk to the AD server. I've never tried it,
but it should work - more or less. See the info pages for heimdal on
OpenBSD.

Joachim
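An added example, not part of the thread above and not anything Joachim or the OpenBSD project published: a small sh script that renders the krb5.conf a Unix host needs to treat an Active Directory domain as its Kerberos realm (the "tell a Kerberos client to talk to the AD server" step), and a check function for the result. The realm name EXAMPLE.LOCAL and the KDC host dc1.example.local are constructed placeholders; the [libdefaults], [realms] and [domain_realm] sections and their keys are standard in both MIT Kerberos and Heimdal. The KDC is pinned explicitly and DNS SRV lookup is disabled so that a spoofed DNS answer cannot redirect the client to a different KDC.

```shell
#!/bin/sh
# Added example (not from the original thread): render a Heimdal/MIT-compatible
# krb5.conf that points a Unix host at an Active Directory realm, so kinit and
# a Kerberos-aware login module validate passwords against the domain controller.
# EXAMPLE.LOCAL and dc1.example.local below are constructed placeholder names.

# render_krb5_conf REALM DC_HOST -> prints a krb5.conf for that realm on stdout
render_krb5_conf() {
    realm=$1
    dc=$2
    # AD realm names are upper-case; the DNS domain for [domain_realm] is lower-case
    domain=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    cat <<EOF
[libdefaults]
    default_realm = $realm
    # Pin the KDC explicitly instead of trusting DNS SRV answers.
    dns_lookup_kdc = false
    dns_lookup_realm = false
    ticket_lifetime = 10h
    forwardable = false

[realms]
    $realm = {
        kdc = $dc
        admin_server = $dc
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
}

# check_krb5_conf FILE -> exit status 0 when the file names a realm and a KDC,
# non-zero otherwise (a cheap sanity check before copying it to /etc/krb5.conf)
check_krb5_conf() {
    grep -q '^ *default_realm *= *[A-Z]' "$1" && grep -q '^ *kdc *= *[^ ]' "$1"
}

# try_kinit FILE USER -> obtain a ticket using FILE as the config without
# touching /etc/krb5.conf; both MIT and Heimdal honour KRB5_CONFIG.
# Intended for manual use against a reachable DC, so it is not called here.
try_kinit() {
    KRB5_CONFIG=$1 kinit "$2"
}

# Usage from the command line, e.g.:
#   render_krb5_conf EXAMPLE.LOCAL dc1.example.local > /tmp/krb5.conf
#   check_krb5_conf /tmp/krb5.conf && try_kinit /tmp/krb5.conf someuser
```

Once kinit succeeds with this file, the same configuration is what a PAM Kerberos module on Linux, or OpenBSD's login.conf-based Kerberos login class, reads to verify passwords; account entries (uid, home, shell) still have to be present locally or distributed, as the rdist(8) suggestion above covers.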