On Thu, Jul 17, 2008 at 3:58 PM, Bill Lambert <[EMAIL PROTECTED]> wrote:
> We have an extremely large customer that would like to be able to use SSO so
> their users can log into Active Directory and use the same credentials to an
> intranet site that is Linux based.  The application currently uses LDAP
> authentication and the passwords are also stored in the database of the
> application.

  This is definitely possible, in the general case.

  There are two approaches to this kind of thing: get Linux to speak
Microsoft protocol to the Windows box, or get the Windows box to speak
Unix protocol to the Linux box.  Either one can work.

  Linux can act as an Active Directory domain member using Samba and
"winbind".  This can give you full user account information, including
groups, password authentication, etc.  I've done this; it works pretty
well.  Advantages: No need to learn about Unix protocols.
Disadvantages: Integration may not be as "smooth", as the Windows
network protocols aren't designed to support Unix concepts.

  Linux can speak Kerberos and LDAP, two protocols which Active
Directory is built on.  I've successfully queried AD using LDAP from
Linux to get information like names, email addresses, and groups.
I've never tried to do password authentication with this.  Advantages:
LDAP can store just about anything you want, including Unix account
info.  Disadvantages: I remember reading that Microsoft used some
proprietary extensions to Kerb/LDAP to implement password
authentication, which the standard stuff on Linux might not support.

  Windows can supposedly speak Unix protocols (like NFS and NIS/YP) to
Linux.  Never tried this.  Advantages: Unix software thinks it's
talking to a Unix box, which might yield smoother integration.
Disadvantages: You have to figure out all that stuff.

  Some of this stuff might need Windows Services For Unix (SFU), or
whatever they're calling it now, but that's supposed to be a "free"
add-on.

-- Ben

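The LDAP route Ben describes (pulling names and groups out of AD, and keeping Unix account info in the directory) is what an NSS/LDAP backend does on the Linux side. Below is an added example, not code from Ben's message or from any of the products named in it, that maps a user entry as ldapsearch would print it into a passwd(5) line and a group list. It assumes the AD accounts carry the SFU / RFC 2307 attributes (uidNumber, gidNumber, unixHomeDirectory, loginShell); the host, base DN, realm and the user "alice" are placeholders, and the LDIF is constructed to stand in for real query output.

```shell
# Added example (not from Ben's message): resolve an AD user entry to a Unix
# identity the way an NSS LDAP backend does. Assumes the SFU / RFC 2307
# attributes are populated in AD.
#
# The live query this stands in for (needs a Kerberos ticket from the domain;
# host, base DN, realm and user are placeholders):
#   kinit alice@EXAMPLE.COM
#   ldapsearch -LLL -Y GSSAPI -H ldap://dc1.example.com -b 'dc=example,dc=com' \
#     '(&(objectClass=user)(sAMAccountName=alice))' \
#     sAMAccountName displayName uidNumber gidNumber unixHomeDirectory loginShell memberOf

# Constructed LDIF standing in for that ldapsearch output.
SAMPLE_LDIF='dn: CN=Alice Example,OU=Users,DC=example,DC=com
sAMAccountName: alice
displayName: Alice Example
uidNumber: 10001
gidNumber: 10000
unixHomeDirectory: /home/alice
loginShell: /bin/bash
memberOf: CN=intranet-users,OU=Groups,DC=example,DC=com
memberOf: CN=Domain Users,CN=Users,DC=example,DC=com
'

# ldif_to_passwd: LDIF on stdin -> one passwd(5) line per entry on stdout.
# Entries without uidNumber/gidNumber are skipped: a plain AD account with no
# RFC 2307 data has no Unix identity, and inventing one would be a security bug.
ldif_to_passwd() {
  awk '
    function val(line) { sub(/^[^:]*: /, "", line); return line }
    function flush() {
      if (user != "" && uid != "" && gid != "") {
        if (home == "") home = "/home/" user
        if (shell == "") shell = "/bin/sh"
        printf "%s:x:%s:%s:%s:%s:%s\n", user, uid, gid, gecos, home, shell
      }
      user = uid = gid = gecos = home = shell = ""
    }
    /^sAMAccountName: /    { user  = val($0) }
    /^displayName: /       { gecos = val($0) }
    /^uidNumber: /         { uid   = val($0) }
    /^gidNumber: /         { gid   = val($0) }
    /^unixHomeDirectory: / { home  = val($0) }
    /^loginShell: /        { shell = val($0) }
    /^$/                   { flush() }   # blank line ends an LDIF entry
    END                    { flush() }
  '
}

# ldif_groups: print the CN of every memberOf value, one group per line.
# Only the leading RDN is taken; a CN containing an escaped comma is not handled.
ldif_groups() {
  awk '/^memberOf: / { v = $0; sub(/^memberOf: CN=/, "", v); sub(/,.*$/, "", v); print v }'
}

# Stand-alone usage: resolve the constructed entry.
printf '%s' "$SAMPLE_LDIF" | ldif_to_passwd
printf '%s' "$SAMPLE_LDIF" | ldif_groups
```

In a real deployment this is the job of nss_ldap/winbind rather than a script, but the mapping is the same, and the skip on missing uidNumber is the check worth keeping: an AD account that was never given Unix attributes should fail to resolve, not silently land on a default uid.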