Just throwing out some thoughts I was musing on. In the Windows world of old, you had your domains, each with a SID, and thus your users ended up with unique SIDs as the domain SID is prefixed to their user SIDs. Domain trust accounts could be established to enable users from other domains to authenticate to the local domain. All very easy to set up, though I've no idea how easy the arrangement is with the (to me) newer Active Directory way of doing things. Not really something I've played with, thanks to Samba.
I've also never fully had the *nix/Linux way of achieving the same things explained to me either, but I'm guessing it involves something else I've never really played with (i.e. NIS) in some way. My current single-domain setup has side-stepped the issue (aka. cheating) by using LDAP for SSO through the use of PAM modules and the like, so in effect just sharing the backend between my independent machines. I might look into having full OpenLDAP installations on the machines replicating the server to make things a bit more robust, as currently it all falls apart if the network and/or server go down. However, I planned on setting up a second domain at another site, and whilst I'd like them to be fairly separate entities, I planned on bridging them with a VPN and being able to access them as easily as if they were in a similar setup to the Windows trusted domain arrangement; in effect just splitting the overall network rather than having two disjoint ones, though both would need to be able to operate should the other be unavailable. This raises a number of questions for me though, as having separate Linux "domains" raises the prospect of UID clashes that you don't get with the Windows way of doing things (and in Windows you can specify the domain part for situations where the same username is in use in both domains), and I'm not sure of the best way to arrange my LDAP tree to support lookups across multiple subtrees. I guess I could just make sure whatever I was using to add users was operating in distinct UID/GID ranges to avoid clashes. I kind of imagine I'd have to set up global lists of references (i.e. for the users) at the new higher tier in the LDAP tree, as I'm not sure how I'd specify multiple valid subtrees in the filters otherwise. 
There's always the option of just doing a full subtree search of the top level, but I have my users OU sub-categorised into various mutually-exclusive categories currently... which I guess is a sign I should perhaps be figuring out how to make my client software play nicely with proper LDAP groups instead. Might have a play with simply searching the whole tree and see how things go... it does kinda seem the only way to go, but I can't for the life of me find anything that tells me how to specify a group in an LDAP search filter. Plenty of MS-specific stuff using a "memberOf" attribute, but that's not how anything I have works currently. *sigh* Anyway, any random thoughts would be greatly appreciated. - Jamie
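The group-filter question in the post above, worked through as an added example (not code from the post or from any project it mentions). Without a memberOf back-link on the user entry, you search the groups subtree for entries that name the user: under the RFC 2307 posixGroup schema the group carries a memberUid attribute per login name, and under groupOfNames (RFC 4519) it carries a member attribute per DN. The filter strings below are what you would hand to ldapsearch or an NSS/PAM module; the small RFC 4515 evaluator and the directory entries are constructed here so the example runs offline. The group base DN, group names and users are assumptions for illustration.

```python
"""LDAP group-membership filters without a memberOf attribute (added example)."""
import re

# RFC 4515 section 3: these characters must be hex-escaped inside an assertion
# value; otherwise a caller-controlled string can change the filter's structure
# (LDAP filter injection), e.g. a bare '*' turns an equality into a presence test.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def posix_groups_of_user_filter(uid: str) -> str:
    """All posixGroup entries listing `uid` as a member (RFC 2307 memberUid)."""
    return f"(&(objectClass=posixGroup)(memberUid={escape_filter_value(uid)}))"

def posix_is_member_filter(group_cn: str, uid: str) -> str:
    """Matches the named group only if `uid` is in it: empty result == not a member."""
    return (f"(&(objectClass=posixGroup)(cn={escape_filter_value(group_cn)})"
            f"(memberUid={escape_filter_value(uid)}))")

def groupofnames_member_filter(user_dn: str) -> str:
    """groupOfNames equivalent: members are stored as full DNs."""
    return f"(&(objectClass=groupOfNames)(member={escape_filter_value(user_dn)}))"

# --- minimal RFC 4515 evaluator (and/or/not, equality, presence) ----------
_HEX = re.compile(r"\\([0-9a-fA-F]{2})")

def _parse(f: str, i: int):
    """Parse the filter item starting at f[i] == '('; return (node, next index)."""
    if f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if f[i] in "&|":
        op, i, kids = f[i], i + 1, []
        while f[i] != ")":
            node, i = _parse(f, i)
            kids.append(node)
        return (op, kids), i + 1
    if f[i] == "!":
        node, i = _parse(f, i + 1)
        if f[i] != ")":
            raise ValueError("unterminated not-filter")
        return ("!", node), i + 1
    eq = f.index("=", i)
    close = f.index(")", eq)  # a literal ')' in a value is escaped, so this is safe
    attr, raw = f[i:eq].lower(), f[eq + 1:close]
    if raw == "*":
        return ("present", attr), close + 1
    return ("=", attr, _HEX.sub(lambda m: chr(int(m.group(1), 16)), raw)), close + 1

def parse_filter(f: str):
    node, end = _parse(f, 0)
    if end != len(f):
        raise ValueError("trailing characters after filter")
    return node

# RFC 2307 defines memberUid with caseExactIA5Match; cn and objectClass are
# case-insensitive. A real server applies the schema's matching rule per attribute.
_CASE_EXACT = {"memberuid"}

def _match(node, entry) -> bool:
    kind = node[0]
    if kind == "&":
        return all(_match(n, entry) for n in node[1])
    if kind == "|":
        return any(_match(n, entry) for n in node[1])
    if kind == "!":
        return not _match(node[1], entry)
    if kind == "present":
        return bool(entry.get(node[1]))
    _, attr, value = node
    values = entry.get(attr, [])
    if attr in _CASE_EXACT:
        return value in values
    return value.lower() in (v.lower() for v in values)

def search(entries, base_dn: str, filt: str):
    """Subtree-scope search: DNs at or under base_dn whose entry matches filt."""
    node, base = parse_filter(filt), base_dn.lower()
    return [e["dn"] for e in entries
            if (e["dn"].lower() == base or e["dn"].lower().endswith("," + base))
            and _match(node, e)]

# Constructed sample directory (attribute names lower-cased as keys).
GROUP_BASE = "ou=groups,dc=example,dc=org"
DIRECTORY = [
    {"dn": "cn=wheel," + GROUP_BASE, "objectclass": ["top", "posixGroup"],
     "cn": ["wheel"], "gidnumber": ["10"], "memberuid": ["root", "jamie"]},
    {"dn": "cn=staff," + GROUP_BASE, "objectclass": ["top", "posixGroup"],
     "cn": ["staff"], "gidnumber": ["50"], "memberuid": ["jamie", "alice"]},
    {"dn": "cn=backup," + GROUP_BASE, "objectclass": ["top", "posixGroup"],
     "cn": ["backup"], "gidnumber": ["51"], "memberuid": ["alice"]},
    {"dn": "cn=admins," + GROUP_BASE, "objectclass": ["top", "groupOfNames"],
     "cn": ["admins"], "member": ["uid=jamie,ou=people,dc=example,dc=org"]},
]

def groups_of_user(uid: str, entries=DIRECTORY):
    """Sorted cn values of every posixGroup that lists `uid`."""
    dns = search(entries, GROUP_BASE, posix_groups_of_user_filter(uid))
    return sorted(dn.split(",", 1)[0][len("cn="):] for dn in dns)

def is_member(group_cn: str, uid: str, entries=DIRECTORY) -> bool:
    return bool(search(entries, GROUP_BASE, posix_is_member_filter(group_cn, uid)))

if __name__ == "__main__":
    print(posix_groups_of_user_filter("jamie"))
    print(groups_of_user("jamie"), is_member("wheel", "alice"))
    # Injection: raw concatenation of '*' matches every group; escaping does not.
    naive = "(&(objectClass=posixGroup)(memberUid=" + "*" + "))"
    print(len(search(DIRECTORY, GROUP_BASE, naive)), groups_of_user("*"))
```

The same filters work unchanged against a real server: `ldapsearch -b ou=groups,dc=example,dc=org '(&(objectClass=posixGroup)(memberUid=jamie))' cn` lists a user's groups, and an empty result from the is-member form is a clean "no" for an access check. The escaping step matters wherever the uid or group name comes from user input, since a raw `*` or `)(` rewrites the filter rather than being matched as data.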