Chris Samuel <[EMAIL PROTECTED]> writes:

> They have assured us that we can just use their ADSs as
> if they are LDAP servers, which is OK, but it looks
> like Linux doesn't really want to know about using
> multiple LDAP servers except in a failover/round-robin
> situation.

Having completely separate ADs for staff and students seems odd... Why doesn't it work to have two `sufficient' cases of pam_ldap with different `config' args pointing to different servers?

However, LDAP isn't an authentication protocol. Use Kerberos for authentication. If two cases of pam_krb5 with different `realm' args don't work (as they should with Russ Allbery's version in Debian), you should be able to drop in a ~/.k5login for each user to authenticate with a principal in the appropriate realm (Windows domain, or whatever the correct AD terminology is). See the doc for whichever pam_krb5 you have, or use http://www.eyrie.org/~eagle/software/pam-krb5/.

> Our current best guess is to get an LDIF dump of
> the users who are to be given access (signified
> by an LDAP attribute) and then load those into a
> local OpenLDAP or FDS server.

[Can't OpenLDAP just refer to the AD LDAPs?]

You could also set up your own Kerberos to do cross-realm authentication to AD, but I doubt you need to.

_______________________________________________
Beowulf mailing list, [email protected]
To change your subscription (digest mode or unsubscribe) visit http://www.beowulf.org/mailman/listinfo/beowulf
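A concrete form of the two-realm pam_krb5 setup suggested in the reply above, added here as an illustration; it is not configuration from the original thread, from Chris Samuel's site, or from the pam-krb5 project. The realm names STAFF.EXAMPLE.COM and STUDENTS.EXAMPLE.COM, the KDC hostnames, and the user "alice" are assumptions. The module options used (realm=, minimum_uid=, use_first_pass, try_first_pass) are ones documented for Russ Allbery's pam-krb5; the ~/.k5login format (one principal per line) is the standard Kerberos one that krb5_kuserok() reads.

```text
# /etc/krb5.conf  (assumed realm names and KDC hostnames; each AD domain
# controller is a KDC for its domain's realm)
[libdefaults]
    default_realm = STAFF.EXAMPLE.COM
    dns_lookup_kdc = false

[realms]
    STAFF.EXAMPLE.COM = {
        kdc = staff-dc1.example.com
        kdc = staff-dc2.example.com
    }
    STUDENTS.EXAMPLE.COM = {
        kdc = student-dc1.example.com
    }

# /etc/pam.d/common-auth  (Debian-style PAM stack, assumed layout)
# Try the staff realm first; if the KDC rejects the password, try the
# student realm with the same password (use_first_pass, so the user is
# not prompted twice); finally fall back to local /etc/shadow accounts.
# minimum_uid keeps root and system accounts away from Kerberos entirely.
auth    sufficient  pam_krb5.so realm=STAFF.EXAMPLE.COM    minimum_uid=1000
auth    sufficient  pam_krb5.so realm=STUDENTS.EXAMPLE.COM minimum_uid=1000 use_first_pass
auth    required    pam_unix.so nullok_secure try_first_pass

# ~alice/.k5login  (assumed user; file owned by alice, mode 0600)
# After a ticket is obtained, pam_krb5 asks krb5_kuserok() whether the
# authenticated principal may log in as the local user "alice". With this
# file present, either principal below is accepted; without it, only a
# principal whose name matches the local username in the realm that
# authenticated it would be.
alice@STAFF.EXAMPLE.COM
a.smith@STUDENTS.EXAMPLE.COM
```

Two things to check before relying on this. First, both KDCs must be reachable from every login host, and a wrong password is now tried against both domains, so one typo produces a failed-logon event in each AD and counts against each domain's lockout policy. Second, the order of the `sufficient` lines matters only for which realm gets asked first; if the same username exists in both domains with different people behind it, a ~/.k5login listing only the intended principal is what stops the other one from logging in.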
