On Thu, Feb 7, 2019 at 3:36 PM Fabian Thorns <[email protected]> wrote:
> however, we should be clear if we want to focus on authorization against an 
> Active Directory or dig deeper into Linux-specific management functionality. 
> Any opinions on that one?

To me, there are now only three (3), common, open source scenarios for
AD to Linux, with some overlap.

1)  Samba Services

The AD-LDAP and MS-Kerberos reference for file/object reference and
authentication when users come from Windows systems

I.e., Windows clients to Linux Servers

2)  AD Forest Trust with IPA

The Cross-Forest (Kerberos REALMs) trusts with IPA, where AD and IPA
principals are used in both AD and IPA domains.

I.e., Windows clients and servers in AD Forest with IPA clients and
servers in IPA Domain

E.g., AD users on Windows clients (user@AD-REALMs principals) can
access IPA resources (Samba, Middleware and others), and IPA users on
Linux clients (user@IPA-REALM principals) can access AD resources
(CIFS, Middleware and others).

3)  Linux client SSSD Enumeration

This is where there is no IPA or LDAP, and only AD is used.  The Linux
clients need to be set up to enumerate UID, GID and assume homedir,
etc... attributes as they are not stored in AD.**

This is akin to old Samba Winbindd (inferior) and most of the 'free
(as in beer)' Linux clients for AD.  SSSD does the same things, and
more.

Everything else would not be open source, or more fringe usage.
Please correct me if I'm wrong on eDirectory, although I consider
eDirectory to be more akin to 389, and way, way too in-depth general
LDAP, unlike IPA.

I.e., in all honesty, if people aren't using SSSD, and still using
pam_krb5 and pam_ldap to access AD, understand those codebases are not
well maintained (and lack many compliance aspects), even if openldap
libs have been updated for SSSD (lot of libnss mergers into openldap
libs).

- bjs

DISCLAIMER:  I am strongly opinionated based on my experiences, but I am
extremely open to other views, based on experiences I do not have
and/or are ignorant of.  But please no 'free beer' stuff (SSSD
Enumeration does most of those, and more), let alone proprietary (the
very costly version of their AD connectors for Linux, that are 3
figures/node at times).

**P.S.  AD IDMU (IdM for UNIX) was deprecated in 2012R2 and no longer
in 2016+.  Ref:
https://blogs.technet.microsoft.com/activedirectoryua/2016/02/09/identity-management-for-unix-idmu-is-deprecated-in-windows-server/

--
Bryan J Smith  -  http://www.linkedin.com/in/bjsmith
E-mail:  b.j.smith at ieee.org  or  me at bjsmith.me
_______________________________________________
lpi-examdev mailing list
[email protected]
https://list.lpi.org/mailman/listinfo/lpi-examdev
