On 3/19/06, Joachim Schipper <[EMAIL PROTECTED]> wrote:
> On Sun, Mar 19, 2006 at 10:42:53AM +0400, Bruno Carnazzi wrote:
> >       Hi misc,
> >
> > At work, we are running a Microsoft Active Directory for our Windows
> > Domain, who mainly provided Windows Desktop for our customers and
> > centralized authentication. We have also several OpenBSD & Linux boxes
> > for some DNS, SFTP, Squid, CVS and also several Web-apps. We'd like to
> > centralize these Unix authentication... Is there a way to authenticate
> > directly over a MS Domain Controller ? How can this be achieved
> > (Kerberos, LDAP..?) ? Also, is it a good idea ? :) What are the
> > alternatives (building an OpenLDAP server, Kerberos, (we don't wan't
> > NIS !)) ?
> >
> > Hope somebody has some advice to share,
>
> There are many, many solutions. If it's just servers with a limited
> number of accounts, rdist(8) works just fine, and saves a lot of
> complicated stuff that takes time to set up and breaks occasionally. It
> could be scripted if you want to fully automate something.
>
> For a more complete solution, I am pretty sure there is a Linux PAM
> module to authenticate against their AD implementation (it's part of
> SAMBA, IIRC). Not sure about OpenBSD.
>
> Also, once the user accounts are synchronized, you'd probably be able to
> tell a Kerberos client to talk to the AD server. I've never tried it,
> but it should work - more or less. See the info pages for heimdal on
> OpenBSD.
>
>                Joachim
>
>

Active Directory has an LDAP interface on the domain controllers.  You
could opt to authenticate directly against the AD tree or replicate
the tree entirely or partially to openldap and manage/use that tree.
Seems that some LDAP implementations have problems replicating password
information, though I can't remember the specifics.

This page has a little info that may help:
http://www.wlug.org.nz/ActiveDirectoryAuthenticationNotes

Axton Grams
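Authenticating directly against a domain controller's LDAP interface, as mentioned in the reply above, is a search-then-bind: bind with a low-privilege service account, look up the user's DN by sAMAccountName, then bind as that DN with the password being checked. The following is an added example, not code from this thread or from any project it names. The directory is a constructed in-memory stand-in so the flow runs offline; the DNs, account names and passwords are made up, and a real deployment would plug in an LDAP client speaking LDAPS or StartTLS in place of the fake.

```python
"""Search-then-bind password check against an AD-style LDAP directory.

Added example. The connection object is injected so the same flow can be
exercised against a real client library or the constructed FakeDirectory.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample values (hypothetical domain, not from the thread).
BASE_DN = "DC=example,DC=test"
SVC_DN = "CN=ldap-reader,OU=Service,DC=example,DC=test"
SVC_PASSWORD = "svc-secret"
JDOE_DN = "CN=Jane Doe,OU=Users,DC=example,DC=test"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside an LDAP search filter.

    Without this, a username such as "*" or "jdoe)(objectClass=*" would
    change the meaning of the filter instead of being matched literally.
    """
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def user_filter(sam_account_name: str) -> str:
    """Filter selecting exactly the user object with the given logon name."""
    return "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(sam_account_name)


def authenticate(conn, base_dn: str, svc_dn: str, svc_password: str,
                 username: str, password: str) -> Optional[str]:
    """Return the user's DN on success, None on any failure.

    An empty password is rejected up front: an LDAP simple bind with a DN and
    an empty password is an *unauthenticated* bind (RFC 4513 section 5.1.2),
    which many servers report as success, so it must never reach the bind call.
    """
    if not password:
        return None
    if not conn.bind(svc_dn, svc_password):
        raise RuntimeError("service account bind failed")
    hits = conn.search(base_dn, user_filter(username))
    if len(hits) != 1:          # unknown user, or an ambiguous match
        return None
    user_dn = hits[0]
    if not conn.bind(user_dn, password):
        return None
    return user_dn


def _unescape(value: str) -> str:
    """Undo escape_filter_value(); used only by the constructed fake directory."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 3 <= len(value):
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


@dataclass
class FakeDirectory:
    """Constructed stand-in for an LDAP connection: dn -> (password, sAMAccountName)."""
    entries: Dict[str, Tuple[str, str]]
    bound_as: Optional[str] = None

    def bind(self, dn: str, password: str) -> bool:
        entry = self.entries.get(dn)
        if entry is None or entry[0] != password:
            return False
        self.bound_as = dn
        return True

    def search(self, base: str, filt: str) -> List[str]:
        # Toy matcher: understands only the filter shape user_filter() builds,
        # comparing the (unescaped) value literally, as a real server would.
        prefix = "(&(objectClass=user)(sAMAccountName="
        if not (filt.startswith(prefix) and filt.endswith("))")):
            return []
        wanted = _unescape(filt[len(prefix):-2])
        return [dn for dn, (_, sam) in self.entries.items()
                if sam == wanted and dn.endswith(base)]


def sample_directory() -> FakeDirectory:
    """Constructed directory with one service account and one user."""
    return FakeDirectory(entries={
        SVC_DN: (SVC_PASSWORD, "ldap-reader"),
        JDOE_DN: ("correct horse", "jdoe"),
    })


if __name__ == "__main__":
    d = sample_directory()
    print(authenticate(d, BASE_DN, SVC_DN, SVC_PASSWORD, "jdoe", "correct horse"))
    print(authenticate(d, BASE_DN, SVC_DN, SVC_PASSWORD, "jdoe", ""))
```

The two checks that matter in practice are the ones the fake exercises: the filter value is escaped so a crafted logon name cannot widen the search, and an empty password is refused before any bind is attempted.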
