On Thursday 10 May 2007 08:49:12 Trevor Dell wrote:
> I'm interested in your 'work around'.. I've seen some complex ways to
> set up Solaris (is that what you're using?) to authenticate from an AD.
> Most were way beyond what we need. Do you have ldap in your
> nsswitch.conf, and wrote the queries?

Hi Trev,

Yep, we're on Solaris. For our purposes we wanted a single username/password experience. In our environment this means active directory auth. These solutions allow Active Directory users to log into the systems as normal, and thus work with SGD's unix auth.

We are currently using a commercial product called Centrify DirectControl which provides the needed nsswitch/pam functionality. But we are/have also looked at samba's winbind which more or less does the same thing, and looks like it would make a good replacement at around 3.0.26 which is a few months away.

Another option is to use the Windows 2003 r2 schema which incorporates the MS Services for Unix bits, which allows you to save the unix fields such as uid and gid into active directory. From there you should be able to set up ldap or ldap/kerberos auth, but we ran out of time last summer to fully test/implement that solution.

We also have the added complications of having multiple domains in which to authenticate users, so if you are on a single domain either the ldap/kerberos or winbind ways will probably work for you without too much trouble. I've not seen any way to get kerberos to function for more than one domain and have users from any domain be able to authenticate to the system.

Since I work in education we try to minimize our changes during the semester, thus this summer will be the time we spring back into testing. So if anyone has any ideas for SGD's AD auth, now would be a great time ;)

Hope that helps,

Christian McHugh
Northern Arizona University

_______________________________________________
SGD-Users mailing list
[email protected]
http://node1.filibeto.org/mailman/listinfo/sgd-users
