[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [SAGE] RH directory server or IBM TDS and directory structure in a fairly complex environment

To: Nathan Hruby <nhruby@xxxxxxx>
Subject: Re: [SAGE] RH directory server or IBM TDS and directory structure in a fairly complex environment
From: Howard Chu <hyc@xxxxxxxxx>
Date: Tue, 15 Jan 2008 08:03:50 -0800
Cc: Erling Ringen Elvsrud <erlingre@xxxxxxxxx>, sage-members@xxxxxxxx
In-reply-to: <fc6bb850801150721m7b661ed7l838810c7917b5636@xxxxxxxxxxxxxx>
References: <664c5a070801150350o531c2cdel4a8c57f55d6b63f9@xxxxxxxxxxxxxx> <fc6bb850801150721m7b661ed7l838810c7917b5636@xxxxxxxxxxxxxx>
Sender: owner-sage-members@xxxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.9b3pre) Gecko/2008010217 SeaMonkey/2.0a1pre

Nathan Hruby wrote:

On Jan 15, 2008 5:50 AM, Erling Ringen Elvsrud <erlingre@xxxxxxxxx> wrote:

Hello list,

I work for a fairly large organization and will probably  be involved
in planning, installing and maintaining
a LDAP based directory service this year. The directory will be
mainly used to authenticate developers and systems administrators that
need to access RH Linux servers  (and also maybe HP-UX in the future).
Microsoft AD is used elsewhere in the organization to authenticate
users of Windows based desktop computers. The best solution  would
be to use AD to authenticate users of Unix computers as well, but I'm
not sure if it is possible to make that solution work.


Depending on your AD forest and how willing your AD admins are to
working with you, this is a perfectly viable option.  Samba offers the
winbind daemon which can talk to AD, and in AD 2003-r2 they've fixed a
good number of the compatibility issues between windows and
non-windows hosts.  There are also several companies that offer
integration solutions for Unix+AD.

Yes, it can be made to work. But among all the things which AD does poorly(which is, most of them), LDAP authentication is one of the worst. I guesswith only 200 active users you should be OK. (LDAP searching is pretty lame onAD too.)


http://connexitor.com/blog/pivot/entry.php?id=185

I'll warn against "having another directory" unless you plan to keep
the two in-sync.  Multiple identity stores in a large organization
never ends up helping.

Agrred, but sometimes it's a necessary evil, until a better solution can bedeployed. (Though as we all know, temporary stopgap measures have a tendencyto become permanent...)

Here are a few links that may (or may not) be helpful:
- http://www.quest.com/landing/?ID=1025&AdCode=GoogleAdTextADtoUnixLinuxJava06052007
- http://blog.scottlowe.org/2006/08/08/linux-active-directory-and-windows-server-2003-r2-revisited/
- http://gentoo-wiki.com/HOWTO_Active_Directory_with_Samba_and_Winbind

-n



--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/

Follow-Ups:
- Re: [SAGE] RH directory server or IBM TDS and directory structure in a fairly complex environment
  - From: Richard Chycoski
- Re: [SAGE] RH directory server or IBM TDS and directory structure in a fairly complex environment
  - From: Nathan Hruby

References:
- [SAGE] RH directory server or IBM TDS and directory structure in a fairly complex environment
  - From: Erling Ringen Elvsrud
- Re: [SAGE] RH directory server or IBM TDS and directory structure in a fairly complex environment
  - From: Nathan Hruby

Prev by Date: Re: [SAGE] RH directory server or IBM TDS and directory structure in a fairly complex environment
Next by Date: Re: [SAGE] RH directory server or IBM TDS and directory structure in a fairly complex environment
Previous by thread: Re: [SAGE] RH directory server or IBM TDS and directory structure in a fairly complex environment
Next by thread: Re: [SAGE] RH directory server or IBM TDS and directory structure in a fairly complex environment
Index(es):
- Date
- Thread