Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive



[Discuss] AD/LDAP authentication



On 12/13/2017 03:20 PM, Richard Pieri wrote:
> On a completely different topic from document conversion...
> 
> My employer has two Active Directory domains. I need to set up some
> Linux servers (RHEL, SUSE and Ubuntu) to use both domains for user
> authentication. Users get accounts on one or the other, never both. This
> is a mandate from Legal so the easy answer is off the table.

Is there some reason that you can't have a trust between the 2 domains? 
This is normally how one would implement what you're describing. Even a 
one-way trust should work, assuming you don't need group membership 
information.

> SSSD and Winbind work for binding to one domain or the other but I can't
> bind to both at the same time (Red Hat promised this in RHEL 7 but have
> yet to deliver). So I figure I can use AD for one domain and LDAP bind
> authentication for the other, or LDAP binds to each domain, but I can't
> get either working.

If there were a trust you could authenticate to the domain with users 
from the trusted domain. A trust is basically that, the domain that 
you're joined to will trust credentials from the trusted domain.

> Yes, I'm doing something wrong. No, I don't know what. And, my Google-Fu
> is only finding single AD or LDAP auth server configurations. Has anyone
> here done anything like this before? Have any references you can point
> me at?

To be fair, you haven't said exactly what you're trying to do. Is this 
for a web application, a system service (SMB, FTP, etc.), or simply 
SSH/SFTP/Desktop access? There are other options in certain cases that 
don't require you to join the individual machines to the domain (SAML, 
third-party tools), so specifics would be helpful. Also you don't 
mention if you have a budget for this, as it's possible you can do this 
with commercial integrations that would have support beyond just a bunch 
of folks on blu (although I'm sure we offer better support than some :-).

Grant M.
-- 

Grant Mongardi
*Senior Systems Engineer*
*NAPC inc*
p: 781-894-3114
a: 307 Waverley Oaks Rd. Waltham, Ma 02452
w: www.napc.com  e: gmongardi at napc.com
<https://facebook.com/napcgroup>   <https://twitter.com/NAPCgroup>
<https://www.linkedin.com/company/205941/>
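For readers following the SSSD part of the thread, here is an added example (not from either poster) of how two independent AD domains can be served by one SSSD instance using the plain LDAP provider for each, which sidesteps the single-domain-join limit the original question runs into. Every hostname, search base and bind account below is a constructed placeholder; the option names are standard sssd.conf keys.

```ini
# /etc/sssd/sssd.conf -- added example, two unrelated AD domains via LDAP binds.
# Placeholders: corp-a.example / corp-b.example, the bind DNs and the CA path.
[sssd]
services = nss, pam
domains = corp-a.example, corp-b.example

[nss]
# Users exist in only one domain, but qualifying names (user@corp-a.example)
# avoids ambiguity if a short name ever appears in both directories.
default_domain_suffix = corp-a.example

[domain/corp-a.example]
id_provider = ldap
auth_provider = ldap
# LDAPS only: the user's password travels in a simple bind, so never use ldap://
ldap_uri = ldaps://dc1.corp-a.example
ldap_search_base = DC=corp-a,DC=example
ldap_schema = ad
# Derive UIDs/GIDs from objectSID so the two domains cannot collide on POSIX IDs.
ldap_id_mapping = true
# Read-only service account with the minimum rights needed to enumerate users.
ldap_default_bind_dn = CN=svc-sssd-ro,OU=Service Accounts,DC=corp-a,DC=example
ldap_default_authtok = CHANGEME_PLACEHOLDER
ldap_tls_cacert = /etc/pki/tls/certs/corp-a-ca.pem
ldap_tls_reqcert = demand
use_fully_qualified_names = true
cache_credentials = false

[domain/corp-b.example]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://dc1.corp-b.example
ldap_search_base = DC=corp-b,DC=example
ldap_schema = ad
ldap_id_mapping = true
ldap_default_bind_dn = CN=svc-sssd-ro,OU=Service Accounts,DC=corp-b,DC=example
ldap_default_authtok = CHANGEME_PLACEHOLDER
ldap_tls_cacert = /etc/pki/tls/certs/corp-b-ca.pem
ldap_tls_reqcert = demand
use_fully_qualified_names = true
cache_credentials = false
```

The file must be mode 0600 and owned by root, since it holds the bind secrets. `ldap_tls_reqcert = demand` plus a pinned CA is what prevents a spoofed domain controller from harvesting passwords during the bind, and `ldap_id_mapping` keeps the two directories from issuing overlapping numeric IDs on the Linux side. Because this is a bind rather than a domain join, Kerberos SSO and group policy are not available; that is the trade-off against the cross-domain trust suggested in the reply above.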



BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org