[Gllug] Integrating *nixen (mostly OSX) into MS Active Directory

Jose Luis Martinez jjllmmss at googlemail.com
Fri Oct 24 16:43:51 UTC 2008


2008/10/23 Avi Greenbury <avismailinglistaccount at googlemail.com>:

>
> I want to argue that it is possible to achieve some AD integration with
> *nix OSs (I presume I can get quite a bit with an LDAP client?), but I'm
> having fun finding any real-world information on it.

Strictly speaking there is no such thing as an LDAP client; what
you need is to investigate Kerberos and thank the community (Red
Hat mostly, I believe) who have released Kerberized applications that
can make use of a Kerberos ticket.

Have a look at http://en.wikipedia.org/wiki/Single_sign-on; it may
start you in the right direction.

In general terms this is how a solution would work:

-User logs in to the Linux machine and is authenticated using LDAP data
(thus you need to configure your machine to talk to the AD server; no
experience with this, it may not be possible, or you may need to make
data dumps from AD to an LDAP server that could talk to your client;
in synthesis, terribly tricky).

-Once the user is logged in he has to get a Kerberos ticket (this may be automated).

-Once the Kerberos ticket is obtained the user launches applications
that can use such tickets and thus require no further authentication
(let's say an email client, which would no longer ask you for IMAP or POP3
information to check your email, which is what happens with Outlook in
the MS world).


>
> Have any of you got any experience of it, and how successful were you?
> I'm currently more after an idea of what is possible than an explanation
> of exactly how I do it (with a bit of luck I'll be back for that shortly).
>

It is not a trivial exercise; separating the machines for
authentication purposes is perfectly doable and perhaps the easiest
route, but security should not really be mentioned as an issue. If the
AD servers are configured correctly I fail to see why a non-MS client
would be more insecure.
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
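As an added example (not from the thread): the three-step flow above ends with the user launching applications on an existing ticket, so it is worth checking that the TGT in the credential cache is still valid first. This script parses a constructed MIT `klist` listing and reports the TGT state; the realm, principal and host names are placeholders.

```python
"""Check a Kerberos credential cache listing before starting kerberized apps.

Parses the text MIT `klist` prints, finds the TGT (krbtgt/REALM@REALM) and
reports whether it is valid at a given time. The sample listing below is
constructed for this example; realm and hostnames are placeholders.
"""
import re
from datetime import datetime

# Constructed sample of `klist` output (LANG=C formatting), not real data.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
10/24/2008 16:43:51  10/25/2008 02:43:51  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 10/31/2008 16:43:51
10/24/2008 16:45:10  10/25/2008 02:43:51  imap/mail.example.com@EXAMPLE.COM
"""

# Two timestamps followed by a service principal; klist prints 2- or 4-digit years.
TICKET_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2})\s+"
    r"(\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2})\s+(\S+)$"
)

def _parse_time(text):
    for fmt in ("%m/%d/%Y %H:%M:%S", "%m/%d/%y %H:%M:%S"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError("unrecognised klist timestamp: %r" % text)

def parse_klist(output):
    """Return (principal, tickets); each ticket is (service, starts, expires)."""
    principal, tickets = None, []
    for line in output.splitlines():
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        m = TICKET_RE.match(line.strip())  # 'renew until' lines do not match
        if m:
            tickets.append((m.group(3), _parse_time(m.group(1)), _parse_time(m.group(2))))
    return principal, tickets

def tgt_status(output, now):
    """Return 'valid', 'expired' or 'missing' for the TGT of the cache's realm."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    principal, tickets = parse_klist(output)
    if not principal or "@" not in principal:
        return "missing"
    realm = principal.rsplit("@", 1)[1]
    tgt = "krbtgt/%s@%s" % (realm, realm)
    for service, starts, expires in tickets:
        if service == tgt:
            return "valid" if starts <= now < expires else "expired"
    return "missing"
```

In practice the listing comes from `klist` run against the user's cache; an `expired` or `missing` result is the cue to run `kinit` again rather than letting the mail client fall back to prompting for a password.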