Active Directory Based Authentication?


Active Directory Based Authentication?

Pandu Poluan

Hello list,

I just want to know, what is your recommendation(s) to implement Active Directory authentication on Gentoo?

I want to use AD not only for logins, but also for running daemons/services.

*Ideally*, it would also allow me to manage my boxen using GPO, but I can live without that.

Rgds,


Re: Active Directory Based Authentication?

Matthew Thode (prometheanfire)
On 05/10/2012 10:36 PM, Pandu Poluan wrote:

> Hello list,
>
> I just want to know, what is your recommendation(s) to implement Active
> Directory authentication on Gentoo?
>
> I want to use AD not only for logins, but also for running daemons/services.
>
> *Ideally*, it would also allow me to manage my boxen using GPO, but I can
> live without that.
>
> Rgds,
>
Not trying to be rude or anything, but it's easier than providing
multiple links.

http://lmgtfy.com/?q=active+directory+authentication+linux


--
-- Matthew Thode (prometheanfire)



Re: Active Directory Based Authentication?

Brian Kroth
In reply to this post by Pandu Poluan
Pandu Poluan <[hidden email]> 2012-05-11 10:36:
>   Hello list,
>
>   I just want to know, what is your recommendation(s) to implement Active
>   Directory authentication on Gentoo?

Attribute data can be stored/retrieved in ldaps (as in AD usually only
allows authenticated binds to retrieve data and it requires an ssl
connection to do that, other than that it's really just ldap).

Authentication can be done either via ldaps or kerberos, though I
personally find the latter to be extra complication that's usually
unnecessary.

As someone else mentioned, there's a wealth of data out there on how to
do this in any number of schemes (eg: libnss-ldap, libpam-ldap, sssd,
etc.).

>   I want to use AD not only for logins, but also for running
>   daemons/services.

I don't see the distinction.  Either way it seems you're concerned with
authenticating users and doing attribute lookups on them.

>   *Ideally*, it would also allow me to manage my boxen using GPO, but I can
>   live without that.

I'm not personally aware of anything that does that.  If there is, it's
probably something like redhat/suse specific.

However, I believe it is possible to use a samba4 host as a domain
controller to serve GPs to windows clients.

Cheers,
Brian


Re: Active Directory Based Authentication?

Vinícius Ferrão
In reply to this post by Pandu Poluan
Hello Pandu,

I have done an implementation using a daemon named sssd. It's sponsored by the Fedora Project if I remember correctly.

It supports 2008r2 AD without much hassle. I've set up everything relying on LDAP for information and Kerberos for authentication. So you don't need things like nss-ldap, nslcd, nscd and other old services. You can handle almost everything with SSSD. And even better: SSSD supports offline server authentication in case your AD is down or not reachable at the moment.

I can send you some links in the night (Brazilian night) when I will be at home.

Sent from my iPhone

On 11/05/2012, at 00:36, Pandu Poluan <[hidden email]> wrote:

Hello list,

I just want to know, what is your recommendation(s) to implement Active Directory authentication on Gentoo?

I want to use AD not only for logins, but also for running daemons/services.

*Ideally*, it would also allow me to manage my boxen using GPO, but I can live without that.

Rgds,
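
The setup described in the message above (LDAP for identity data, Kerberos for authentication, cached credentials for offline logins), combined with the ldaps and authenticated-bind points from the earlier reply, sketched as an `sssd.conf`. This is an added example, not part of the original thread; the realm, hostnames, CA path and bind account are constructed placeholders, and it assumes POSIX attributes are populated in AD.

```ini
# /etc/sssd/sssd.conf -- must be owned by root with mode 0600.
# EXAMPLE.COM, dc1.example.com, the CA path and the bind DN are placeholders.
[sssd]
config_file_version = 2
services = nss, pam
domains = EXAMPLE.COM

[nss]
# Never resolve root from the directory.
filter_users = root
filter_groups = root

[pam]
# Days a cached credential stays usable while AD is unreachable (0 = no limit).
offline_credentials_expiration = 3

[domain/EXAMPLE.COM]
# Identity (users, groups) from LDAP; passwords checked with Kerberos.
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5

# LDAP lookups: TLS, authenticated bind, server certificate must validate.
ldap_uri = ldaps://dc1.example.com
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/example-ad-ca.pem
ldap_default_bind_dn = cn=sssd-bind,cn=Users,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = REPLACE_ME

# Map AD object classes and attributes onto POSIX accounts
# (assumes uidNumber/gidNumber/unixHomeDirectory are set in AD).
ldap_schema = rfc2307bis
ldap_user_object_class = user
ldap_group_object_class = group
ldap_user_name = sAMAccountName
ldap_user_home_directory = unixHomeDirectory

# Kerberos against the AD KDC. krb5_validate needs a host keytab
# so the TGT can be checked against a spoofed KDC.
krb5_realm = EXAMPLE.COM
krb5_server = dc1.example.com
krb5_validate = true

# Offline authentication: store a hash of the last good password locally.
cache_credentials = true
```

For the domain to be consulted, `sss` also has to be listed for `passwd` and `group` in `/etc/nsswitch.conf`, and `pam_sss.so` has to be in the PAM stack.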


Re: Active Directory Based Authentication?

Matthew Thode (prometheanfire)
On 05/11/2012 09:51 AM, Vinícius Ferrão wrote:

> Hello Pandu,
>
> I have done an implementation using a daemon named sssd. It's sponsored by the Fedora Project if I remember correctly.
>
> It supports 2008r2 AD without much hassle. I've set up everything relying on LDAP for information and Kerberos for authentication. So you don't need things like nss-ldap, nslcd, nscd and other old services. You can handle almost everything with SSSD. And even better: SSSD supports offline server authentication in case your AD is down or not reachable at the moment.
>
> I can send you some links in the night (Brazilian night) when I will be at home.
>
> Sent from my iPhone
>
> On 11/05/2012, at 00:36, Pandu Poluan <[hidden email]> wrote:
>
>> Hello list,
>>
>> I just want to know, what is your recommendation(s) to implement Active Directory authentication on Gentoo?
>>
>> I want to use AD not only for logins, but also for running daemons/services.
>>
>> *Ideally*, it would also allow me to manage my boxen using GPO, but I can live without that.
>>
>> Rgds,
>
I can attest to how awesome sssd is.  I use it for linux server to linux
client, but the concept is still the same.

--
-- Matthew Thode (prometheanfire)



Re: Active Directory Based Authentication?

Pandu Poluan
In reply to this post by Matthew Thode (prometheanfire)


On May 11, 2012 9:16 PM, "Matthew Thode" <[hidden email]> wrote:
>
> On 05/10/2012 10:36 PM, Pandu Poluan wrote:
> > Hello list,
> >
> > I just want to know, what is your recommendation(s) to implement Active
> > Directory authentication on Gentoo?
> >
> > I want to use AD not only for logins, but also for running daemons/services.
> >
> > *Ideally*, it would also allow me to manage my boxen using GPO, but I can
> > live without that.
> >
> > Rgds,
> >
> Not trying to be rude or anything, but it's easier than providing
> multiple links.
>
> http://lmgtfy.com/?q=active+directory+authentication+linux
>
>

I *already* Googled for answers. I got lots of _alternatives_ but not enough _experience-based_recommendations_.

Rgds,


Re: Active Directory Based Authentication?

Pandu Poluan
In reply to this post by Brian Kroth


On May 11, 2012 9:30 PM, "Brian Kroth" <[hidden email]> wrote:
>
> Pandu Poluan <[hidden email]> 2012-05-11 10:36:
>
>>  Hello list,
>>
>>  I just want to know, what is your recommendation(s) to implement Active
>>  Directory authentication on Gentoo?
>
>
> Attribute data can be stored/retrieved in ldaps (as in AD usually only allows authenticated binds to retrieve data and it requires an ssl connection to do that, other than that it's really just ldap).
>
> Authentication can be done either via ldaps or kerberos, though I personally find the latter to be extra complication that's usually unnecessary.
>
> As someone else mentioned, there's a wealth of data out there on how to do this in any number of schemes (eg: libnss-ldap, libpam-ldap, sssd, etc.).
>
>
>>  I want to use AD not only for logins, but also for running
>>  daemons/services.
>
>
> I don't see the distinction.  Either way it seems you're concerned with authenticating users and doing attribute lookups on them.
>
>
>>  *Ideally*, it would also allow me to manage my boxen using GPO, but I can
>>  live without that.
>
>
> I'm not personally aware of anything that does that.  If there is, it's probably something like redhat/suse specific.
>
> However, I believe it is possible to use a samba4 host as a domain controller to serve GPs to windows clients.
>

PowerBroker (née Likewise) claims that it can manage Linux boxen via GPO...

... but in my case I think I'll just force my subordinates to learn puppet *heh*heh*

Rgds,


Re: Active Directory Based Authentication?

Pandu Poluan
In reply to this post by Matthew Thode (prometheanfire)


On May 12, 2012 4:28 AM, "Matthew Thode" <[hidden email]> wrote:
>
> On 05/11/2012 09:51 AM, Vinícius Ferrão wrote:
> > Hello Pandu,
> >
> > I have done an implementation using a daemon named sssd. It's sponsored by the Fedora Project if I remember correctly.
> >
> > It supports 2008r2 AD without much hassle. I've set up everything relying on LDAP for information and Kerberos for authentication. So you don't need things like nss-ldap, nslcd, nscd and other old services. You can handle almost everything with SSSD. And even better: SSSD supports offline server authentication in case your AD is down or not reachable at the moment.
> >
> > I can send you some links in the night (Brazilian night) when I will be at home.
> >
> > Sent from my iPhone
> >
> > On 11/05/2012, at 00:36, Pandu Poluan <[hidden email]> wrote:
> >
> >> Hello list,
> >>
> >> I just want to know, what is your recommendation(s) to implement Active Directory authentication on Gentoo?
> >>
> >> I want to use AD not only for logins, but also for running daemons/services.
> >>
> >> *Ideally*, it would also allow me to manage my boxen using GPO, but I can live without that.
> >>
> >> Rgds,
> >
> I can attest to how awesome sssd is.  I use it for linux server to linux
> client, but the concept is still the same.
>

Ahaha, this is what I've been looking for: a recommendation backed by experience ;-)

Thanks for the heads up, guys! Honestly, this is the first time I ever heard of SSSD. Sounds very interesting... I'll certainly look into it.

Rgds,