Authenticating To Multiple LDAP ServersLDAP on openSUSEmod_authnz_ldap bind as authenticating user instead of...
Are personality traits, ideals, bonds, and flaws required?
Are professors obligated to accept supervisory role? If not, how does it work?
After a few interviews, What should I do after told to wait?
How strong is aircraft-grade spruce?
Poor management handling of recent sickness and how to approach my return?
Capacitors with same voltage, same capacitance, same temp, different diameter?
Friend is very nitpicky about side comments I don't intend to be taken too seriously
Do aarakocra have arms as well as wings?
Isn't that (two voices leaping to C like this) a breaking of the rules of four-part harmony?
Contour plot of a sequence of spheres with increasing radius
Short story: Interstellar inspector senses "off" nature of planet hiding aggressive culture
Why does low tire pressure decrease fuel economy?
How should we understand "unobscured by flying friends" in this context?
Does the 2019 UA artificer need to prepare the Lesser Restoration spell to cast it with their Alchemical Mastery feature?
Why would an airport be depicted with symbology for runways longer than 8,069 feet even though it is reported on the sectional as 7,200 feet?
Methods and Feasibility of Antimatter Mining?
Owner keeps cutting corners and poaching workers for his other company
How do Scrum teams manage their dependencies on other teams?
What can we do about our 9-month-old putting fingers down his throat?
What is the difference between a translation and a Galilean transformation?
How can Schrödinger's cat be both dead and alive?
Can multiple public keys lead to the same shared secret in x25519?
How to reference a custom counter that shows section number?
Is there a specific way to describe over-grown, old, tough vegetables?
Authenticating To Multiple LDAP Servers
LDAP on openSUSEmod_authnz_ldap bind as authenticating user instead of anonymouslyLDAP and NFS on two different serversHow do I view multiple users groups using sssd?authenticating ldap users with searchguard for elasticsearchHow to connect Kerberos with multiple LDAP servers?Central user management with multiple servers with SSH keys, LDAP?LDAP authentication and default groupsRegarding PAM via ldapcannot authenticate via LDAP as user has multiple UIDs
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ margin-bottom:0;
}
Owing to a corporate strategy I am moving human user authentication from an implementation of LDAP locally to a centralized Active Directory domain. The problem is that we have a tightly constrained sudoers setup within LDAP. Our Windows admins are unable to mirror this setup without considerable work and possibly not even completely if the time is devoted. An idea that was posed was this:
Authenticate to Active Directory but maintain sudoers management within our existing LDAP infrastructure.
The question then is it possible to either authenticate using an alternate method/server for AD so I can have LDAP for sudoers and something alternative for passwd in /etc/nsswitch.conf?
Due to scale, maintaining local /etc/sudoers files for each guest would be administratively prohibitive and a step back in terms of architecture and scalability.
authentication ldap sles
edited Aug 18 '14 at 22:56
Braiam
24.8k20 gold badges82 silver badges147 bronze badges
asked Aug 18 '14 at 22:47
G3zVMG3zVM
63 bronze badges
bumped to the homepage by Community♦ 40 mins ago
This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.
add a comment |
Owing to a corporate strategy I am moving human user authentication from an implementation of LDAP locally to a centralized Active Directory domain. The problem is that we have a tightly constrained sudoers setup within LDAP. Our Windows admins are unable to mirror this setup without considerable work and possibly not even completely if the time is devoted. An idea that was posed was this:
Authenticate to Active Directory but maintain sudoers management within our existing LDAP infrastructure.
The question then is it possible to either authenticate using an alternate method/server for AD so I can have LDAP for sudoers and something alternative for passwd in /etc/nsswitch.conf?
Due to scale, maintaining local /etc/sudoers files for each guest would be administratively prohibitive and a step back in terms of architecture and scalability.
authentication ldap sles
edited Aug 18 '14 at 22:56
Braiam
24.8k20 gold badges82 silver badges147 bronze badges
asked Aug 18 '14 at 22:47
G3zVMG3zVM
63 bronze badges
bumped to the homepage by Community♦ 40 mins ago
This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.
2
I would advise sssd. You can configure it to use multiple LDAP directories, so if a user isn't found in one, it'll try another. This will let you migrate as slow as you want. It works for authentication (pam) and sudo.
– Patrick
Aug 19 '14 at 4:41
add a comment |
Owing to a corporate strategy I am moving human user authentication from an implementation of LDAP locally to a centralized Active Directory domain. The problem is that we have a tightly constrained sudoers setup within LDAP. Our Windows admins are unable to mirror this setup without considerable work and possibly not even completely if the time is devoted. An idea that was posed was this:
Authenticate to Active Directory but maintain sudoers management within our existing LDAP infrastructure.
The question then is it possible to either authenticate using an alternate method/server for AD so I can have LDAP for sudoers and something alternative for passwd in /etc/nsswitch.conf?
Due to scale, maintaining local /etc/sudoers files for each guest would be administratively prohibitive and a step back in terms of architecture and scalability.
authentication ldap sles
edited Aug 18 '14 at 22:56
Braiam
24.8k20 gold badges82 silver badges147 bronze badges
asked Aug 18 '14 at 22:47
G3zVMG3zVM
63 bronze badges
Owing to a corporate strategy I am moving human user authentication from an implementation of LDAP locally to a centralized Active Directory domain. The problem is that we have a tightly constrained sudoers setup within LDAP. Our Windows admins are unable to mirror this setup without considerable work and possibly not even completely if the time is devoted. An idea that was posed was this:
Authenticate to Active Directory but maintain sudoers management within our existing LDAP infrastructure.
The question then is it possible to either authenticate using an alternate method/server for AD so I can have LDAP for sudoers and something alternative for passwd in /etc/nsswitch.conf?
Due to scale, maintaining local /etc/sudoers files for each guest would be administratively prohibitive and a step back in terms of architecture and scalability.
authentication ldap sles
authentication ldap sles
edited Aug 18 '14 at 22:56
Braiam
24.8k20 gold badges82 silver badges147 bronze badges
asked Aug 18 '14 at 22:47
G3zVMG3zVM
63 bronze badges
edited Aug 18 '14 at 22:56
Braiam
24.8k20 gold badges82 silver badges147 bronze badges
asked Aug 18 '14 at 22:47
G3zVMG3zVM
63 bronze badges
edited Aug 18 '14 at 22:56
Braiam
24.8k20 gold badges82 silver badges147 bronze badges
edited Aug 18 '14 at 22:56
Braiam
24.8k20 gold badges82 silver badges147 bronze badges
edited Aug 18 '14 at 22:56
Braiam
24.8k20 gold badges82 silver badges147 bronze badges
24.8k20 gold badges82 silver badges147 bronze badges
asked Aug 18 '14 at 22:47
G3zVMG3zVM
63 bronze badges
asked Aug 18 '14 at 22:47
G3zVMG3zVM
63 bronze badges
asked Aug 18 '14 at 22:47
G3zVMG3zVM
63 bronze badges
63 bronze badges
bumped to the homepage by Community♦ 40 mins ago
This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.
bumped to the homepage by Community♦ 40 mins ago
This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.
bumped to the homepage by Community♦ 40 mins ago
This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.
2
I would advise sssd. You can configure it to use multiple LDAP directories, so if a user isn't found in one, it'll try another. This will let you migrate as slow as you want. It works for authentication (pam) and sudo.
– Patrick
Aug 19 '14 at 4:41
add a comment |
2
I would advise sssd. You can configure it to use multiple LDAP directories, so if a user isn't found in one, it'll try another. This will let you migrate as slow as you want. It works for authentication (pam) and sudo.
– Patrick
Aug 19 '14 at 4:41
2
2
I would advise sssd. You can configure it to use multiple LDAP directories, so if a user isn't found in one, it'll try another. This will let you migrate as slow as you want. It works for authentication (pam) and sudo.
– Patrick
Aug 19 '14 at 4:41
I would advise sssd. You can configure it to use multiple LDAP directories, so if a user isn't found in one, it'll try another. This will let you migrate as slow as you want. It works for authentication (pam) and sudo.
– Patrick
Aug 19 '14 at 4:41
add a comment |
1 Answer
1
active
oldest
votes
I can recommend a solution by using Univention Corporate Server (UCS). It is a Debian-based Linux enterprise distribution that integrates an Actice Directory compatible domain using Samba 4. So this could become the centralized Active Directory you are speaking of.
As to the LDAP issue, UCS also includes OpenLDAP. This means, you can integrate your existing Linux/Unix systems using the OpenLDAP of UCS and your windows clients/servers using the Samba 4 Active Directory.
Concerning the sudoers, there's a cool solution for sudo available that makes sudo configurable via the web-based Univention Management Console:
http://wiki.univention.de/index.php?title=Cool_Solution_-_Setup_sudo_with_ldap_on_multiserver_environments
Or as another alternative, if you want to keep your existing Microsoft AD as the main directory, you can achieve automatic synchronization of users, groups and optionally password-hashes between this and the OpenLDAP directory of UCS via the in UCS integrated tool Active Directory Connection. This tool is available via the Univention App Center, which is also part of UCS by default.
Further information on UCS can be found within the a.m. wiki and at:
https://www.univention.com/products/ucs/
answered Nov 26 '14 at 12:49
Maren AbatielosMaren Abatielos
211 bronze badge
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "106"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/4.0/"u003ecc by-sa 4.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f150872%2fauthenticating-to-multiple-ldap-servers%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
I can recommend a solution by using Univention Corporate Server (UCS). It is a Debian-based Linux enterprise distribution that integrates an Actice Directory compatible domain using Samba 4. So this could become the centralized Active Directory you are speaking of.
As to the LDAP issue, UCS also includes OpenLDAP. This means, you can integrate your existing Linux/Unix systems using the OpenLDAP of UCS and your windows clients/servers using the Samba 4 Active Directory.
Concerning the sudoers, there's a cool solution for sudo available that makes sudo configurable via the web-based Univention Management Console:
http://wiki.univention.de/index.php?title=Cool_Solution_-_Setup_sudo_with_ldap_on_multiserver_environments
Or as another alternative, if you want to keep your existing Microsoft AD as the main directory, you can achieve automatic synchronization of users, groups and optionally password-hashes between this and the OpenLDAP directory of UCS via the in UCS integrated tool Active Directory Connection. This tool is available via the Univention App Center, which is also part of UCS by default.
Further information on UCS can be found within the a.m. wiki and at:
https://www.univention.com/products/ucs/
answered Nov 26 '14 at 12:49
Maren AbatielosMaren Abatielos
211 bronze badge
add a comment |
I can recommend a solution by using Univention Corporate Server (UCS). It is a Debian-based Linux enterprise distribution that integrates an Actice Directory compatible domain using Samba 4. So this could become the centralized Active Directory you are speaking of.
As to the LDAP issue, UCS also includes OpenLDAP. This means, you can integrate your existing Linux/Unix systems using the OpenLDAP of UCS and your windows clients/servers using the Samba 4 Active Directory.
Concerning the sudoers, there's a cool solution for sudo available that makes sudo configurable via the web-based Univention Management Console:
http://wiki.univention.de/index.php?title=Cool_Solution_-_Setup_sudo_with_ldap_on_multiserver_environments
Or as another alternative, if you want to keep your existing Microsoft AD as the main directory, you can achieve automatic synchronization of users, groups and optionally password-hashes between this and the OpenLDAP directory of UCS via the in UCS integrated tool Active Directory Connection. This tool is available via the Univention App Center, which is also part of UCS by default.
Further information on UCS can be found within the a.m. wiki and at:
https://www.univention.com/products/ucs/
answered Nov 26 '14 at 12:49
Maren AbatielosMaren Abatielos
211 bronze badge
add a comment |
I can recommend a solution by using Univention Corporate Server (UCS). It is a Debian-based Linux enterprise distribution that integrates an Actice Directory compatible domain using Samba 4. So this could become the centralized Active Directory you are speaking of.
As to the LDAP issue, UCS also includes OpenLDAP. This means, you can integrate your existing Linux/Unix systems using the OpenLDAP of UCS and your windows clients/servers using the Samba 4 Active Directory.
Concerning the sudoers, there's a cool solution for sudo available that makes sudo configurable via the web-based Univention Management Console:
http://wiki.univention.de/index.php?title=Cool_Solution_-_Setup_sudo_with_ldap_on_multiserver_environments
Or as another alternative, if you want to keep your existing Microsoft AD as the main directory, you can achieve automatic synchronization of users, groups and optionally password-hashes between this and the OpenLDAP directory of UCS via the in UCS integrated tool Active Directory Connection. This tool is available via the Univention App Center, which is also part of UCS by default.
Further information on UCS can be found within the a.m. wiki and at:
https://www.univention.com/products/ucs/
answered Nov 26 '14 at 12:49
Maren AbatielosMaren Abatielos
211 bronze badge
I can recommend a solution by using Univention Corporate Server (UCS). It is a Debian-based Linux enterprise distribution that integrates an Actice Directory compatible domain using Samba 4. So this could become the centralized Active Directory you are speaking of.
As to the LDAP issue, UCS also includes OpenLDAP. This means, you can integrate your existing Linux/Unix systems using the OpenLDAP of UCS and your windows clients/servers using the Samba 4 Active Directory.
Concerning the sudoers, there's a cool solution for sudo available that makes sudo configurable via the web-based Univention Management Console:
http://wiki.univention.de/index.php?title=Cool_Solution_-_Setup_sudo_with_ldap_on_multiserver_environments
Or as another alternative, if you want to keep your existing Microsoft AD as the main directory, you can achieve automatic synchronization of users, groups and optionally password-hashes between this and the OpenLDAP directory of UCS via the in UCS integrated tool Active Directory Connection. This tool is available via the Univention App Center, which is also part of UCS by default.
Further information on UCS can be found within the a.m. wiki and at:
https://www.univention.com/products/ucs/
answered Nov 26 '14 at 12:49
Maren AbatielosMaren Abatielos
211 bronze badge
answered Nov 26 '14 at 12:49
Maren AbatielosMaren Abatielos
211 bronze badge
answered Nov 26 '14 at 12:49
Maren AbatielosMaren Abatielos
211 bronze badge
answered Nov 26 '14 at 12:49
Maren AbatielosMaren Abatielos
211 bronze badge
211 bronze badge
add a comment |
add a comment |
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f150872%2fauthenticating-to-multiple-ldap-servers%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
2
I would advise sssd. You can configure it to use multiple LDAP directories, so if a user isn't found in one, it'll try another. This will let you migrate as slow as you want. It works for authentication (pam) and sudo.
– Patrick
Aug 19 '14 at 4:41