Authenticating To Multiple LDAP Servers
Clash Royale CLAN TAG#URR8PPP
Owing to a corporate strategy I am moving human user authentication from an implementation of LDAP locally to a centralized Active Directory domain. The problem is that we have a tightly constrained sudoers setup within LDAP. Our Windows admins are unable to mirror this setup without considerable work and possibly not even completely if the time is devoted. An idea that was posed was this:
Authenticate to Active Directory but maintain sudoers management within our existing LDAP infrastructure.
The question then is it possible to either authenticate using an alternate method/server for AD so I can have LDAP for sudoers and something alternative for passwd in /etc/nsswitch.conf?
Due to scale, maintaining local /etc/sudoers files for each guest would be administratively prohibitive and a step back in terms of architecture and scalability.
authentication ldap sles
edited Aug 18 '14 at 22:56
Braiam
23.3k1976139
asked Aug 18 '14 at 22:47
G3zVMG3zVM
12
add a comment |
Owing to a corporate strategy I am moving human user authentication from an implementation of LDAP locally to a centralized Active Directory domain. The problem is that we have a tightly constrained sudoers setup within LDAP. Our Windows admins are unable to mirror this setup without considerable work and possibly not even completely if the time is devoted. An idea that was posed was this:
Authenticate to Active Directory but maintain sudoers management within our existing LDAP infrastructure.
The question then is it possible to either authenticate using an alternate method/server for AD so I can have LDAP for sudoers and something alternative for passwd in /etc/nsswitch.conf?
Due to scale, maintaining local /etc/sudoers files for each guest would be administratively prohibitive and a step back in terms of architecture and scalability.
authentication ldap sles
edited Aug 18 '14 at 22:56
Braiam
23.3k1976139
asked Aug 18 '14 at 22:47
G3zVMG3zVM
12
1
I would advise sssd. You can configure it to use multiple LDAP directories, so if a user isn't found in one, it'll try another. This will let you migrate as slow as you want. It works for authentication (pam) and sudo.
– Patrick
Aug 19 '14 at 4:41
add a comment |
Owing to a corporate strategy I am moving human user authentication from an implementation of LDAP locally to a centralized Active Directory domain. The problem is that we have a tightly constrained sudoers setup within LDAP. Our Windows admins are unable to mirror this setup without considerable work and possibly not even completely if the time is devoted. An idea that was posed was this:
Authenticate to Active Directory but maintain sudoers management within our existing LDAP infrastructure.
The question then is it possible to either authenticate using an alternate method/server for AD so I can have LDAP for sudoers and something alternative for passwd in /etc/nsswitch.conf?
Due to scale, maintaining local /etc/sudoers files for each guest would be administratively prohibitive and a step back in terms of architecture and scalability.
authentication ldap sles
edited Aug 18 '14 at 22:56
Braiam
23.3k1976139
asked Aug 18 '14 at 22:47
G3zVMG3zVM
12
Owing to a corporate strategy I am moving human user authentication from an implementation of LDAP locally to a centralized Active Directory domain. The problem is that we have a tightly constrained sudoers setup within LDAP. Our Windows admins are unable to mirror this setup without considerable work and possibly not even completely if the time is devoted. An idea that was posed was this:
Authenticate to Active Directory but maintain sudoers management within our existing LDAP infrastructure.
The question then is it possible to either authenticate using an alternate method/server for AD so I can have LDAP for sudoers and something alternative for passwd in /etc/nsswitch.conf?
Due to scale, maintaining local /etc/sudoers files for each guest would be administratively prohibitive and a step back in terms of architecture and scalability.
authentication ldap sles
authentication ldap sles
edited Aug 18 '14 at 22:56
Braiam
23.3k1976139
asked Aug 18 '14 at 22:47
G3zVMG3zVM
12
edited Aug 18 '14 at 22:56
Braiam
23.3k1976139
asked Aug 18 '14 at 22:47
G3zVMG3zVM
12
edited Aug 18 '14 at 22:56
Braiam
23.3k1976139
edited Aug 18 '14 at 22:56
Braiam
23.3k1976139
edited Aug 18 '14 at 22:56
Braiam
23.3k1976139
23.3k1976139
asked Aug 18 '14 at 22:47
G3zVMG3zVM
12
asked Aug 18 '14 at 22:47
G3zVMG3zVM
12
asked Aug 18 '14 at 22:47
G3zVMG3zVM
12
12
1
I would advise sssd. You can configure it to use multiple LDAP directories, so if a user isn't found in one, it'll try another. This will let you migrate as slow as you want. It works for authentication (pam) and sudo.
– Patrick
Aug 19 '14 at 4:41
add a comment |
1
I would advise sssd. You can configure it to use multiple LDAP directories, so if a user isn't found in one, it'll try another. This will let you migrate as slow as you want. It works for authentication (pam) and sudo.
– Patrick
Aug 19 '14 at 4:41
1
1
I would advise sssd. You can configure it to use multiple LDAP directories, so if a user isn't found in one, it'll try another. This will let you migrate as slow as you want. It works for authentication (pam) and sudo.
– Patrick
Aug 19 '14 at 4:41
I would advise sssd. You can configure it to use multiple LDAP directories, so if a user isn't found in one, it'll try another. This will let you migrate as slow as you want. It works for authentication (pam) and sudo.
– Patrick
Aug 19 '14 at 4:41
add a comment |
1 Answer
1
active
oldest
votes
I can recommend a solution by using Univention Corporate Server (UCS). It is a Debian-based Linux enterprise distribution that integrates an Actice Directory compatible domain using Samba 4. So this could become the centralized Active Directory you are speaking of.
As to the LDAP issue, UCS also includes OpenLDAP. This means, you can integrate your existing Linux/Unix systems using the OpenLDAP of UCS and your windows clients/servers using the Samba 4 Active Directory.
Concerning the sudoers, there's a cool solution for sudo available that makes sudo configurable via the web-based Univention Management Console:
http://wiki.univention.de/index.php?title=Cool_Solution_-_Setup_sudo_with_ldap_on_multiserver_environments
Or as another alternative, if you want to keep your existing Microsoft AD as the main directory, you can achieve automatic synchronization of users, groups and optionally password-hashes between this and the OpenLDAP directory of UCS via the in UCS integrated tool Active Directory Connection. This tool is available via the Univention App Center, which is also part of UCS by default.
Further information on UCS can be found within the a.m. wiki and at:
https://www.univention.com/products/ucs/
answered Nov 26 '14 at 12:49
Maren AbatielosMaren Abatielos
1
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f150872%2fauthenticating-to-multiple-ldap-servers%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
I can recommend a solution by using Univention Corporate Server (UCS). It is a Debian-based Linux enterprise distribution that integrates an Actice Directory compatible domain using Samba 4. So this could become the centralized Active Directory you are speaking of.
As to the LDAP issue, UCS also includes OpenLDAP. This means, you can integrate your existing Linux/Unix systems using the OpenLDAP of UCS and your windows clients/servers using the Samba 4 Active Directory.
Concerning the sudoers, there's a cool solution for sudo available that makes sudo configurable via the web-based Univention Management Console:
http://wiki.univention.de/index.php?title=Cool_Solution_-_Setup_sudo_with_ldap_on_multiserver_environments
Or as another alternative, if you want to keep your existing Microsoft AD as the main directory, you can achieve automatic synchronization of users, groups and optionally password-hashes between this and the OpenLDAP directory of UCS via the in UCS integrated tool Active Directory Connection. This tool is available via the Univention App Center, which is also part of UCS by default.
Further information on UCS can be found within the a.m. wiki and at:
https://www.univention.com/products/ucs/
answered Nov 26 '14 at 12:49
Maren AbatielosMaren Abatielos
1
add a comment |
I can recommend a solution by using Univention Corporate Server (UCS). It is a Debian-based Linux enterprise distribution that integrates an Actice Directory compatible domain using Samba 4. So this could become the centralized Active Directory you are speaking of.
As to the LDAP issue, UCS also includes OpenLDAP. This means, you can integrate your existing Linux/Unix systems using the OpenLDAP of UCS and your windows clients/servers using the Samba 4 Active Directory.
Concerning the sudoers, there's a cool solution for sudo available that makes sudo configurable via the web-based Univention Management Console:
http://wiki.univention.de/index.php?title=Cool_Solution_-_Setup_sudo_with_ldap_on_multiserver_environments
Or as another alternative, if you want to keep your existing Microsoft AD as the main directory, you can achieve automatic synchronization of users, groups and optionally password-hashes between this and the OpenLDAP directory of UCS via the in UCS integrated tool Active Directory Connection. This tool is available via the Univention App Center, which is also part of UCS by default.
Further information on UCS can be found within the a.m. wiki and at:
https://www.univention.com/products/ucs/
answered Nov 26 '14 at 12:49
Maren AbatielosMaren Abatielos
1
add a comment |
I can recommend a solution by using Univention Corporate Server (UCS). It is a Debian-based Linux enterprise distribution that integrates an Actice Directory compatible domain using Samba 4. So this could become the centralized Active Directory you are speaking of.
As to the LDAP issue, UCS also includes OpenLDAP. This means, you can integrate your existing Linux/Unix systems using the OpenLDAP of UCS and your windows clients/servers using the Samba 4 Active Directory.
Concerning the sudoers, there's a cool solution for sudo available that makes sudo configurable via the web-based Univention Management Console:
http://wiki.univention.de/index.php?title=Cool_Solution_-_Setup_sudo_with_ldap_on_multiserver_environments
Or as another alternative, if you want to keep your existing Microsoft AD as the main directory, you can achieve automatic synchronization of users, groups and optionally password-hashes between this and the OpenLDAP directory of UCS via the in UCS integrated tool Active Directory Connection. This tool is available via the Univention App Center, which is also part of UCS by default.
Further information on UCS can be found within the a.m. wiki and at:
https://www.univention.com/products/ucs/
answered Nov 26 '14 at 12:49
Maren AbatielosMaren Abatielos
1
I can recommend a solution by using Univention Corporate Server (UCS). It is a Debian-based Linux enterprise distribution that integrates an Actice Directory compatible domain using Samba 4. So this could become the centralized Active Directory you are speaking of.
As to the LDAP issue, UCS also includes OpenLDAP. This means, you can integrate your existing Linux/Unix systems using the OpenLDAP of UCS and your windows clients/servers using the Samba 4 Active Directory.
Concerning the sudoers, there's a cool solution for sudo available that makes sudo configurable via the web-based Univention Management Console:
http://wiki.univention.de/index.php?title=Cool_Solution_-_Setup_sudo_with_ldap_on_multiserver_environments
Or as another alternative, if you want to keep your existing Microsoft AD as the main directory, you can achieve automatic synchronization of users, groups and optionally password-hashes between this and the OpenLDAP directory of UCS via the in UCS integrated tool Active Directory Connection. This tool is available via the Univention App Center, which is also part of UCS by default.
Further information on UCS can be found within the a.m. wiki and at:
https://www.univention.com/products/ucs/
answered Nov 26 '14 at 12:49
Maren AbatielosMaren Abatielos
1
answered Nov 26 '14 at 12:49
Maren AbatielosMaren Abatielos
1
answered Nov 26 '14 at 12:49
Maren AbatielosMaren Abatielos
1
answered Nov 26 '14 at 12:49
Maren AbatielosMaren Abatielos
1
1
add a comment |
add a comment |
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f150872%2fauthenticating-to-multiple-ldap-servers%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
1
I would advise sssd. You can configure it to use multiple LDAP directories, so if a user isn't found in one, it'll try another. This will let you migrate as slow as you want. It works for authentication (pam) and sudo.
– Patrick
Aug 19 '14 at 4:41