Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month, online, via Jitsi Meet.

BLU Discuss list archive


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] AD/LDAP authentication



On 12/13/2017 03:20 PM, Richard Pieri wrote:
> On a completely different topic from document conversion...
> 
> My employer has two Active Directory domains. I need to set up some
> Linux servers (RHEL, SUSE and Ubuntu) to use both domains for user
> authentication. Users get accounts on one or the other, never both. This
> is a mandate from Legal so the easy answer is off the table.

Is there some reason that you can't have a trust between the 2 domains? 
This is normally how one would implement what you're describing. Even a 
one-way trust should work, assuming you don't need group membership 
information.

> SSSD and Winbind work for binding to one domain or the other but I can't
> bind to both at the same time (Red Hat promised this in RHEL 7 but have
> yet to deliver). So I figure I can use AD for one domain and LDAP bind
> authentication for the other, or LDAP binds to each domain, but I can't
> either working.

If there were a trust you could authenticate to the domain with users 
from the trusted domain. A trust is basically that, the domain that 
you're joined to will trust credentials from the trusted domain.

> Yes, I'm doing something wrong. No, I don't know what. And, my Google-Fu
> is only finding single AD or LDAP auth server configurations. Has anyone
> here done anything like this before? Have any references you can point
> me at?

To be fair, you haven't said exactly what you're trying to do. Is this 
for a web application, a system service (SMB, FTP, etc.), or simply 
SSH/SFTP/Desktop access? There are other options in certain cases that 
don't require you to join the individual machines to the domain (SAML, 
third-party tools), so specifics would be helpful. Also you don't 
mention if you have a budget for this, as it's possible you can do this 
with commercial integrations that would have support beyond just a bunch 
of folks on blu (although I'm sure we offer better support than some :-).

Grant M.
-- 

Grant Mongardi
*Senior Systems Engineer*
*NAPC inc*
p: 781-894-3114
a: 307 Waverley Oaks Rd. Waltham, Ma 02452
w: www.napc.com  e: gmongardi at napc.com
<https://facebook.com/napcgroup>   <https://twitter.com/NAPCgroup>
<https://www.linkedin.com/company/205941/>



BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!



Boston Linux & Unix / webmaster@blu.org