BLU Discuss list archive
[Discuss] AD/LDAP authentication
- Subject: [Discuss] AD/LDAP authentication
- From: gmongardi at napc.com (Grant NAPC)
- Date: Thu, 14 Dec 2017 07:46:46 -0500
- In-reply-to: <9f056614-28a4-c612-8657-e4b83a6b44ec@gmail.com>
- References: <9f056614-28a4-c612-8657-e4b83a6b44ec@gmail.com>
On 12/13/2017 03:20 PM, Richard Pieri wrote:
> On a completely different topic from document conversion...
>
> My employer has two Active Directory domains. I need to set up some
> Linux servers (RHEL, SUSE and Ubuntu) to use both domains for user
> authentication. Users get accounts on one or the other, never both. This
> is a mandate from Legal so the easy answer is off the table.

Is there some reason that you can't have a trust between the 2 domains? This is normally how one would implement what you're describing. Even a one-way trust should work, assuming you don't need group membership information.

> SSSD and Winbind work for binding to one domain or the other but I can't
> bind to both at the same time (Red Hat promised this in RHEL 7 but have
> yet to deliver). So I figure I can use AD for one domain and LDAP bind
> authentication for the other, or LDAP binds to each domain, but I can't
> get either working.

If there were a trust you could authenticate to the domain with users from the trusted domain. A trust is basically that: the domain that you're joined to will trust credentials from the trusted domain.

> Yes, I'm doing something wrong. No, I don't know what. And, my Google-Fu
> is only finding single AD or LDAP auth server configurations. Has anyone
> here done anything like this before? Have any references you can point
> me at?

To be fair, you haven't said exactly what you're trying to do. Is this for a web application, a system service (SMB, FTP, etc.), or simply SSH/SFTP/Desktop access? There are other options in certain cases that don't require you to join the individual machines to the domain (SAML, third-party tools), so specifics would be helpful. Also you don't mention if you have a budget for this, as it's possible you can do this with commercial integrations that would have support beyond just a bunch of folks on blu (although I'm sure we offer better support than some :-).

Grant M.
--
Grant Mongardi
Senior Systems Engineer
NAPC inc
p: 781-894-3114
a: 307 Waverley Oaks Rd. Waltham, Ma 02452
w: www.napc.com
e: gmongardi at napc.com