[Discuss] AD/LDAP authentication
Grant NAPC
gmongardi at napc.com
Thu Dec 14 07:46:46 EST 2017
On 12/13/2017 03:20 PM, Richard Pieri wrote:
> On a completely different topic from document conversion...
>
> My employer has two Active Directory domains. I need to set up some
> Linux servers (RHEL, SUSE and Ubuntu) to use both domains for user
> authentication. Users get accounts on one or the other, never both. This
> is a mandate from Legal so the easy answer is off the table.
Is there some reason that you can't have a trust between the 2 domains?
This is normally how one would implement what you're describing. Even a
one-way trust should work, assuming you don't need group membership
information.
> SSSD and Winbind work for binding to one domain or the other but I can't
> bind to both at the same time (Red Hat promised this in RHEL 7 but have
> yet to deliver). So I figure I can use AD for one domain and LDAP bind
> authentication for the other, or LDAP binds to each domain, but I can't
> get either working.
If there were a trust you could authenticate to the domain with users
from the trusted domain. A trust is basically that, the domain that
you're joined to will trust credentials from the trusted domain.
> Yes, I'm doing something wrong. No, I don't know what. And, my Google-Fu
> is only finding single AD or LDAP auth server configurations. Has anyone
> here done anything like this before? Have any references you can point
> me at?
To be fair, you haven't said exactly what you're trying to do. Is this
for a web application, a system service (SMB, FTP, etc.), or simply
SSH/SFTP/Desktop access? There are other options in certain cases that
don't require you to join the individual machines to the domain (SAML,
third-party tools), so specifics would be helpful. Also you don't
mention if you have a budget for this, as it's possible you can do this
with commercial integrations that would have support beyond just a bunch
of folks on blu (although I'm sure we offer better support than some :-).
Grant M.
--
Grant Mongardi
*Senior Systems Engineer*
*NAPC inc*
p: 781-894-3114
a: 307 Waverley Oaks Rd. Waltham, Ma 02452
w: www.napc.com e: gmongardi at napc.com
<https://facebook.com/napcgroup> <https://twitter.com/NAPCgroup>
<https://www.linkedin.com/company/205941/>
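As an added illustration (not from this thread or either poster) of the "AD for one domain, LDAP bind for the other" split Richard describes, here is a single sssd.conf carrying both domains side by side; SSSD accepts several entries in `domains =`. Domain names, the DC hostname, the CA file, the bind account and the group are placeholders.

```ini
# /etc/sssd/sssd.conf  (mode 0600, owned by root; placeholder names throughout)
[sssd]
config_file_version = 2
services = nss, pam
# Two independent back ends, one joined via AD, one via plain LDAP
domains = corp.example, partner.example

[domain/corp.example]
# Domain the host is actually joined to (realm join / adcli): Kerberos auth
id_provider = ad
auth_provider = ad
access_provider = ad
ad_domain = corp.example
krb5_realm = CORP.EXAMPLE
ldap_id_mapping = True
# Force user@domain logins so same-named accounts in the two forests cannot collide
use_fully_qualified_names = True
cache_credentials = False
enumerate = False

[domain/partner.example]
# Second domain, not joined: LDAP over TLS with a read-only lookup account;
# auth_provider = ldap makes PAM do a simple bind as the user, inside TLS only
id_provider = ldap
auth_provider = ldap
ldap_schema = ad
ldap_uri = ldaps://dc1.partner.example
ldap_search_base = DC=partner,DC=example
# Refuse to talk to a DC whose certificate does not chain to the expected CA
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/partner-ca.pem
ldap_default_bind_dn = CN=svc-sssd-ro,OU=Service Accounts,DC=partner,DC=example
# Store the lookup account's password obfuscated (generate with sss_obfuscate)
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = PLACEHOLDER_OBFUSCATED_PASSWORD
ldap_id_mapping = True
ldap_referrals = False
use_fully_qualified_names = True
cache_credentials = False
enumerate = False
# Admit only one AD group rather than every account in that forest
access_provider = simple
simple_allow_groups = linux-admins@partner.example
```

After restarting sssd, `getent passwd someuser@partner.example` and `getent passwd someuser@corp.example` should each resolve through their own back end; a failed TLS chain on the partner side shows up in `/var/log/sssd/sssd_partner.example.log` rather than as a silent fallback.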