Re: Linux AD Integration with consistent UID and GID

Nico Kadel-Garcia <nkadel@gmail.com> writes:

> There are numerous published guidelines for using Winbind and LDAP
> authentication. Most of the LDAP guidelines just wave their hands at the
> authentication part. If I see *one more* stupid guideline that uses LDAP
> to store the passwords and ignores the last 30 years of password
> management by storing them in plain text in a universally available
> schema, I'm going to be very unhappy.

For authentication you almost certainly want to use just a normal, vanilla
Kerberos PAM module.  Active Directory is a perfectly functional Kerberos
KDC that you can authenticate to just like you would with any other
Kerberos KDC.  The only real question is how you get NSS data onto the
system (UIDs and GIDs), which is where nss-pam-ldapd comes in.

Yes, it has a PAM component, which is sometimes still useful in
combination with a Kerberos PAM module to do LDAP-based access control,
but you don't care about its authentication component with AD.  There's
really no reason to ever use password binds to LDAP for authentication
when something much better, like Kerberos, is available.

Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
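
The split described in the message above, written out as configuration. This is an added example, not part of the original post or of any project's shipped defaults. It assumes Debian-style file paths, pam_krb5 as the Kerberos PAM module, RFC 2307 attributes (uidNumber, gidNumber, unixHomeDirectory) populated in AD, a GSSAPI bind for nslcd, and the constructed names dc1.example.test and dc=example,dc=test.

```conf
# --- /etc/nsswitch.conf: identity (UID/GID) comes from nslcd, not from PAM
passwd: files ldap
group:  files ldap

# --- /etc/nslcd.conf: read the RFC 2307 attributes stored in AD
# (constructed values: dc1.example.test, dc=example,dc=test)
uri  ldap://dc1.example.test
base dc=example,dc=test
# Assumption: nslcd binds with its own Kerberos credentials (GSSAPI), so no
# bind password is stored on the host. The ticket cache path is an example
# and must be kept fresh by something outside nslcd.
sasl_mech   GSSAPI
krb5_ccname /var/run/nslcd/nslcd.tkt
# Only accounts that carry a uidNumber in AD become Unix users, so every
# host resolves the same UID and GID for the same account.
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
map    passwd uid           sAMAccountName
map    passwd homeDirectory unixHomeDirectory
map    passwd gecos         displayName
filter group  (&(objectClass=group)(gidNumber=*))

# --- /etc/pam.d/common-auth: passwords are checked against the AD KDC
auth    sufficient  pam_krb5.so minimum_uid=1000
auth    required    pam_unix.so try_first_pass
# Not used: this line would verify the password with an LDAP simple bind
# auth  sufficient  pam_ldap.so

# --- /etc/pam.d/common-account: optional LDAP-based access control
account required    pam_krb5.so minimum_uid=1000
account required    pam_unix.so
account required    pam_ldap.so minimum_uid=1000 ignore_unknown_user
```

With this layout `getent passwd <user>` is answered by nslcd while the password itself only ever goes to the KDC.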
