[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Linux AD Integration with consistent UID and GID

Hash: SHA1


I have some chicken scratches on consistent UID/GID mapping with
idmap_hash,  which takes the Windows SID (Security ID) and makes a
Linux readable hash.  This works if your AD people have not/will
not/messed up implementation the schema extensions for UID/GID.

Check it out to see if it works for you:



On 08/29/2012 07:49 PM, Russ Allbery wrote:
> Nico Kadel-Garcia <nkadel@gmail.com> writes:
>> There are numerous published guidelines for using Winbind and
>> LDAP authentication. Most of the LDAP guidelines just wave their
>> hands at the authentication part. If I see *one more* stupid
>> guideline that uses LDAP to store the passwords and ignores the
>> last 30 years of password management by storing them in plain
>> text in a universally available schema, I'm going to be very
>> unhappy.
> For authentication you almost certainly want to use just a normal,
> vanilla Kerberos PAM module.  Active Directory is a perfectly
> functional Kerberos KDC that you can authenticate to just like you
> would with any other Kerberos KDC.  The only real question is how
> you get NSS data onto the system (UIDs and GIDs), which is where
> nss-pam-ldapd comes in.
> Yes, it has a PAM component, which is sometimes still useful in 
> combination with a Kerberos PAM module to do LDAP-based access
> control, but you don't care about its authentication component with
> AD.  There's really no reason to ever use password binds to LDAP
> for authentication when something much better, like Kerberos, is
> available.

- -- 

Robert Freeman-Day

GPG Public Key:
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/


Reply to: