Steve Shockley wrote:
I'm researching setting up a wireless gateway using OpenBSD and authpf.
We've got an existing Active Directory (2003) domain with about 5000
user accounts that I'd like to authenticate against.
LDAP seemed like the obvious choice, but it appears I need to create
local accounts to use login_ldap, and it'd be unwieldy to sync 5000
users. There's also a patch for nsswitch, but I'd rather not use a
custom build if I don't have to.
Kerberos also sounded like a good idea, but if I understand correctly,
the clients would need a Kerberized ssh client, and they'd have to be
able to access the KDC before logging in to the gateway.
Is there a better way to do this?
How about using the login_radius feature by modifying login.conf to add a
new radius profile and authenticating against a RADIUS server? You can
compile freeradius and have the rad_ldap plugin on the RADIUS server to
authenticate against AD.
Direct LDAP would have been my first choice but for time constraints.
Prabhu
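The login.conf side of the RADIUS suggestion, as an added example that is not part of the thread. It defines a login class whose password check is delegated to login_radius(8) and whose shell is forced to authpf, as authpf(8) recommends; the server name, port and secret are placeholders. Note that login_radius only verifies the password: login(1) still needs a passwd entry for the user, so this removes the password sync but not the account itself.

```conf
# /etc/login.conf  (added example; hostnames and values are placeholders)
# Gateway users: password verified by login_radius(8), shell forced to
# authpf so a successful ssh login loads that user's pf rules.
authpf:\
	:auth=radius:\
	:radius-server=radius.example.com:\
	:radius-port=1812:\
	:radius-timeout=5:\
	:radius-retries=3:\
	:welcome=/etc/authpf/authpf.message:\
	:shell=/usr/sbin/authpf:\
	:tc=default:

# /etc/raddb/servers  (mode 0600, owned by root: it holds the shared secret)
# one "server secret" pair per line; the secret below is a placeholder
radius.example.com	CHANGE-ME-shared-secret
```

After editing, rebuild the database with `cap_mkdb /etc/login.conf` and put gateway users in the class with `usermod -L authpf <user>`. On the FreeRADIUS side, authenticating against AD over LDAP means binding to AD as the user, since AD does not hand out password attributes to compare against; the RADIUS server, not the OpenBSD box, is then the only host that needs to reach the domain controllers.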