Prabhu Gurumurthy wrote:
> Steve Shockley wrote:
> > I'm researching setting up a wireless gateway using OpenBSD and
> > authpf. We've got an existing Active Directory (2003) domain with
> > about 5000 user accounts that I'd like to authenticate against.
> >
> > LDAP seemed like the obvious choice, but it appears I need to create
> > local accounts to use login_ldap, and it'd be unwieldy to sync 5000
> > users. There's also a patch for nsswitch, but I'd rather not use a
> > custom build if I don't have to.
> >
> > Kerberos also sounded like a good idea, but if I understand
> > correctly, the clients would need a Kerberized ssh client, and
> > they'd have to be able to access the KDC before logging in to the
> > gateway.
> >
> > Is there a better way to do this?
>
> How about using the login_radius feature: modify login.conf to add a
> new radius profile and authenticate against a RADIUS server. You can
> compile freeradius and have the rad_ldap plugin on the RADIUS server
> authenticate against AD.
>
> Direct LDAP would have been my first choice but for time constraints.
FWIW, RADIUS is built into Windows via IAS and is integrated with AD.
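To make concrete what the login_radius approach in the quoted reply actually puts on the wire, here is an added example (not from this thread, and not OpenBSD's or FreeRADIUS's code) of the RFC 2865 PAP exchange: the client side builds an Access-Request with the User-Password attribute hidden under the shared secret, a toy server unhides it, checks it against an in-memory user table that stands in for the LDAP/AD lookup a real server would do, and answers with an Access-Accept or Access-Reject whose Response Authenticator the client verifies. The shared secret, the user names and the passwords are all constructed for the example; the server is a function call rather than a UDP socket, and only PAP is shown (no CHAP or EAP).

```python
import hashlib
import hmac
import secrets
import struct

# RFC 2865 packet codes and the two attributes this example uses.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed values for the example; a real deployment has a long random
# secret in /etc/raddb/servers on the client and in the server's client list.
EXAMPLE_SECRET = b"example-shared-secret-not-for-production"
EXAMPLE_USERS = {b"sshockley": b"correct horse battery"}  # stands in for AD


def _attr(atype, value):
    """Encode one attribute as type, total length (header included), value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, req_auth):
    """Inverse of hide_password; trailing NULs are padding (NUL cannot occur in a PAP password)."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, req_auth=None):
    """Client (what login_radius does): Access-Request with a fresh random Request Authenticator."""
    req_auth = req_auth or secrets.token_bytes(16)
    attrs = _attr(ATTR_USER_NAME, username) + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def parse_attrs(data):
    """Walk the TLV list; rejects truncated or zero-length attributes. Last duplicate wins."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute length")
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def build_response(code, request, secret, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def server_handle(request, secret, users):
    """Toy RADIUS server: the dict lookup stands in for the LDAP bind against AD."""
    if len(request) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length < 20 or length > len(request):
        raise ValueError("bad header")
    attrs = parse_attrs(request[20:length])  # octets past Length are ignored per RFC
    name, hidden = attrs.get(ATTR_USER_NAME), attrs.get(ATTR_USER_PASSWORD)
    ok = False
    if name is not None and hidden is not None and len(hidden) % 16 == 0 and name in users:
        ok = hmac.compare_digest(users[name], reveal_password(hidden, secret, request[4:20]))
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)


def verify_response(response, request, secret):
    """Client side: an Access-Accept is only trusted if its Response Authenticator
    matches, so a spoofed reply from a host that does not know the secret is rejected."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def authenticate(username, password, secret=EXAMPLE_SECRET, users=EXAMPLE_USERS):
    """Full exchange; True only for a verified Access-Accept."""
    req = build_access_request(7, username, password, secret)
    resp = server_handle(req, secret, users)
    return verify_response(resp, req, secret) and resp[0] == ACCESS_ACCEPT
```

Two points worth taking from the exchange. The User-Password hiding is an MD5 stream keyed by the shared secret, so the secret's strength and the confidentiality of the client-to-server path (IPsec, or at least a dedicated segment) are what protect the AD passwords in transit; the Response Authenticator is what stops a forged Access-Accept, and the client must actually check it. Separately, BSD auth only decides whether the password is accepted: sshd and authpf still need a passwd entry (uid, login class, shell) for the user, so the account-sync question in the quoted post is not removed by switching from login_ldap to login_radius.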