One thing you can do is just use pam_krb5 to do Kerberos auth against AD (probably cross-realm with unix host principals in an MIT server and user princs in AD).
That will handle authentication and give you something like single sign-on and leverage AD for password rotation, etc. Then you can manage /etc/passwd via any number of possible options including chef/puppet/cfengine for unix NSS information and authorization -- or continue to use LDAP.

On Tue, 15 Feb 2011, Matt Lawrence wrote:

> On Tue, 15 Feb 2011, Ari Constancio wrote:
>
>> We're about to introduce Active Directory in an environment based on
>> LDAP (OpenLDAP) for accounts. Password synchronization should be
>> bidirectional if possible.
>> I'd like to hear any advice on how folks are integrating AD and LDAP servers.
>
> We are using Likewise for that functionality. It works fairly well, not
> perfect, but a lot easier than managing all the accounts. It also allows
> the Unix admins to toss many account issues over the wall to the Windows
> group.
>
> -- Matt
> It's not what I know that counts.
> It's what I can remember in time to use.
> _______________________________________________
> Tech mailing list
> [email protected]
> https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
> This list provided by the League of Professional System Administrators
> http://lopsa.org/
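The cross-realm layout suggested in the reply above, sketched as a client `/etc/krb5.conf`; this is an added example, not part of the original thread. The realm names, hostnames and UID threshold are placeholders, and it assumes a one-way trust in which the MIT realm holding the host principals accepts tickets issued by the AD realm.

```ini
# /etc/krb5.conf on a unix client (added example; all names are placeholders)

[libdefaults]
    # Users type a bare username; it is resolved in the AD realm.
    default_realm = AD.EXAMPLE.COM
    dns_lookup_kdc = false
    dns_lookup_realm = false

[realms]
    # User principals and passwords live in Active Directory.
    AD.EXAMPLE.COM = {
        kdc = dc1.ad.example.com
        kdc = dc2.ad.example.com
    }
    # host/<fqdn> principals for the unix machines live in the MIT KDC.
    UNIX.EXAMPLE.COM = {
        kdc = kdc1.unix.example.com
        admin_server = kdc1.unix.example.com
    }

[domain_realm]
    # Service tickets for unix hosts are requested from the MIT realm.
    .unix.example.com = UNIX.EXAMPLE.COM
    .ad.example.com = AD.EXAMPLE.COM

[capaths]
    # Direct trust: AD users reach UNIX services with no intermediate realm.
    # Requires krbtgt/UNIX.EXAMPLE.COM@AD.EXAMPLE.COM to exist on both KDCs
    # with the same key.
    AD.EXAMPLE.COM = {
        UNIX.EXAMPLE.COM = .
    }

[appdefaults]
    pam = {
        # Leave root and system accounts to local authentication.
        minimum_uid = 1000
        forwardable = true
    }

# The host keytab (/etc/krb5.keytab) must hold
# host/<fqdn>@UNIX.EXAMPLE.COM. pam_krb5 uses it to verify that the TGT
# came from a KDC that knows the host key, which is what stops a spoofed
# KDC from approving a login.
#
# Matching PAM line (file name varies by distribution):
#   auth  sufficient  pam_krb5.so
```

With this in place the unix side stores no passwords: account entries in /etc/passwd (or LDAP) supply only NSS data, and a login succeeds only if AD issues the TGT and the cross-realm service ticket validates against the local keytab.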
