04-20-2017
Looking for suggestion on authentication method for UNIX/Windows
Hello,
We have mid level infrastructure of all on-premises servers. All windows servers are getting authenticated by Microsoft Active Directory Services, half Unix (Solaris+Linux) servers are getting authentication by NIS and other half by LDAP.
We have plans to migrate from NIS to LDAP, so going forward it will all LDAP and Microsoft AD.
Recently we started looking into hosting our few servers on AWS and that made us looking into different prospective.
We are not going to build new/another AD on AWS, but we will use our on-primises directory services for authentication.
Will it be a good approch to integrate LDAP with AD, so that single sign-on can be achieved ?
Or most people will prefer to keep UNIX authentication by LDAP and Windows authentication by Microsoft AD ?
Should I consider any pros or cons with either of these solutions ?
As of now, we are planning to put dashboard application on AWS with two tomcat (web servers) servers, two DB servers. But going forward, this environment will grow with further migrations.
I understand that it is not break-fix question and it is more of consulting question. People who have knowlegde of similar kind of setup, can give me some idea.
I want suggestions from you guys, what can be best possible ways to achieve our goal. I can research in details, but I am looking for high level plan.
If this is not related to correct forum, please move it to appropriate place.
Regards
5 More Discussions You Might Find Interesting
1. UNIX for Dummies Questions & Answers
Can anyone tell me a good alternative to Windows? OS that can connect to a Windows domain and use for everyday (can use with Oracle). Easy to learn. (4 Replies)
Discussion started by: genesisX
4 Replies
2. Windows & DOS: Issues & Discussions
I am not an expert in Unix at all. My knowledge of Unix is average. We have a couple of Unix servers, Solaris and Linux, which run mostly web servers, and Oracle databases. Currently users have multiple user IDs for Unix and AD applications. Is it possible to make use of the Windows Active... (2 Replies)
Discussion started by: speriya
2 Replies
3. AIX
In /etc/security/user, we can set which authentication method we use for each user. for example:
test:
admin = false
rlogin = false
SYSTEM = "NONE"
I want to test whether SYSTEM=NONE (without ") is acceptable. How can I verify it? and How can we check which... (1 Reply)
Discussion started by: quanba
1 Replies
4. Solaris
Experts,
Is there any way to know which authentication method the user used to login into the box? I mean, is possible to identify if an active user had logged using keys or password for example?
Let me clarify: we have a script that we want to allow users to execute only if they have used... (2 Replies)
Discussion started by: fmattos
2 Replies
5. IP Networking
Hi experts,
I am not sure in which forum to submit this question. If this is not the correct place then please let me know where to submit this thread.
My requirement is to invoke windows batch scripts from linux shell script. Hence, I have installed openssh in Cygwin on the windows machine.... (2 Replies)
Discussion started by: ahmedwaseem2000
2 Replies
LEARN ABOUT OPENSOLARIS
ad
ad(5) Standards, Environments, and Macros ad(5)
NAME
ad - Active Directory as a naming repository
DESCRIPTION
Solaris clients can obtain naming information from Active Directory (AD) servers.
The Solaris system must first join an AD domain and then add the ad keyword to the appropriate entries in the nsswitch.conf(4) file. The
Solaris system joins the AD domain by using the kclient(1M) utility. The AD name service only supports the naming databases for passwd and
group.
Windows users are not able to log in. The user_attr(4) database has no entries for Windows users, and the passwd(1) command does not sup-
port the synchronization of user passwords with AD.
The Solaris AD client uses auto-discovery techniques to find AD directory servers, such as domain controllers and global catalog servers.
The client also uses the LDAP v3 protocol to access naming information from AD servers. The AD server schema requires no modification
because the AD client works with native AD schema. The Solaris AD client uses the idmap(1M) service to map between Windows security identi-
fiers (SIDs) and Solaris user identifiers (UIDs) and group identifiers (GIDs). User names and group names are taken from the sAMAccountName
attribute of the AD user and group objects and then tagged with the domain where the objects reside. The domain name is separated from the
user name or group name by the @ character.
The client uses the SASL/GSSAPI/KRB5 security model. The kclient utility is used to join the client to AD. During the join operation,
kclient configures Kerberos v5 on the client. See kclient(1M).
FILES
/etc/nsswitch.conf Configuration file for the name-service switch.
/etc/nsswitch.ad Sample configuration file for the name-service switch configured with ad, dns and files.
/usr/lib/nss_ad.so.1 Name service switch module for AD.
SEE ALSO
passwd(1), svcs(1), idmap(1M), idmapd(1M), kclient(1M), svcadm(1M), svccfg(1M), svccfg(1M), nsswitch.conf(4), user_attr(4), smf(5)
SunOS 5.11 22 Oct 2008 ad(5)