Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Looking for suggestion on authentication method for UNIX/Windows
Special Forums Cybersecurity Looking for suggestion on authentication method for UNIX/Windows Post 302996175 by solaris_1977 on Thursday 20th of April 2017 09:19:35 PM
Old 04-20-2017
Looking for suggestion on authentication method for UNIX/Windows
Hello,

We have mid level infrastructure of all on-premises servers. All windows servers are getting authenticated by Microsoft Active Directory Services, half Unix (Solaris+Linux) servers are getting authentication by NIS and other half by LDAP.

We have plans to migrate from NIS to LDAP, so going forward it will all LDAP and Microsoft AD.
Recently we started looking into hosting our few servers on AWS and that made us looking into different prospective.

We are not going to build new/another AD on AWS, but we will use our on-primises directory services for authentication.
Will it be a good approch to integrate LDAP with AD, so that single sign-on can be achieved ?
Or most people will prefer to keep UNIX authentication by LDAP and Windows authentication by Microsoft AD ?
Should I consider any pros or cons with either of these solutions ?
As of now, we are planning to put dashboard application on AWS with two tomcat (web servers) servers, two DB servers. But going forward, this environment will grow with further migrations.

I understand that it is not break-fix question and it is more of consulting question. People who have knowlegde of similar kind of setup, can give me some idea.

I want suggestions from you guys, what can be best possible ways to achieve our goal. I can research in details, but I am looking for high level plan.

If this is not related to correct forum, please move it to appropriate place.

Regards
 

5 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

Suggestion: Alternative OS for Windows - Totally Clueless on Unix/Linux OS

Can anyone tell me a good alternative to Windows? OS that can connect to a Windows domain and use for everyday (can use with Oracle). Easy to learn. (4 Replies)
Discussion started by: genesisX
4 Replies

2. Windows & DOS: Issues & Discussions

Windows AD for Unix authentication

I am not an expert in Unix at all. My knowledge of Unix is average. We have a couple of Unix servers, Solaris and Linux, which run mostly web servers, and Oracle databases. Currently users have multiple user IDs for Unix and AD applications. Is it possible to make use of the Windows Active... (2 Replies)
Discussion started by: speriya
2 Replies

3. AIX

AIX: How to check which authentication method we are using for a user?

In /etc/security/user, we can set which authentication method we use for each user. for example: test: admin = false rlogin = false SYSTEM = "NONE" I want to test whether SYSTEM=NONE (without ") is acceptable. How can I verify it? and How can we check which... (1 Reply)
Discussion started by: quanba
1 Replies

4. Solaris

Identify which authentication method was used at logon

Experts, Is there any way to know which authentication method the user used to login into the box? I mean, is possible to identify if an active user had logged using keys or password for example? Let me clarify: we have a script that we want to allow users to execute only if they have used... (2 Replies)
Discussion started by: fmattos
2 Replies

5. IP Networking

Cygwin remote ssh with key authentication method

Hi experts, I am not sure in which forum to submit this question. If this is not the correct place then please let me know where to submit this thread. My requirement is to invoke windows batch scripts from linux shell script. Hence, I have installed openssh in Cygwin on the windows machine.... (2 Replies)
Discussion started by: ahmedwaseem2000
2 Replies

LEARN ABOUT CENTOS

idmap_rfc2307

IDMAP_RFC2307(8)					    System Administration tools 					  IDMAP_RFC2307(8)

NAME

       idmap_rfc2307 - Samba's idmap_rfc2307 Backend for Winbind

DESCRIPTION

       The idmap_rfc2307 plugin provides a way for winbind to read id mappings from records in an LDAP server as defined in RFC 2307. The LDAP
       server can be stand-alone or the LDAP server provided by the AD server. An AD server is always required to provide the mapping between name
       and SID, and the LDAP server is queried for the mapping between name and uid/gid. This module implements only the "idmap" API, and is
       READONLY.

       Mappings must be provided in advance by the administrator by creating the user accounts in the Active Directory server and the posixAccount
       and posixGroup objects in the LDAP server. The names in the Active Directory server and in the LDAP server have to be the same.

       This id mapping approach allows the reuse of existing LDAP authentication servers that store records in the RFC 2307 format.

IDMAP OPTIONS

       range = low - high
	   Defines the available matching UID and GID range for which the backend is authoritative. Note that the range acts as a filter. If
	   specified any UID or GID stored in AD that fall outside the range is ignored and the corresponding map is discarded. It is intended as
	   a way to avoid accidental UID/GID overlaps between local and remotely defined IDs.

       ldap_server = <ad | stand-alone >
	   Defines the type of LDAP server to use. This can either be the LDAP server provided by the Active Directory server (ad) or a
	   stand-alone LDAP server.

       bind_path_user
	   Specifies the bind path where user objects can be found in the LDAP server.

       bind_path_group
	   Specifies the bind path where group objects can be found in the LDAP server.

       user_cn = <yes | no>
	   Query cn attribute instead of uid attribute for the user name in LDAP. This option is not required, the default is no.

       cn_realm = <yes | no>
	   Append @realm to cn for groups (and users if user_cn is set) in LDAP. This option is not required, the default is no.

       ldap_domain
	   When using the LDAP server in the Active Directory server, this allows to specify the domain where to access the Active Directory
	   server. This allows using trust relationships while keeping all RFC 2307 records in one place. This parameter is optional, the default
	   is to access the AD server in the current domain to query LDAP records.

       ldap_url
	   When using a stand-alone LDAP server, this parameter specifies the ldap URL for accessing the LDAP server.

       ldap_user_dn
	   Defines the user DN to be used for authentication. The secret for authenticating this user should be stored with net idmap secret (see
	   net(8)). If absent, an anonymous bind will be performed.

       ldap_realm
	   Defines the realm to use in the user and group names. This is only required when using cn_realm together with a stand-alone ldap
	   server.

EXAMPLES

       The following example shows how to retrieve id mappings from a stand-alone LDAP server. This example also shows how to leave a small non
       conflicting range for local id allocation that may be used in internal backends like BUILTIN.

		[global]
		idmap config * : backend = tdb
		idmap config * : range = 1000000-1999999

		idmap config DOMAIN : backend = rfc2307
		idmap config DOMAIN : range = 2000000-2999999
		idmap config DOMAIN : ldap_server = stand-alone
		idmap config DOMAIN : ldap_url = ldap://ldap1.example.com
		idmap config DOMAIN : ldap_user_dn = cn=ldapmanager,dc=example,dc=com
		idmap config DOMAIN : bind_path_user = ou=People,dc=example,dc=com
		idmap config DOMAIN : bind_path_group = ou=Group,dc=example,dc=com

AUTHOR

       The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open
       Source project similar to the way the Linux kernel is developed.

Samba 4.0							    06/17/2014							  IDMAP_RFC2307(8)
All times are GMT -4. The time now is 12:59 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy