Looking for suggestion on authentication method for UNIX/Windows
We have mid level infrastructure of all on-premises servers. All windows servers are getting authenticated by Microsoft Active Directory Services, half Unix (Solaris+Linux) servers are getting authentication by NIS and other half by LDAP.
We have plans to migrate from NIS to LDAP, so going forward it will all LDAP and Microsoft AD.
Recently we started looking into hosting our few servers on AWS and that made us looking into different prospective.
We are not going to build new/another AD on AWS, but we will use our on-primises directory services for authentication.
Will it be a good approch to integrate LDAP with AD, so that single sign-on can be achieved ?
Or most people will prefer to keep UNIX authentication by LDAP and Windows authentication by Microsoft AD ?
Should I consider any pros or cons with either of these solutions ?
As of now, we are planning to put dashboard application on AWS with two tomcat (web servers) servers, two DB servers. But going forward, this environment will grow with further migrations.
I understand that it is not break-fix question and it is more of consulting question. People who have knowlegde of similar kind of setup, can give me some idea.
I want suggestions from you guys, what can be best possible ways to achieve our goal. I can research in details, but I am looking for high level plan.
If this is not related to correct forum, please move it to appropriate place.
AD is essentially LDAP + Kerberos, so in itself there is nothing wrong with using AD, but it uses a proprietary schema. In order for it to be truly useful for unix/linux hosts, if you need anything more than just authentication, it would be best to import the rfc2307/rfc2307bis schema into AD. So AD can be used as LDAP for Unix/Linux hosts.
An alternative is to have two directories (AD and a separate LDAP) with some kind of sync mechanism...
Then there is the client side. With Single Signon, do you mean that you need to authenticate once and then use a ticket further on. Then you need to use (AD) Kerberos / gssapi. Some linux clients in addition can also do SSO without gssapi through sssd (also against AD), but Solaris cannot. If you mean with SSO that the password is the same for all platforms, then an alternative would be to use TLS/LDAP on Unix/Linux clients.
It all really depends on your situation..
Last edited by Scrutinizer; 04-21-2017 at 04:58 AM..
This User Gave Thanks to Scrutinizer For This Post:
I am not sure in which forum to submit this question. If this is not the correct place then please let me know where to submit this thread.
My requirement is to invoke windows batch scripts from linux shell script. Hence, I have installed openssh in Cygwin on the windows machine.... (2 Replies)
Is there any way to know which authentication method the user used to login into the box? I mean, is possible to identify if an active user had logged using keys or password for example?
Let me clarify: we have a script that we want to allow users to execute only if they have used... (2 Replies)
In /etc/security/user, we can set which authentication method we use for each user. for example:
admin = false
rlogin = false
SYSTEM = "NONE"
I want to test whether SYSTEM=NONE (without ") is acceptable. How can I verify it? and How can we check which... (1 Reply)
I am not an expert in Unix at all. My knowledge of Unix is average. We have a couple of Unix servers, Solaris and Linux, which run mostly web servers, and Oracle databases. Currently users have multiple user IDs for Unix and AD applications. Is it possible to make use of the Windows Active... (2 Replies)