[rhn-users] Linux and Active Directory Microsoft.

Jon Etkins Jetkins at austinlogistics.com
Wed Dec 14 17:15:24 UTC 2005


Use Kerberos instead of LDAP for authentication.  Works like a charm here,
allowing folks to log in to our RedHat boxes with their AD credentials, and
it doesn't need SFU or any shared keys stored on the clients.  (Note, we
don't use AD for authorization, just authentication - if you need both,
you'll still need to use LDAP for authorization.  There's a HOWTO at
http://www.ofb.net/~jheiss/krbldap/howto.html)

Jon Etkins
IT Administration & Support
Austin Logistics, Inc
ph:  (512) 651-5641
fax: (512) 329-5625



rhn-users-bounces at redhat.com wrote on 12/14/2005 10:26:56 AM:

>    Hi all, I am trying to activate linux user
> authentication with Microsoft Active Directory. This
> is because we have a big domain (10 Domain Servers)
> and we would like to realize a single sign on
> architecture (30 Linux RedHat AS 3.0 servers).
>    I downloaded and read tons of documentation: I
> created a Windows 2003 Domain Controller, Installed
> Microsoft Services for Unix (SFU), configured users
> and ldap.conf. At the moment I can authenticate users on
> linux using the same password (Microsoft
> domain/Linux).
>    To do that in ldap.conf I must insert in clear text
> the bind user and his password. This is not good for
> security even if I gave a low profile (can only list
> users contained in ldap server AD).
>    The problem is that I cannot hide ldap.conf to
> linux users (r--,r--,r--) and by listing the attribute
> password hash msSFU30Password I think that everyone
> could crack password using Jack The Ripper for
> example.
>    So, is there anyone who realized this architecture
> and who could help me ?
>
>    I would be very grateful.
>
>    Thanks.
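
A minimal sketch of the setup the reply describes, next to the ldap.conf arrangement from the quoted question. This is an added example, not configuration from the original post: the realm `EXAMPLE.COM`, the host names and the bind DN are placeholders, and the PAM lines assume the stock Red Hat `pam_krb5` and `pam_unix` modules with user accounts still defined locally, since AD is used here for authentication only.

```conf
# --- Before: /etc/ldap.conf as described in the quoted question ---
# World-readable file holding the bind account's password in clear text.
# All values below are placeholders.
#   host   dc1.example.com
#   base   dc=example,dc=com
#   binddn cn=ldapbind,cn=Users,dc=example,dc=com
#   bindpw <cleartext-password>

# --- After: /etc/krb5.conf ---
# No bind account and no password on the client. The user's own password is
# checked by requesting a ticket from a domain controller acting as KDC.
# Client clocks must stay within the Kerberos skew limit of the DCs
# (5 minutes by default), so keep NTP running.
# Note: krb5.conf comments must sit on their own lines.
[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_kdc = true

[realms]
 EXAMPLE.COM = {
  kdc = dc1.example.com:88
  kdc = dc2.example.com:88
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

# --- After: /etc/pam.d/system-auth (auth and account lines only) ---
# pam_unix is tried first so local accounts such as root keep working.
# pam_krb5 then reuses the typed password (use_first_pass) against AD.
# The account must already exist in /etc/passwd for the login to succeed.
auth     required    pam_env.so
auth     sufficient  pam_unix.so likeauth nullok
auth     sufficient  pam_krb5.so use_first_pass
auth     required    pam_deny.so
account  required    pam_unix.so
```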

