Authenticating To Multiple LDAP Servers












0















Owing to a corporate strategy I am moving human user authentication from an implementation of LDAP locally to a centralized Active Directory domain. The problem is that we have a tightly constrained sudoers setup within LDAP. Our Windows admins are unable to mirror this setup without considerable work and possibly not even completely if the time is devoted. An idea that was posed was this:



Authenticate to Active Directory but maintain sudoers management within our existing LDAP infrastructure.



The question then is it possible to either authenticate using an alternate method/server for AD so I can have LDAP for sudoers and something alternative for passwd in /etc/nsswitch.conf?



Due to scale, maintaining local /etc/sudoers files for each guest would be administratively prohibitive and a step back in terms of architecture and scalability.






authentication ldap sles







share|improve this question




















  • 1





    I would advise sssd. You can configure it to use multiple LDAP directories, so if a user isn't found in one, it'll try another. This will let you migrate as slow as you want. It works for authentication (pam) and sudo.

    – Patrick
    Aug 19 '14 at 4:41
















0















Owing to a corporate strategy I am moving human user authentication from an implementation of LDAP locally to a centralized Active Directory domain. The problem is that we have a tightly constrained sudoers setup within LDAP. Our Windows admins are unable to mirror this setup without considerable work and possibly not even completely if the time is devoted. An idea that was posed was this:



Authenticate to Active Directory but maintain sudoers management within our existing LDAP infrastructure.



The question then is it possible to either authenticate using an alternate method/server for AD so I can have LDAP for sudoers and something alternative for passwd in /etc/nsswitch.conf?



Due to scale, maintaining local /etc/sudoers files for each guest would be administratively prohibitive and a step back in terms of architecture and scalability.






authentication ldap sles







share|improve this question




















  • 1





    I would advise sssd. You can configure it to use multiple LDAP directories, so if a user isn't found in one, it'll try another. This will let you migrate as slow as you want. It works for authentication (pam) and sudo.

    – Patrick
    Aug 19 '14 at 4:41














0












0








0








Owing to a corporate strategy I am moving human user authentication from an implementation of LDAP locally to a centralized Active Directory domain. The problem is that we have a tightly constrained sudoers setup within LDAP. Our Windows admins are unable to mirror this setup without considerable work and possibly not even completely if the time is devoted. An idea that was posed was this:



Authenticate to Active Directory but maintain sudoers management within our existing LDAP infrastructure.



The question then is it possible to either authenticate using an alternate method/server for AD so I can have LDAP for sudoers and something alternative for passwd in /etc/nsswitch.conf?



Due to scale, maintaining local /etc/sudoers files for each guest would be administratively prohibitive and a step back in terms of architecture and scalability.






authentication ldap sles







share|improve this question
















Owing to a corporate strategy I am moving human user authentication from an implementation of LDAP locally to a centralized Active Directory domain. The problem is that we have a tightly constrained sudoers setup within LDAP. Our Windows admins are unable to mirror this setup without considerable work and possibly not even completely if the time is devoted. An idea that was posed was this:



Authenticate to Active Directory but maintain sudoers management within our existing LDAP infrastructure.



The question then is it possible to either authenticate using an alternate method/server for AD so I can have LDAP for sudoers and something alternative for passwd in /etc/nsswitch.conf?



Due to scale, maintaining local /etc/sudoers files for each guest would be administratively prohibitive and a step back in terms of architecture and scalability.






authentication ldap sles




authentication ldap sles






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Aug 18 '14 at 22:56









Braiam

23.2k1976139




23.2k1976139










asked Aug 18 '14 at 22:47









G3zVMG3zVM

12




12








  • 1





    I would advise sssd. You can configure it to use multiple LDAP directories, so if a user isn't found in one, it'll try another. This will let you migrate as slow as you want. It works for authentication (pam) and sudo.

    – Patrick
    Aug 19 '14 at 4:41














  • 1





    I would advise sssd. You can configure it to use multiple LDAP directories, so if a user isn't found in one, it'll try another. This will let you migrate as slow as you want. It works for authentication (pam) and sudo.

    – Patrick
    Aug 19 '14 at 4:41








1




1





I would advise sssd. You can configure it to use multiple LDAP directories, so if a user isn't found in one, it'll try another. This will let you migrate as slow as you want. It works for authentication (pam) and sudo.

– Patrick
Aug 19 '14 at 4:41





I would advise sssd. You can configure it to use multiple LDAP directories, so if a user isn't found in one, it'll try another. This will let you migrate as slow as you want. It works for authentication (pam) and sudo.

– Patrick
Aug 19 '14 at 4:41










1 Answer
1






active

oldest

votes


















0














I can recommend a solution by using Univention Corporate Server (UCS). It is a Debian-based Linux enterprise distribution that integrates an Actice Directory compatible domain using Samba 4. So this could become the centralized Active Directory you are speaking of.



As to the LDAP issue, UCS also includes OpenLDAP. This means, you can integrate your existing Linux/Unix systems using the OpenLDAP of UCS and your windows clients/servers using the Samba 4 Active Directory.



Concerning the sudoers, there's a cool solution for sudo available that makes sudo configurable via the web-based Univention Management Console:
http://wiki.univention.de/index.php?title=Cool_Solution_-_Setup_sudo_with_ldap_on_multiserver_environments



Or as another alternative, if you want to keep your existing Microsoft AD as the main directory, you can achieve automatic synchronization of users, groups and optionally password-hashes between this and the OpenLDAP directory of UCS via the in UCS integrated tool Active Directory Connection. This tool is available via the Univention App Center, which is also part of UCS by default.



Further information on UCS can be found within the a.m. wiki and at:
https://www.univention.com/products/ucs/






share|improve this answer























    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "106"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f150872%2fauthenticating-to-multiple-ldap-servers%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    0














    I can recommend a solution by using Univention Corporate Server (UCS). It is a Debian-based Linux enterprise distribution that integrates an Actice Directory compatible domain using Samba 4. So this could become the centralized Active Directory you are speaking of.



    As to the LDAP issue, UCS also includes OpenLDAP. This means, you can integrate your existing Linux/Unix systems using the OpenLDAP of UCS and your windows clients/servers using the Samba 4 Active Directory.



    Concerning the sudoers, there's a cool solution for sudo available that makes sudo configurable via the web-based Univention Management Console:
    http://wiki.univention.de/index.php?title=Cool_Solution_-_Setup_sudo_with_ldap_on_multiserver_environments



    Or as another alternative, if you want to keep your existing Microsoft AD as the main directory, you can achieve automatic synchronization of users, groups and optionally password-hashes between this and the OpenLDAP directory of UCS via the in UCS integrated tool Active Directory Connection. This tool is available via the Univention App Center, which is also part of UCS by default.



    Further information on UCS can be found within the a.m. wiki and at:
    https://www.univention.com/products/ucs/






    share|improve this answer




























      0














      I can recommend a solution by using Univention Corporate Server (UCS). It is a Debian-based Linux enterprise distribution that integrates an Actice Directory compatible domain using Samba 4. So this could become the centralized Active Directory you are speaking of.



      As to the LDAP issue, UCS also includes OpenLDAP. This means, you can integrate your existing Linux/Unix systems using the OpenLDAP of UCS and your windows clients/servers using the Samba 4 Active Directory.



      Concerning the sudoers, there's a cool solution for sudo available that makes sudo configurable via the web-based Univention Management Console:
      http://wiki.univention.de/index.php?title=Cool_Solution_-_Setup_sudo_with_ldap_on_multiserver_environments



      Or as another alternative, if you want to keep your existing Microsoft AD as the main directory, you can achieve automatic synchronization of users, groups and optionally password-hashes between this and the OpenLDAP directory of UCS via the in UCS integrated tool Active Directory Connection. This tool is available via the Univention App Center, which is also part of UCS by default.



      Further information on UCS can be found within the a.m. wiki and at:
      https://www.univention.com/products/ucs/






      share|improve this answer


























        0












        0








        0







        I can recommend a solution by using Univention Corporate Server (UCS). It is a Debian-based Linux enterprise distribution that integrates an Actice Directory compatible domain using Samba 4. So this could become the centralized Active Directory you are speaking of.



        As to the LDAP issue, UCS also includes OpenLDAP. This means, you can integrate your existing Linux/Unix systems using the OpenLDAP of UCS and your windows clients/servers using the Samba 4 Active Directory.



        Concerning the sudoers, there's a cool solution for sudo available that makes sudo configurable via the web-based Univention Management Console:
        http://wiki.univention.de/index.php?title=Cool_Solution_-_Setup_sudo_with_ldap_on_multiserver_environments



        Or as another alternative, if you want to keep your existing Microsoft AD as the main directory, you can achieve automatic synchronization of users, groups and optionally password-hashes between this and the OpenLDAP directory of UCS via the in UCS integrated tool Active Directory Connection. This tool is available via the Univention App Center, which is also part of UCS by default.



        Further information on UCS can be found within the a.m. wiki and at:
        https://www.univention.com/products/ucs/






        share|improve this answer













        I can recommend a solution by using Univention Corporate Server (UCS). It is a Debian-based Linux enterprise distribution that integrates an Actice Directory compatible domain using Samba 4. So this could become the centralized Active Directory you are speaking of.



        As to the LDAP issue, UCS also includes OpenLDAP. This means, you can integrate your existing Linux/Unix systems using the OpenLDAP of UCS and your windows clients/servers using the Samba 4 Active Directory.



        Concerning the sudoers, there's a cool solution for sudo available that makes sudo configurable via the web-based Univention Management Console:
        http://wiki.univention.de/index.php?title=Cool_Solution_-_Setup_sudo_with_ldap_on_multiserver_environments



        Or as another alternative, if you want to keep your existing Microsoft AD as the main directory, you can achieve automatic synchronization of users, groups and optionally password-hashes between this and the OpenLDAP directory of UCS via the in UCS integrated tool Active Directory Connection. This tool is available via the Univention App Center, which is also part of UCS by default.



        Further information on UCS can be found within the a.m. wiki and at:
        https://www.univention.com/products/ucs/







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Nov 26 '14 at 12:49









        Maren AbatielosMaren Abatielos

        1




        1






























            draft saved

            draft discarded




















































            Thanks for contributing an answer to Unix & Linux Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f150872%2fauthenticating-to-multiple-ldap-servers%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            -

            Popular posts from this blog

            Morgemoulin

            Image
            Morgemoulin — miejscowość i gmina — Państwo   Francja Region Grand Est Departament Moza Okręg Verdun Kod INSEE 55357 Powierzchnia 6,82 km² Populacja  (1990) • liczba ludności 75 • gęstość 11 os./km² Kod pocztowy 55400 Położenie na mapie Francji Morgemoulin 49°14′N   5°35′E / 49,233333   5,583333 Portal Francja Morgemoulin – miejscowość i gmina we Francji, w regionie Grand Est, w departamencie Moza. Według danych na rok 1990 gminę zamieszkiwało 75 osób, a gęstość zaludnienia wynosiła 11 osób/km² (wśród 2335 gmin Lotaryngii Morgemoulin plasuje się na 970. miejscu pod względem liczby ludności, natomiast pod względem powierzchni na miejscu 848.). Bibliografia | Francuski urząd statystyczny ( fr. ) . p   •   d   •   e Gminy okręgu Verdun Abaucourt-Hautecourt • Aincreville • Ambly-sur-Meuse • Amel-sur-l'Étang • Ancemont • Arrancy-sur-Crusne • Aubréville • Autré
            Read more

            Scott Moir

            Image
            Scott Moir Tessa Virtue i Scott Moir w 2016 r. Reprezentacja   Kanada Data i miejsce urodzenia 2 września 1987 London Wzrost 180 cm Konkurencja Pary taneczne Partner sportowy Tessa Virtue Trener Marie-France Dubreuil, Patrice Lauzon, Romain Haguenauer Poprzednio: Marina Zujewa, Oleg Epstein, Igor Szpilband, Johnny Johns, Carol Moir, Paul MacIntosh, Suzanne Killing Klub Montreal International School of Skating Poprzednio: Arctic Edge FSC Ilderton Skating Club Lokalizacja treningowa Montreal Poprzednio: Canton Kitchener Rekordy życiowe ISU przed sezonem 2018/2019 Nota łączna 206,07 Igrzyska Olimpijskie 2018 Taniec krótki 83,67 Igrzyska Olimpijskie 2018 Taniec dowolny 122,40 Igrzyska Olimpijskie 2018 Dorobek medalowy Reprezentacja   Kanada Igrzyska olimpijskie Złoto Vancouver 2010 pary taneczne Złoto Pjongczang 2018 pary taneczne Złoto Pjongczang 2018 drużynowo Srebro S
            Read more

            Souastre

            Image
            Souastre — miejscowość i gmina — Herb Państwo   Francja Region Hauts-de-France Departament Pas-de-Calais Okręg Arras Kod INSEE 62800 Powierzchnia 7,18 km² Populacja  (1990) • liczba ludności 352 • gęstość 49 os./km² Kod pocztowy 62111 Położenie na mapie Francji Souastre 50°09′N   2°34′E / 50,150000   2,566667 Portal Francja Souastre – miejscowość i gmina we Francji, w regionie Hauts-de-France, w departamencie Pas-de-Calais. Według danych na rok 1990 gminę zamieszkiwały 352 osoby, a gęstość zaludnienia wynosiła 49 osób/km² (wśród 1549 gmin regionu Nord-Pas-de-Calais Souastre plasuje się na 887. miejscu pod względem liczby ludności, natomiast pod względem powierzchni na miejscu 507.). Bibliografia | Francuski urząd statystyczny ( fr. ) . p   •   d   •   e Gminy okręgu Arras Ablain-Saint-Nazaire Ablainzevelle Acheville Achicourt Achiet-le-Grand Achiet-le-Pe
            Read more