
enterprise-ubuntu team mailing list archive

Re: Questions: Active Directory integration of linux clients

 

I have always found it hard to understand why Canonical just don't include
LDAP/AD authentication as an option out of the box like RedHat do.

I should be able to install an Ubuntu desktop and during setup, it should
ask me whether or not I want to authenticate against a central
authentication source like Active Directory.

Centralised authentication really shouldn't require add-on software.

Cheers,

Chris


On Wed, Dec 5, 2012 at 11:28 AM, Risberg, Ove <ove.risberg@xxxxxxxxx> wrote:

> Hi Florian,
>
> Yes this is a bit confusing.
>
> You have a number of commercial alternatives for AD integration:
>   VAS/QAS/DAS?  - http://www.quest.com/authentication-services/
>   PBIS/Likewise Enterprise - http://www.beyondtrust.com/
>
> These companies should be able to give you commercial support but I have
> not used them myself.
>
> There are also a number of free alternatives:
>   Samba/winbind - http://www.samba.org/
>   PBIS/Likewise Open - http://www.powerbrokeropen.org/
>   sssd - https://fedorahosted.org/sssd/
>
> I have used winbind a few years ago and it worked fine most of the time
> but was a bit slow and the cached credentials were sometimes invalid... this
> might have changed by now.
>
> We tested Likewise Open but they autogenerated/calculated the Unix UID
> from some information in the AD so you cannot set this yourself. This made
> it impossible for us to use it.
>
> Today we use sssd on our Ubuntu clients and it works almost perfectly.
> The only problem we have is that the package is not in the main Ubuntu
> repository so it is not officially supported by Canonical (?).
>
> Most of these tools give you a Kerberos ticket so you should be able to
> use this to log in to your internal web pages... if the servers and your
> browser are configured correctly.
>
> We have a database where we allocate unique Unix UIDs for all users.
> If you do not have filesystems where users have already stored files with a
> specific UID it may be easier to configure your AD integration software to
> calculate the UID from the AD information (just like Likewise Open does).
> The UID will still be unique but the UID number will probably be quite
> large (above 65535) and this can cause problems on older Unix machines.
>
> The license terms for the commercial alternatives have changed during the
> last 2 years and also the owner of the Likewise product has changed.
> What if they stop releasing new versions or updates?
> It is not the first time a commercial company lost interest in their
> Linux version and they only focus on the products where they make most
> money.
>
> I hope this answered some of your questions.
>
> Best regards
> Ove
>
>
>
> On Tue, Dec 4, 2012 at 4:05 PM, Florian Bieber <florian.bieber@xxxxxxxx> wrote:
>
>>
>> Hello,
>>
>> I am a little bit puzzled. There are solutions for AD integration of Linux
>> clients available, but it is hard for me to find out what to use when.
>>
>> For what reason / use-cases the use of win-bind and the kerberos libs
>> (e.g. described for openSUSE here
>> http://doc.opensuse.org/documentation/html/openSUSE/opensuse-security/cha.security.ad.html
>> ) are enough and when/why e.g. PowerBrokerOpen/Likewise-open (
>> http://www.powerbrokeropen.org/ ) should better be used?
>>
>> Likewise-open has a package in ubuntu and powerbroker has or will have
>> one, so one advantage I see is that you receive updates for the packages,
>> if maintained.
>>
>> But with which solution problems like
>>         offline ad login
>>         single sign on to browser/share resources
>>         a pass-through-authentication
>>         mapping of SID (so that you have one UID/GID on all Systems
>>         (local, on a Share, on a Windows-System etc.))
>>         get access rights to files (e.g. can I create a file on a NFS
>>         share so that another user sees my username instead of SID in
>>         the access field?)
>>         how is the unix user ID generated
>> is solved on the most sustainable way? What should you use when?
>>
>> What are the pros and cons for likewise/powerbroker or other solutions?
>> What else is it good for?
>>
>> Sorry for so many questions, but what are your experiences? What would you
>> suggest for which case?
>>
>> Thanks for help in advance!
>>
>> regards,
>> Florian
>>
>>
>> --
>> Mailing list: https://launchpad.net/~enterprise-ubuntu
>> Post to     : enterprise-ubuntu@xxxxxxxxxxxxxxxxxxx
>> Unsubscribe : https://launchpad.net/~enterprise-ubuntu
>> More help   : https://help.launchpad.net/ListHelp
>>
>
>
>
>
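
The calculated-UID approach mentioned in the quoted reply, as an added example that is not part of the original thread and is not the algorithm of Likewise Open, winbind or sssd: an assumed range-slice scheme in which the domain part of the SID selects a block of UIDs and the RID is the offset inside it. The constants, the CRC32 stand-in hash and the sample SIDs are constructed for illustration.

```python
import zlib

# Assumed mapping parameters (hypothetical, not taken from any product).
RANGE_MIN = 200_000      # first UID the mapper may hand out
RANGE_SIZE = 200_000     # UIDs reserved per AD domain (one "slice")
SLICES = 10_000          # number of slices; max UID stays below 2**31
LEGACY_UID_MAX = 65_535  # 16-bit uid_t limit on older Unix machines


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, RID), validating shape."""
    parts = sid.split("-")
    if len(parts) < 5 or parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"not a revision-1 SID: {sid!r}")
    if not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"non-numeric SID component: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])


def sid_to_uid(sid):
    """Derive a UID from the SID alone, so every client computes the same one."""
    domain, rid = split_sid(sid)
    if rid >= RANGE_SIZE:
        # Without this check a large RID would spill into another slice.
        raise ValueError(f"RID {rid} does not fit in a slice of {RANGE_SIZE}")
    # Stand-in hash: two domains can land on the same slice, so a real
    # deployment has to detect that and pick another slice.
    slice_no = zlib.crc32(domain.encode("ascii")) % SLICES
    return RANGE_MIN + slice_no * RANGE_SIZE + rid


def fits_legacy_uid(uid):
    """True if the UID survives on a system with a 16-bit uid_t."""
    return uid <= LEGACY_UID_MAX


if __name__ == "__main__":
    # Constructed sample SIDs: two users in the same domain.
    for sid in ("S-1-5-21-1111111111-2222222222-3333333333-1104",
                "S-1-5-21-1111111111-2222222222-3333333333-1105"):
        uid = sid_to_uid(sid)
        print(sid, "->", uid, "legacy-safe" if fits_legacy_uid(uid) else "too large for 16-bit uid_t")
```

Because the UID depends only on the SID, no central allocation database is needed, but every derived value lies above 65535, and files already owned by hand-assigned UIDs will not match the derived ones.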
