On 24 Oct 2008, at 12:38 am, Chris Samuel wrote:
----- "Tim Cutts" <[EMAIL PROTECTED]> wrote:
If you just want to authenticate against AD, you don't need anything
commercial at all. You can just configure PAM on your Linux boxes to
authenticate against AD, and configure your nsswitch.conf to obtain
its information from AD's LDAP service.
We were trying to do that for one of our members, but
were told by the AD admins that we could only use the
users credentials to bind to the AD server for queries
as they were using lockouts on failed password attempts
and so would not provide a "system" style account for
queries as locking that out would stop all users from
accessing the cluster. It was implied that they couldn't
disable lockouts for this particular user.
One of our folks tried to get this config to work and
failed, so we're now going to a fallback strategy of
having our own pukka LDAP server and a web frontend that
will authenticate a user correctly against their AD and
then let them create a POSIX LDAP account in ours.
Suboptimal of course, but we've wasted enough time
already banging our heads on this. :-(
That's very similar to what we're doing. We're using Sun Directory
Server, because there's an additional piece of software for that
(whose name escapes me) which can nicely handle data synchronisation
between SDS and AD.
Tim
--
The Wellcome Trust Sanger Institute is operated by Genome Research
Limited, a charity registered in England with number 1021457 and a
company registered in England with number 2742969, whose registered
office is 215 Euston Road, London, NW1 2BE.
_______________________________________________
Beowulf mailing list, Beowulf@beowulf.org
To change your subscription (digest mode or unsubscribe) visit
http://www.beowulf.org/mailman/listinfo/beowulf
