Common wisdom about Active Directory authentication for Linux Servers?

Solution 1:

In March 2014, Red Hat published a reference architecture for integrating Red Hat Enterprise Server with Active Directory. (This material should certainly be current and relevant.) I hate to post this as an answer, but it's really just too much material to transfer into the answer field.

This document (corrected) is hot off the press and seems to focus on the new features of Red Hat Enterprise Linux (RHEL) 7. It was published for the Summit last week.

Should this link go stale, please let me know and I'll update the answer accordingly.

I have personally used WinBind fairly reliably for authentication. There are very infrequent service failures that require someone with root or another local account to go in and bounce winbindd. This could probably be dealt with via proper monitoring if you care to put the effort into it.

It is worth noting that Centrify does have additional functionality, though this can be provided by separate configuration management (Puppet, etc.).

Edit 6/16/14:

Red Hat Enterprise Linux 7 Windows Integration Guide
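The "proper monitoring" the answer above alludes to, as an added example (not code from the answer or from the Red Hat guide): a small health check that probes winbindd with `wbinfo -p` (is the daemon answering?) and `wbinfo -t` (can it validate the machine trust secret against a DC?), bounces the service once only when the daemon itself is unresponsive, and exits non-zero when the problem persists so a cron job or Nagios-style check can page someone instead of waiting for logins to fail. The unit name `winbind`, the probe timeout and the `--check` flag are assumptions of this script, not anything the page states.

```shell
#!/bin/sh
# Added example, not from the original answer: winbindd health check with a
# single, narrow self-heal. Run as root from cron or a monitoring agent.
#
# Assumptions (not stated on the page): systemd manages the service as the
# "winbind" unit (some distributions call it "winbindd"), wbinfo and
# timeout(1) are on PATH.

WINBIND_UNIT="${WINBIND_UNIT:-winbind}"
PROBE_TIMEOUT="${PROBE_TIMEOUT:-15}"

# "wbinfo -p" pings winbindd over its local socket; no DC is involved, so a
# failure here means the daemon itself is wedged or gone.
probe_winbindd_ping() {
    timeout "$PROBE_TIMEOUT" wbinfo -p >/dev/null 2>&1
}

# "wbinfo -t" checks the machine account trust secret against a DC, so it
# fails when no DC is reachable or the machine password is out of sync.
probe_dc_trust() {
    timeout "$PROBE_TIMEOUT" wbinfo -t >/dev/null 2>&1
}

restart_winbindd() {
    systemctl restart "$WINBIND_UNIT" >/dev/null 2>&1 && sleep 5
}

# Prints exactly one of: ok, restarted, daemon-down, dc-unreachable.
# The decision is kept separate from the probes so it can be tested, and the
# restart is deliberately narrow: a DC or trust problem is not fixed by
# bouncing winbindd, so that case only alerts.
winbind_health() {
    if probe_winbindd_ping; then
        if probe_dc_trust; then echo ok; else echo dc-unreachable; fi
        return 0
    fi
    # The "someone has to bounce winbindd" case from the answer, automated.
    if restart_winbindd && probe_winbindd_ping; then
        echo restarted
    else
        echo daemon-down
    fi
}

main() {
    state=$(winbind_health)
    logger -t check-winbind "winbindd health: $state"   # syslog/journal trail
    echo "winbindd: $state"
    case "$state" in
        ok|restarted) exit 0 ;;
        *)            exit 2 ;;   # CRITICAL in Nagios terms
    esac
}

# Only run the live check when asked, e.g. from /etc/cron.d:
#   */5 * * * * root /usr/local/sbin/check-winbind.sh --check
case "${1:-}" in
    --check) main ;;
esac
```

A "restarted" result is worth counting over time even though the check passes: if winbindd needs bouncing every day the underlying cause (DC flapping, clock skew, a stale machine password) still needs to be found, and the `logger` line gives you that history.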

Solution 2:

re: "The commercial solutions like Centrify and Likewise always worked, but seemed unnecessary, since this capability is baked into the OS."

Well, I think most of us have been hearing for years that XYZ operating system finally cracks the AD integration puzzle. IMHO the problem is that for the OS vendor, AD integration is a checkbox feature, i.e., they need to deliver something that sorta kinda works to get that checkbox, and that checkbox typically only works on...

  1. their OS platform and
  2. the current version of that platform and
  3. against a more recent version of Active Directory.

The reality is that most environments are not monolithic in terms of OS vendor and OS version, and will have older versions of AD. That's why a vendor such as Centrify has to support 450+ flavors of UNIX/Linux/Mac/etc. against Windows 2000 to Windows 2012 R2, not just RHEL 7 against Windows 2012 R2.

In addition, you need to factor in how your AD is deployed: does the OS vendor's AD integration support Read Only Domain Controllers (RODCs), one-way trusts, multi-forest environments, etc.? And what if you have a pre-existing UID space (which you will)? Are there migration tools to migrate the UIDs into AD? And does the OS vendor's AD support address the ability to map multiple UIDs to a single AD in situations in which your UID space is not flat? And what about ... well, you get the idea.

Then there's the question of support ...

The point is that AD integration may seem easy conceptually and may be "free" with a vendor's latest OS, and it can probably work if you have just one version of an OS from one vendor, a vanilla AD that is the latest version, and a premium support contract with the OS vendor, who will try their best to fix any problems that come up. Otherwise you may want to consider a specialized third-party solution.
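The "pre-existing UID space" question raised in the answer above is one you can settle before joining a host rather than after. The following is an added example (not from either answer) that audits a passwd- or group-format file against the ID range the AD provider will hand out, so you know which local accounts would collide with AD-allocated IDs and which ones must be published in AD with a matching uidNumber/gidNumber (or renumbered) if you rely on RFC2307 attributes instead of algorithmic mapping. The default range 200000-2000200000 is an assumption taken from SSSD's `ldap_idmap_range_min`/`ldap_idmap_range_max` defaults for `ldap_id_mapping = True` (see sssd-ldap(5)); winbind's ranges live in smb.conf's `idmap config` lines instead, so pass the range you actually configured. The sample passwd lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of either answer: audit the local UID/GID space
# against the ID range an AD provider will allocate from.
#
# Assumption (not on the page): the range defaults to SSSD's id-mapping
# defaults; override RANGE_MIN/RANGE_MAX for winbind or a custom layout.
RANGE_MIN="${RANGE_MIN:-200000}"
RANGE_MAX="${RANGE_MAX:-2000200000}"

# audit_passwd MIN MAX  < passwd-or-group-file
# Both /etc/passwd and /etc/group keep the numeric ID in field 3, so the same
# function audits users and groups. Prints one line per finding:
#   collide:<name>:<id>  ID inside the AD range; an AD principal may map to it
#   migrate:<name>:<id>  non-system local ID below the range; it must exist in
#                        AD with the same uidNumber/gidNumber or be renumbered
# System accounts (ID < 1000) are skipped: they stay local regardless.
audit_passwd() {
    awk -F: -v lo="$1" -v hi="$2" '
        $3 >= lo && $3 <= hi { print "collide:" $1 ":" $3; next }
        $3 >= 1000           { print "migrate:" $1 ":" $3 }
    '
}

# Constructed sample (no real hosts): two system accounts, one regular user
# from the legacy UID space, and one account somebody created by hand with
# an ID that happens to fall inside the AD range.
SAMPLE_PASSWD="$(cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/bash
build:x:200007:200007:CI build account:/var/lib/build:/bin/bash
EOF
)"

# Runs the audit over the constructed sample; expected output:
#   migrate:alice:1001
#   collide:build:200007
audit_sample() {
    printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd "$RANGE_MIN" "$RANGE_MAX"
}

# Live run on the host, e.g. ./uid-audit.sh --audit
case "${1:-}" in
    --audit)
        echo "== users =="
        audit_passwd "$RANGE_MIN" "$RANGE_MAX" < /etc/passwd
        echo "== groups =="
        audit_passwd "$RANGE_MIN" "$RANGE_MAX" < /etc/group
        ;;
esac
```

A "collide" hit is the dangerous one: after the join, a file owned by local UID 200007 may suddenly appear to belong to whichever AD user the mapper assigns that ID, which is exactly the kind of surprise the answer's "non-flat UID space" remark is about. The "migrate" list is the work item for the migration tools the answer asks about.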