[colug-432] bash history broken
bnmille at gmail.com
Fri Dec 30 19:30:37 EST 2011
On 12/29/2011 08:51 PM, Rick Hornsby wrote:
> Yeah :/ Another inane corporate thing I'm trying to change since
> arriving here in April - and one of my very first moments where I
> really cringed after joining the company - every single one of the
> thousands of linux servers has its own local credential store - so
> suffice it to say in most cases there aren't local accounts. Because
> things are getting out of control, I think I've got them convinced to
> let me try to start moving some of the servers to authenticate off
> the AD. Hopefully I can figure a way to do group membership from the
> AD as well so that we can centrally manage who is a member of the
> tcadmins group - which on some servers gives them access to run sudo
> commands related to tomcat.
Using the native Linux LDAP client against AD isn't really that hard, as
long as you can get the RFC2307 (posixAccount) extensions added to the
AD schema. You will definitely need that if you want to use AD groups
to control access. If the AD admins are unwilling to extend the schema
that way, you might want to look at what I did: use OpenLDAP to hold
the posixAccount attributes, but use pass-through authentication to the
actual password store, which in your case would be AD.
Interestingly, I just gave a presentation about that several months ago.
If you have any questions, let me know.
More information about the colug-432