[Beowulf] Active directory with Linux

[Tim Cutts]

On 24 Oct 2008, at 12:38 am, Chris Samuel wrote:

>
> ----- "Tim Cutts" <tjrc at sanger.ac.uk> wrote:
>
>> If you just want to authenticate against AD, you don't need anything
>> commercial at all.  You can just configure PAM on your Linux boxes to
>> authenticate against AD, and configure your nsswitch.conf to obtain
>> its information from AD's LDAP service.
>
> We were trying to do that for one of our members, but
> were told by the AD admins that we could only use the
> users credentials to bind to the AD server for queries
> as they were using lockouts on failed password attempts
> and so would not provide a "system" style account for
> queries as locking that out would stop all users from
> accessing the cluster.  It was implied that they couldn't
> disable lockouts for this particular user.
>
> One of our folks tried to get this config to work and
> failed, so we're now going to a fallback strategy of
> having our own pukka LDAP server and a web frontend that
> will authenticate a user correctly against their AD and
> then let them create a POSIX LDAP account in ours.
>
> Suboptimal of course, but we've wasted enough time
> already banging our heads on this. :-(

That's very similar to what we're doing.  We're using Sun Directory  
Server, because there's an additional piece of software for that  
(whose name escapes me) which can nicely handle data synchronisation  
between SDS and AD.

Tim


-- 
 The Wellcome Trust Sanger Institute is operated by Genome Research 
 Limited, a charity registered in England with number 1021457 and a 
 company registered in England with number 2742969, whose registered 
 office is 215 Euston Road, London, NW1 2BE.