[Beowulf] Re: Linux cluster authenticating against multiple Active Directory domains

Dave Love d.love at liverpool.ac.uk
Thu Jul 31 06:52:46 PDT 2008


Chris Samuel <csamuel at vpac.org> writes:

> They have assured us that we can just use their ADSs as
> if they are LDAP servers, which is OK, but it looks
> like Linux doesn't really want to know about using
> multiple LDAP servers except in a failover/round-robin
> situation.

Having completely separate ADs for staff and students seems odd...  Why
doesn't it work to have two `sufficient' cases of pam_ldap with
different `config' args pointing to different servers?

However, LDAP isn't an authentication protocol.  Use Kerberos for
authentication.  If two cases of pam_krb5 with different `realm' args
doesn't work (as it should with Russ Allbery's version in Debian), you
should be able to drop in a ~/.k5login for each user to authenticate
with a principal in the appropriate realm (Windows domain, or whatever
the correct AD terminology is).  See the doc for whichever pam_krb5 you
have, or use http://www.eyrie.org/~eagle/software/pam-krb5/.

> Our current best guess is to get an LDIF dump of
> the users who are to be given access (signified
> by an LDAP attribute) and then load those into a
> local OpenLDAP or FDS server.

[Can't OpenLDAP just refer to the AD LDAPs?]  You could also set up your
own Kerberos to do cross-realm authentication to AD, but I doubt you need
to.
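Editor's worked example (added here; not part of Dave's message, the
original poster's setup, or any vendor documentation): the PAM stacking
described above, written out for a Debian-style PAM layout with Russ
Allbery's pam-krb5 and MIT Kerberos.  The realm names
STAFF.EXAMPLE.AC.UK and STUDENTS.EXAMPLE.AC.UK, the user 'alice', the
minimum_uid value and all file paths are placeholders chosen for the
example.  The pam_ldap lines at the end show the two-`config' variant for
comparison, using the PADL pam_ldap `config=' argument.

```text
# --- /etc/krb5.conf ---
# AD publishes its KDCs in DNS SRV records, so with dns_lookup_kdc the
# library finds the KDC for either realm without a hand-written kdc= list.
[libdefaults]
    default_realm = STAFF.EXAMPLE.AC.UK
    dns_lookup_kdc = true
    # Refuse a TGT that cannot be verified against the host keytab.  Without
    # this, a missing keytab silently skips the KDC-spoofing check, and a
    # rogue "KDC" that knows the password it is asked for can log anyone in.
    # The node therefore needs a host principal it can verify against; see
    # the pam-krb5 documentation for the keytab option.
    verify_ap_req_nofail = true

# --- /etc/pam.d/common-auth ---
# Each pam_krb5 line is 'sufficient': the first realm that accepts the
# password ends the stack, and a failure just falls through to the next
# line.  try_first_pass reuses the password the first line prompted for,
# so a student is not asked twice.  minimum_uid keeps root and system
# accounts out of Kerberos altogether.  Note that a student logging in
# still produces one failed logon for an identically named staff account,
# if one exists, in the staff AD's audit log.
auth  sufficient  pam_krb5.so minimum_uid=1000 realm=STAFF.EXAMPLE.AC.UK
auth  sufficient  pam_krb5.so minimum_uid=1000 realm=STUDENTS.EXAMPLE.AC.UK try_first_pass
auth  required    pam_unix.so nullok_secure try_first_pass

# --- /etc/pam.d/common-account ---
# Re-checks that the authenticated principal is authorised for the local
# account (krb5_kuserok, i.e. the default realm mapping or ~/.k5login).
account  required  pam_krb5.so minimum_uid=1000
account  required  pam_unix.so

# --- /home/alice/.k5login (owned by alice, not writable by anyone else) ---
# Ties the local account 'alice' to one principal.  With two realms the
# same username can exist in both; this file is what stops a student
# 'alice' from landing in staff alice's account after the STUDENTS realm
# accepts her password.  Principals not listed here are refused.
alice@STAFF.EXAMPLE.AC.UK

# --- pam_ldap alternative, two PADL pam_ldap instances with separate
# configuration files each pointing at one AD (simple-bind over LDAP,
# so each ldap.conf must enable TLS or the password crosses the wire) ---
# auth  sufficient  pam_ldap.so config=/etc/ldap/staff.conf
# auth  sufficient  pam_ldap.so config=/etc/ldap/students.conf use_first_pass
```

The ordering matters: with `sufficient', a realm that rejects the password
is not an error, only a fall-through, so the pam_unix line at the end is
what finally fails a bad password.  Put the realm with the most users
first to save a KDC round-trip for the common case.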
