[olug] RE: Topic for next meeting

Jay Hannah jay at jays.net
Thu Aug 28 21:13:55 UTC 2003


Our corporate group is re-rallying around an AD solution for 2004.
Apparently the company-wide transition from NT networks to AD hasn't ROI'd
until Microsoft's version of 2003 that's coming out in a couple weeks.

I was hoping to avoid all the AD rigmarole for a clean, easy, flexible,
easy per-site transition Samba / LDAP / ? solution...

I've been told (in conversations I didn't really understand) that the
transition to AD is painful and to get the benefits we'd have to do a lot
of throw-away work since we can't do all sites at once... Apparently once
you're in "mixed mode" you have to nuke the whole AD forest to switch a
site to AD? Ick.

We need something easy...

Under VAS does each site still have its own domain controller? If our
network dies, we still need each site to be able to do their local
thing... What is the domain controller at each site? How does it talk to
the central location?


On Thu, 28 Aug 2003, Bob McCoy wrote:
> If there's enough interest, I'd be willing to give my presentation from
> the CERT Conference.  It's about using Kerberos and LDAP for
> cross-platform authentication.
> Here are some of the things you may want to weigh:
> - This is not a "roll your own" or free solution.  It's based on Vintela
> Authentication Service (VAS) <http://www.center7.com/us/products/vas/>.
> Check out the reviewer's guide for a quick overview.
> - It uses Active Directory as its credential store.
> - It currently supports Linux and Solaris.
> - It only takes about 15 minutes to get the whole thing up and running
> -- AD schema extended, agent installed on the UNIX box, UNIX box joined
> to the domain, AD user attributes updated as necessary, AD user logged
> into UNIX box (all that with the AD user never having logged into the
> UNIX box before, created its home directory on the fly, and no reboots).
> - It makes very efficient use of PAM and NSSwitch.
> However, if it must be an Open Source solution, or you find the use of
> AD as your credential store untenable, then this is not the solution for
> you.
> By the way, one of the principals involved in VAS is John Terpstra.  He
> is a member of the Open Group and has been a major contributor to Samba
> over the years.
> Let me know.  Bob.
