Authenticating users to ADS

It is possible to authenticate AIX-users to the Windows 2003 Active Directory.
But is it also possible to do full user administration in the ADS without also adding users to the local AIX server?

I have the following working:

  1. Add user to the ADS
  2. Add user to AIX with 'mkuser registry=KRB5Afiles SYSTEM=KRB5Afiles <username>'
  3. Now the password for <username> is being checked against the ADS

But I want the full user administration in the ADS (username, password, primary group, other groups, which shell to start) without adding the user to the local AIX server. Is that possible?

Win 2003 AD is pretty much an LDAP server that you can use Pam_ldap or openldap tools with. As far as AD/LDAP maintenance tools, there are some open ones in Java, and PHP based ones also.

Centrify Directcontrol might meet your needs. See Centrify DirectControl Suite Overview for details.

I tried to go that direction and got stopped at Informix. I learned that I had to rewrite all of my Informix applications to support PAM.