Looking for suggestion on authentication method for UNIX/Windows

solaris_1977 · April 20, 2017, 9:19pm

Hello,

We have mid level infrastructure of all on-premises servers. All windows servers are getting authenticated by Microsoft Active Directory Services, half Unix (Solaris+Linux) servers are getting authentication by NIS and other half by LDAP.

We have plans to migrate from NIS to LDAP, so going forward it will all LDAP and Microsoft AD.
Recently we started looking into hosting our few servers on AWS and that made us looking into different prospective.

We are not going to build new/another AD on AWS, but we will use our on-primises directory services for authentication.
Will it be a good approch to integrate LDAP with AD, so that single sign-on can be achieved ?
Or most people will prefer to keep UNIX authentication by LDAP and Windows authentication by Microsoft AD ?
Should I consider any pros or cons with either of these solutions ?
As of now, we are planning to put dashboard application on AWS with two tomcat (web servers) servers, two DB servers. But going forward, this environment will grow with further migrations.

I understand that it is not break-fix question and it is more of consulting question. People who have knowlegde of similar kind of setup, can give me some idea.

I want suggestions from you guys, what can be best possible ways to achieve our goal. I can research in details, but I am looking for high level plan.

If this is not related to correct forum, please move it to appropriate place.

Regards

Scrutinizer · April 21, 2017, 2:50am

AD is essentially LDAP + Kerberos, so in itself there is nothing wrong with using AD, but it uses a proprietary schema. In order for it to be truly useful for unix/linux hosts, if you need anything more than just authentication, it would be best to import the rfc2307/rfc2307bis schema into AD. So AD can be used as LDAP for Unix/Linux hosts.

An alternative is to have two directories (AD and a separate LDAP) with some kind of sync mechanism...

Then there is the client side. With Single Signon, do you mean that you need to authenticate once and then use a ticket further on. Then you need to use (AD) Kerberos / gssapi. Some linux clients in addition can also do SSO without gssapi through sssd (also against AD), but Solaris cannot. If you mean with SSO that the password is the same for all platforms, then an alternative would be to use TLS/LDAP on Unix/Linux clients.

It all really depends on your situation..

solaris_1977 · April 23, 2017, 3:43pm

Thanks. It gives me some starting point to research on our feasible options. Thanks