Real/Easy Active Directory Integration For Large/Complex Domains


Right now, with RHEL 5/6, if one wants to do AD-based user management, one has several options:

  • NIS-gateway mode
  • Kerberos-only
  • LDAP-only
  • winbind
  • Third party (Centrify, LikeWise, etc.)

NIS gateway mode sucks: you have to modify your AD servers to do it, and it's cleartext anyway. Pretty much no one should use this.

Neither straight Kerberos nor straight LDAP gives you the level of AD integration that either winbind or the third-party methods do.


Winbind is sufficient for small, simple AD environments, but not so good for an environment such as the one I work in, where there are nearly 100,000 user accounts in AD and many more objects of other types, plus cross-realm trusts and other complexities.

Third-party tools are good for these kinds of large and complex environments... right up to the point where you want to turn on SELinux. Then they pretty much completely break, leaving you with the choice of having either full AD integration or SELinux enabled.

My assumption is that, were Red Hat to release an AD-integration tool for RHEL 7 that was as scalable as Centrify or LikeWise, they would do so in a way that was SELinux compatible.

Responses

I agree with this 100%. Let's make it easy to enable central LDAP auth for logins back to AD, and possibly to utilize other AD LDAP attributes as well.

RHEL 5.6 has a technology preview for SSSD, which is included in 6.1 if I'm not mistaken.

SSSD can give you AD integration, though I'm not sure if things such as Kerberos trust, automatic DNS updating and such are already in a working state.

SSSD is being integrated with winbind as we speak. It will support trust environments and it already supports automatic DNS updating.


Another component that you might want to consider is Red Hat Enterprise Identity (IPA). IPA provides a native domain environment for RHEL systems. IPA is being enhanced to support cross-realm Kerberos trusts. So with SSSD (on the client) joined to an IPA domain, users in AD, and trust support between IPA and AD, you will get the set of requested tools.

And SSSD is fully on board with SELinux.

New features are great, but using different solutions on different versions of an OS makes for a support nightmare: admins will have to know the different configuration options needed for 5/6/7, and possibly for other OSes as well.

For those moving to RHEL 7 only, in an AD space, SSSD sounds great, but how many of us will be a RHEL 6/7-only shop?

RHEL5 / RHEL6 also support SSSD.

For RHEL < 5.6, SSSD is in EPEL. For RHEL > 5.6, packages should be on RHN.

RHEL 6 also has SSSD.

With the proper schema changes, integration is possible today with LDAP and Kerberos on RHEL 4, 5, and 6 (we've also tested on Solaris 8, 9 and 10).

Requirements:

  1. Windows 2003 R2 or 2008 Schema
  2. Identity Management for Unix installed on at least one DC
  3. Extend schema to support automount (RFC2307bis) maps
  4. Publish to global catalog

Key challenges:

  1. Support for automount requires a custom schema change. Schema changes are not easily adopted by large enterprises.
  2. User mapping: in our testing, simple things like the fact that Linux is case-sensitive cause sudoers to break. A PAM module to deal with this would make it easy.
  3. Migrating existing netgroups to AD groups

If you don't use automount or netgroups today, this is a fairly simple integration. We chose to avoid Samba for this because we didn't want to deal with managing and installing it across the environment (and we didn't really need it).

What we need is easy migration tools and scripts to help with exporting data from LDAP or NIS into AD. We need PAM modules that make dealing with things like case very simple. It would also be nice if Windows provided schema support for things like automount maps and netgroups out of the box, so that you don't need a custom schema change or another directory to manage those maps (although NIS with IDMU can support this).

This shouldn't be RHEL 7 specific either. Anything done needs to be easily extendable and usable for any currently supported OSes.
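The following is an added example, not configuration posted by anyone in this thread: an sssd.conf that implements the LDAP-plus-Kerberos-against-AD setup the last post describes (Identity Management for UNIX populating RFC2307bis attributes, POSIX attributes published to the global catalog, automount maps from a schema extension, no Samba or winbind on the client), and that also shows where SSSD, as mentioned in the earlier SSSD reply, addresses the case-sensitivity problem raised under "Key challenges". The domain name, hostnames, realm, search bases, keytab path and the assumption that the host keytab was created with ktpass on a DC (or with msktutil) are all made up for the example; the `autofs_provider`/`ldap_autofs_search_base` and `case_sensitive` options require a newer SSSD than the RHEL 5.6 technology preview discussed above (assumed here to be a RHEL 6.3-era or later SSSD; check sssd.conf(5) and sssd-ldap(5) on the version you run). Trust environments and the winbind integration the SSSD developer mentions are not covered by this file.

```ini
# Added example, not the poster's configuration: /etc/sssd/sssd.conf for an
# RHEL client using AD directly over LDAP (identity) and Kerberos (auth).
# Domain, hostnames, realm, search bases and keytab path are assumptions.
[sssd]
config_file_version = 2
services = nss, pam, autofs
domains = ad.example.com

[nss]
# Never let the directory override local root.
filter_users = root
filter_groups = root

[pam]

[domain/ad.example.com]
# Identity and authentication come from AD without the ad/winbind providers.
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
autofs_provider = ldap

# Global catalog on 3268 covers the whole forest, which is why the post's
# requirement 4 (publish the POSIX attributes to the GC) matters.
ldap_uri = ldap://dc1.ad.example.com:3268
ldap_search_base = DC=ad,DC=example,DC=com
ldap_schema = rfc2307bis
# AD hands out referrals for other naming contexts; chasing them from a Unix
# client is slow and usually fails, so turn it off.
ldap_referrals = false

# AD object classes and the attributes Identity Management for UNIX fills in.
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_name = sAMAccountName
ldap_group_member = member

# Automount maps stored under the custom RFC2307bis schema extension
# (requirement 3 in the post); assumed OU name.
ldap_autofs_search_base = OU=automount,DC=ad,DC=example,DC=com

# Bind to LDAP with the host's Kerberos key, not a cleartext bind password.
# Keytab assumed to have been produced with ktpass on a DC (or msktutil).
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/rhel6.ad.example.com@AD.EXAMPLE.COM
ldap_krb5_keytab = /etc/krb5.keytab

krb5_realm = AD.EXAMPLE.COM
krb5_server = dc1.ad.example.com
krb5_kpasswd = dc1.ad.example.com

# AD names are case-insensitive; with this off, "JSmith" in AD resolves the
# lower-case entries in sudoers and file ownership that the post saw break.
case_sensitive = false

# Offline logins from cached credentials; never enumerate 100,000 users.
cache_credentials = true
enumerate = false
```

The file must be mode 0600 and owned by root or sssd refuses to start. A quick check that the schema mapping is right is `getent passwd jsmith` and `id jsmith` after `authconfig --enablesssd --enablesssdauth --update`; if `getent` returns nothing, run `ldapsearch -Y GSSAPI -H ldap://dc1.ad.example.com:3268 -b DC=ad,DC=example,DC=com '(sAMAccountName=jsmith)' uidNumber gidNumber unixHomeDirectory loginShell` with a host ticket to confirm the IDMU attributes are actually published to the GC, since an unpublished attribute is the usual reason a user resolves on the DC's own port but not on 3268.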