Question for anyone that has been involved in doing integration/SSO work between Linux (RedHat mainly) and Active Directory.
We have worked out how to get LDAP working through PAM to check the logon name and password against AD and process the logon accordingly from there. However, we can't work out how to get Linux/PAM to go one step further and check for the existence of membership of a particular group and only grant access to the Linux shell based upon that membership.
This is identical to how we do it in Windows, we create a domain global security group and populate it with user accounts. We then assign permissions (NTFS, Local Admin, etc) to that group. When a user then accesses that resource, the group membership grants the relevant access level from there.
We are just trying to replicate this in a Linux environment. It's a mixed Windows/Linux environment, and we are already using Security Groups to assign access to Windows resources, and want to use the same methodology for Linux access.
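One way to gate shell access on membership of an AD group with the pam_ldap setup described above, shown as an added example that is not part of the original post. It assumes a RHEL system where `/etc/pam.d/sshd` includes `system-auth`, and the group name `linux-shell-users` and its DN are placeholders; the check relies on `pam_succeed_if`, which only works when NSS can resolve the AD group.

```conf
# /etc/pam.d/system-auth (account stack only; auth/password lines unchanged).
# On newer RHEL releases sshd uses /etc/pam.d/password-auth instead.
#
# Order matters: pam_localuser lets accounts from /etc/passwd through so root
# and local service accounts are not gated on an AD group; everyone else must
# be in the placeholder AD group linux-shell-users or the account phase fails
# even though the password was already accepted by pam_ldap in the auth stack.
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     required      pam_succeed_if.so user ingroup linux-shell-users quiet_fail
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

# "user ingroup" is evaluated against the user's primary and supplementary
# groups as seen by NSS, so check resolution before relying on the rule:
#   getent group linux-shell-users      # must print the group and its members
#   id -nG someaduser                   # must list linux-shell-users
#
# Alternative (placeholder DN): pam_ldap can enforce the same membership on
# its own from /etc/ldap.conf, using the AD "member" attribute:
#   pam_groupdn cn=linux-shell-users,ou=Groups,dc=example,dc=com
#   pam_member_attribute member
```

A failed group check is logged by PAM to `/var/log/secure`, which is where to look when a user who can authenticate still cannot get a shell.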