Is it possible to set up a Linux (and Solaris) SSH server to authenticate users in this way:
e.g. user john is a member of the group Project1_Developers in Active Directory.
We have something on server A (running Linux; the server has access to AD via, e.g., LDAP) in the SSH server's LDAP (or other module) authentication config like root=Project1_Developers,Company_NIX_Admins.
When john connects to server A using his username "john" and domain password, the server checks john's groups in the domain, and if the group is "Project1_Developers" or "Company_NIX_Admins", it makes him root locally, with root privileges.
The idea is also to have only "root" and the system users on the server, without adding user "john" to every server John can log in to.
Any help or ideas on how to do the above or something similar to it? Using AD is preferred, but any other similar solution is also possible.
P.S. Please don't open a discussion on whether it is secure to log in via SSH as root or not, thanks :)
Essentially, you're referring to Linux PAM authentication via PAM-LDAP bindings with an Active Directory server. In this case, you'd configure the Linux box to authenticate with AD via PAM (the centralized "authentication controller" libs).
In this way, John would log into the box with his own UID and password as found in AD.
Additionally, you can look at netgroups or Kerberos so as to determine whether John is allowed to connect to that specific box.
Lastly, since you mentioned SSH specifically, you may also be interested in looking at the LPK patches for LDAP which allow you to store John's authentication certificates for SSH within LDAP.
You don't need to (manually) add john to all the servers. Configure NSS, PAM, and sudo to use LDAP.
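An added example of the NSS/PAM/sudo wiring described in the answers above (not the answerers' own configuration): it assumes SSSD with its AD provider, which the page does not mention, a placeholder domain example.com, a host already joined to the domain, and the two group names from the question.

```conf
# /etc/sssd/sssd.conf  (must be mode 0600, owned by root)
# Assumption: host already joined to AD (e.g. with realm/adcli);
# "example.com" / "EXAMPLE.COM" are placeholders for the real domain.
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ad
auth_provider = ad
ad_domain = example.com
krb5_realm = EXAMPLE.COM
# Let users log in as "john" rather than "john@example.com"
use_fully_qualified_names = False
# No local account exists for john; home dir is derived from the username
# (pam_mkhomedir/pam_oddjob_mkhomedir must be enabled in the PAM session
# stack so it is created on first login)
fallback_homedir = /home/%u
# First gate: only members of these AD groups may authenticate at all
access_provider = simple
simple_allow_groups = Project1_Developers, Company_NIX_Admins

# /etc/ssh/sshd_config  (second gate, enforced by sshd via NSS groups)
AllowGroups Project1_Developers Company_NIX_Admins

# /etc/sudoers.d/ad-admins  (mode 0440; edit with: visudo -f <file>)
# Members of either AD group get root via sudo, with each command logged
%Project1_Developers ALL=(ALL:ALL) ALL
%Company_NIX_Admins  ALL=(ALL:ALL) ALL
```

Check the result with `getent group Project1_Developers` and `sudo -l -U john` before relying on it; use the group name exactly as `getent` returns it in sshd_config and sudoers, since SSSD's AD provider normalizes case by default.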