07-10-2005
Scott Lowe
 
Linux authentication via AD

I need some outside perspectives on this. I'm working on a project to
use Active Directory (AD) to authenticate Linux logins. I'm not
looking for how to do this; there's plenty of "how to's" out there that
I can use. What I'm looking for is a "best practice" kind of
recommendation.

There seem to be two prevailing methods for accomplishing this: Using
winbind, or using LDAP. Winbind apparently does not require a schema
extension in AD, but also doesn't seem to offer the same kind of
fine-grained control (you don't get the ability to specify UIDs and
GIDs when using winbind; these are mapped dynamically). LDAP, on the
other hand, requires a schema extension in AD but allows us to store
Unix-specific attributes there, so that an account bears the same UID
across all systems authenticating to AD.

Using LDAP seems to make the most sense to me, but it is more work. Is
the additional work really worth it? What is everyone else's
perspective in this regard?

TIA.

--
Scott Lowe

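An added example, not part of the original post: a check for the cross-system UID consistency the post raises, comparing `getent passwd` output collected from several hosts. The host names, accounts and the function names `parse_passwd` and `uid_drift` are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: `getent passwd` output from two hosts (not from the post).
HOST_A = """\
alice:*:10001:10000:Alice:/home/alice:/bin/bash
bob:*:10002:10000:Bob:/home/bob:/bin/bash
carol:*:10003:10000:Carol:/home/carol:/bin/bash
"""
HOST_B = """\
alice:*:10001:10000:Alice:/home/alice:/bin/bash
bob:*:10003:10000:Bob:/home/bob:/bin/bash
carol:*:10002:10000:Carol:/home/carol:/bin/bash
dave:*:10004:10000:Dave:/home/dave:/bin/bash
"""

def parse_passwd(text):
    """Return {username: (uid, gid)} from passwd-format lines."""
    accounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4 or not (fields[2].isdigit() and fields[3].isdigit()):
            continue  # skip malformed entries rather than guessing
        accounts[fields[0]] = (int(fields[2]), int(fields[3]))
    return accounts

def uid_drift(hosts):
    """hosts: {hostname: passwd text}. Returns (mismatched, collisions).

    mismatched: {user: {host: (uid, gid)}} where a user's ids differ between hosts.
    collisions: {uid: sorted [users]} where one uid belongs to different users
                on different hosts (files on shared storage change owner).
    """
    by_user = defaultdict(dict)
    by_uid = defaultdict(set)
    for host, text in hosts.items():
        for user, ids in parse_passwd(text).items():
            by_user[user][host] = ids
            by_uid[ids[0]].add(user)
    mismatched = {u: dict(h) for u, h in by_user.items() if len(set(h.values())) > 1}
    collisions = {uid: sorted(us) for uid, us in by_uid.items() if len(us) > 1}
    return mismatched, collisions

if __name__ == "__main__":
    bad, clash = uid_drift({"hostA": HOST_A, "hostB": HOST_B})
    print(sorted(bad), clash)
```

An empty result from both return values means every account resolves to the same UID and GID on all hosts checked; accounts present on only one host are not reported.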