OpenLDAP with Linux and Windows

Using LDAP to manage user authentication in computer labs at the University of Verona.
Comments

Re: OpenLDAP with Linux and Windows

What about synchronizing the OpenLDAP and Windows 2000 schemas? The differences between their schemas prevent copying the Active Directory tree into an LDBM database and vice versa.

Re: OpenLDAP with Linux and Windows

Very nice. But how do I use a Windows 2000 server as the LDAP server and connect my Linux stations to it?

How do I make that work?

Thanks

Re: OpenLDAP with Linux and Windows

VERY easy.

Active Directory uses DNS and LDAP v2 and v3. Just run ldap clients on the Linux machines. Bam, you got yourself Linux workstations authenticating to a Windows 2000 domain controller. How's that for surreal?

Easier installation

The RH Server Development Project has a package that will do a lot of the "hard work" for you and set up a Samba PDC with LDAP plus the Webmin front end:

http://rhems.sourceforge.net/

It's almost too easy.

Or just use Mandrake ...

Mandrake RPMs of Samba 2.2.5 for Mandrake 8.x, built with LDAP support, are available on ftp.samba.org.

The RPMs in Cooker have everything but the Webmin front end running (but by default they are not compiled with LDAP support; just do 'rpm --rebuild --with ldap' to get it).

RPMs for 8.x will be updated soon ...

Of course, for anything later than 8.1 that also means you get ACLs, nss_wins and winbind out of the box ...

Still have some work to do tracking down the webmin module.

Re: Easier installation

Anonymous, you deserve a kiss. ;-) Thank you so much.

/P

the need for TNG ?

As others have said, Samba supports LDAP quite well.

However, from my similar setup, it looks like TNG is needed to handle domain groups.

Groups of users on the domain seem to have very limited support in the main Samba (so far), for example allowing a group of users to access a share on a server in the domain.

I think this is only possible in TNG with ACLs.

If I'm wrong, please email me:

dmiller at judcom.nsw.gov.au

No ACLs in TNG

AFAIK, there aren't ACLs in TNG, and for what you want to accomplish (using domain groups on the server) you don't need domain groups, since LDAP does that for you.

The only place domain groups are useful is on the Windows boxen, and this can be accomplished (though I am not sure with LDAP) using some tools from samba-3alpha on a samba-2.2.x domain controller (it was smbgroupedit; it might have changed).

samba-2.2.x of course supports POSIX ACLs with XFS or ext2/3 plus the bestbits patch.

Re: OpenLDAP with Linux and Windows

Is there anyone who has normal Samba 2.2.x working in a similar scenario?

Re: OpenLDAP with Linux and Windows

Yes, we have it working. At Brigham Young University, both the CS Department and the Chemistry Department are using LDAP to drive Samba HEAD 2.2.2 domain controllers that serve Windows domains. Works great. No problems at all, except for the caveat that machines joined to the domain have to exist in the local password file of the domain controller, and not in LDAP, because for some reason PAM cannot find any usernames like 'machine1$' in LDAP. Other than that, users are all there in LDAP. We use Kerberos for authentication on our Unix machines, and LDAP integration with Kerberos will soon be pretty tight. We're still working on some good password synchronization tools.

In the Chem department, we actually have three different domains (three Samba 2.2.2 PDCs) serving from one LDAP database source. We use LDAP filters in the smb.conf file to limit domain access to particular gidNumbers. Very nice indeed.

You can contact me with questions at torriem at byu dot edu.

cheers,

Michael Torrie

Re: OpenLDAP with Linux and Windows

idealx.org has a project like this going on...

http://samba.idealx.org

BTW, what I would really like is being able to combine one of these approaches with "that dreaded Exchange server".

Re: OpenLDAP with Linux and Windows

That would be interesting ....

How could we do that ..............

samba 2.2.x works fine

Samba 2.2.x has supported LDAP for quite some time; plus, you get a lot of features that are not available in samba-tng, such as ACLs, downloadable print drivers, etc.

Plus, I don't think the schema for samba-tng is compatible with Samba HEAD CVS (which will become 3.0).

Also, you might want to have Samba use SSL or TLS for its LDAP connections; otherwise you are sending Windows password hashes across the network in clear text. These are easily cracked, and are password-equivalents. Of course, this mostly applies to the rest of the setup also if you don't use SASL.

But my question now is, how would you handle Linux laptops in this scenario? Windows laptops would work fine, having cached credentials from the DC, and probably having cached profiles also.
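The two settings discussed in this thread, the TLS point made in the comment above and the per-domain gidNumber filter described in the BYU post, as an added smb.conf example. This is not from the article or from any commenter; it uses the Samba 2.2.x LDAP parameter names, and the host name, suffix, admin DN and gidNumber 1001 are assumed values.

```ini
# smb.conf fragment (added example, not from the article or the comments).
# Samba 2.2.x LDAP parameters; host name, suffix, admin DN and gidNumber
# are assumed values for illustration.
[global]
   workgroup = CHEMLAB
   security = user
   encrypt passwords = yes
   domain logons = yes

   ldap server = ldap.example.org
   ldap port = 389
   ldap suffix = ou=People,dc=example,dc=org
   ldap admin dn = cn=samba,dc=example,dc=org
   ; The bind password does not go in smb.conf. In 2.2.x it is stored
   ; in secrets.tdb with:  smbpasswd -w <password>

   ; WEAK: plain LDAP on port 389. The lmPassword/ntPassword attributes
   ; of each sambaAccount cross the network in clear text, and those
   ; hashes are password-equivalent for SMB authentication.
   ;ldap ssl = off

   ; Corrected: negotiate STARTTLS on port 389 before the bind.
   ; ("ldap ssl = on" instead uses ldaps on port 636.)
   ldap ssl = start_tls

   ; Restrict this PDC to users whose POSIX primary group is gidNumber 1001.
   ; A second PDC sharing the same directory uses a different gidNumber,
   ; so one LDAP database can serve several domains. %u is the login name.
   ldap filter = (&(uid=%u)(objectclass=sambaAccount)(gidNumber=1001))
```

Run `testparm` after editing to confirm the parameters are accepted by the Samba release in use. On the slapd side, STARTTLS needs `TLSCertificateFile` and `TLSCertificateKeyFile` in slapd.conf, and `security ssf=128` (OpenLDAP 2.1 and later) makes the server refuse unprotected binds, so a client that silently falls back to clear text fails closed rather than leaking the hashes; `ldapsearch -ZZ` against the server is a quick check that STARTTLS actually succeeds.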

Re: OpenLDAP with Linux and Windows

It's nice to see more people using the LDAP backend in Samba; however, the claim that only TNG and the 3.0 alpha branch support it is wholly incorrect. The "stable" branch of 2.2.x has supported it for quite a while (I don't remember when it first started appearing in the official tree, but I had patches working for it before 2.2.2). As it stands, the current stable version of Samba supports LDAP very well. There are some differences between what is described here and the 3.0 and 2.x versions, the most obvious (at least on my cursory glance) being how the LDAP password is specified.

Suffice it to say, those who don't want to use unstable development software but want the benefits of unified logins and passwords can (and I recommend they do) use the latest and greatest Samba 2.x for Windows account management.

--Shahms

OpenLDAP and LDAP integration documentation

I've made an extensive LDAP presentation and posted it at -

ftp://kalamazoolinux.org/pub/pdf/ldapv3.pdf

Great work, thx

Thanks a lot, great work. Let me see how fast I get into it ;-)

Re: OpenLDAP and LDAP integration documentation

This URL is prompting for a user id and password. Is there an open access to this?

Re: OpenLDAP and LDAP integration documentation

I suggest to everyone who is thinking of dealing with LDAP: read this great document. Thank you.

Re: OpenLDAP and LDAP integration documentation

Really impressive, good work.

Re: OpenLDAP and LDAP integration documentation

Perfect!!! Great presentation!!!! Thanks.

Re: OpenLDAP and LDAP integration documentation

Thank you, great work!

Doubt regarding connections

Hi,

How can I increase the number of OpenLDAP connections? Right now it seems to support 64 connections.

Ram.S
