OpenLDAP with Linux and Windows

Using LDAP to manage user authentication in computer labs at the University of Verona.
Comments

Re: OpenLDAP with Linux and Windows

What about synchronizing the OpenLDAP and Windows 2000 schemas? The differences between their schemas prevent copying the Active Directory tree into an LDBM database and vice versa.

Re: OpenLDAP with Linux and Windows

Very nice. But what about using a Windows 2000 server as the LDAP server and connecting my Linux stations to it? How do I set that up?

Thanks

Re: OpenLDAP with Linux and Windows

VERY easy.

Active Directory uses DNS and LDAP v2 and v3. Just run ldap clients on the Linux machines. Bam, you got yourself Linux workstations authenticating to a Windows 2000 domain controller. How's that for surreal?

Easier installation

The RH Server Development Project has a package that will do a lot of the "hard work" for you and set up a Samba PDC with LDAP plus the webmin frontend:

http://rhems.sourceforge.net/

It's almost too easy.

Or just use Mandrake ...

Mandrake RPMs of 2.2.5 for Mandrake 8.x built with LDAP support are available on ftp.samba.org.

The RPMs in cooker have everything but the webmin frontend running (but by default are not compiled with ldap support, just do 'rpm --rebuild --with ldap' to get it).

RPMs for 8.x will be updated soon ...

Of course, for anything later than 8.1 that also means you get ACLs, nss_wins and winbind out of the box ...

Still have some work to do tracking down the webmin module.

Re: Easier installation

Anonymous, you deserve a kiss. ;-) Thank you so much.

/P

the need for TNG ?

As others have said, Samba supports LDAP quite well.

However, from my similar setup, it looks like TNG is needed to handle domain groups.

Groups of users on the domain seem to have very limited support in the main Samba (so far),

for example allowing a group of users to access a share on a server in the domain.

I think this is only possible in TNG with ACLs.

If I'm wrong please email me

dmiller at judcom.nsw.gov.au

No ACLs in TNG

AFAIK, there aren't ACLs in TNG, and for what you want to accomplish (use domain groups on the server), you don't need domain groups, since LDAP does that for you.

The only place domain groups are useful is on the Windows boxen, and this can be accomplished (though I am not sure with LDAP) using some tools from samba-3alpha on a samba-2.2.x domain controller (it was smbgroupedit, it might have changed).

samba-2.2.x of course supports POSIX ACLs with XFS or the ext2/3+bestbits patch.

Re: OpenLDAP with Linux and Windows

Is there anyone who has normal Samba 2.2.x working in a similar scenario?

Re: OpenLDAP with Linux and Windows

Yes, we have it working. At Brigham Young University, both the CS Department and the Chemistry Department are using LDAP to drive Samba HEAD 2.2.2 domain controllers to serve Windows domains. Works great. No probs at all, except for the caveat that machines joined to the domain have to exist in the local password file of the domain controller, and not in LDAP, because for some reason PAM cannot find any unames like 'machine1$' in LDAP. Other than that users are all there in LDAP. We use Kerberos for authentication on our Unix machines and LDAP integration with Kerberos will soon be pretty tight. We're still working on some good password synchronization tools.

In the chem department, we actually have three different domains (3 samba 2.2.2 pdcs) serving from one LDAP database source. We use LDAP filters in the smb.conf file to limit domain access to particular gidNumbers. Very nice indeed.

You can contact me with questions at torriem at byu dot edu.

cheers,

Michael Torrie

Re: OpenLDAP with Linux and Windows

idealx.org has got a project like this going on...

http://samba.idealx.org

BTW, what I would really like is being able to combine one of these approaches with "that dreaded Exchange server".

Re: OpenLDAP with Linux and Windows

That would be interesting...

How could we do that?

samba 2.2.x works fine

Samba 2.2.x has supported LDAP for quite some time, plus, you get a lot of features that are not available in samba-tng, such as ACLs, downloadable print drivers etc.

Plus, I don't think the schema for samba-tng is compatible with Samba HEAD CVS (which will become 3.0).

Also, you might want to have Samba use SSL or TLS for its LDAP connections, otherwise you are sending Windows password hashes across the network in clear text. These are easily cracked, and are password-equivalents. Of course, this mostly applies to the rest of the setup also if you don't use SASL.

But, my question now is, how would you handle Linux laptops in this scenario? Windows laptops would work fine, having cached credentials from the DC, and probably having cached profiles also.
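The TLS point in the comment above, as an added configuration example that is not from this thread or from the Samba/OpenLDAP projects. It uses Samba 3.x smb.conf parameter names and the Samba 3 schema attribute names (sambaLMPassword/sambaNTPassword); the hostname, DNs, certificate paths and the admin DN are assumptions.

```conf
# ---- smb.conf on the Samba PDC: weak setting (assumed example) ----
# With "ldap ssl = off" the admin bind and every sambaNTPassword /
# sambaLMPassword value Samba reads or writes cross the wire in clear.
[global]
   passdb backend = ldapsam:ldap://ldap.example.org
   ldap admin dn  = cn=samba-admin,dc=example,dc=org
   ldap suffix    = dc=example,dc=org
   ldap ssl       = off

# ---- smb.conf: corrected ----
# "start tls" upgrades the ldap:// session with STARTTLS before Samba binds,
# so the bind password and the hashes are only ever sent inside TLS.
[global]
   passdb backend = ldapsam:ldap://ldap.example.org
   ldap admin dn  = cn=samba-admin,dc=example,dc=org
   ldap suffix    = dc=example,dc=org
   ldap ssl       = start tls

# ---- slapd.conf on the OpenLDAP server: enforce it server-side ----
# Certificate/key paths are placeholders for this example.
TLSCACertificateFile  /etc/openldap/cacert.pem
TLSCertificateFile    /etc/openldap/ldap.example.org.crt
TLSCertificateKeyFile /etc/openldap/ldap.example.org.key
# Refuse simple binds and all other operations unless the session already
# has a 128-bit security strength factor, i.e. a client that forgets
# "start tls" fails to bind instead of silently leaking its credentials.
security ssf=128 simple_bind=128
# Hide the password-equivalent hashes from everyone except the Samba admin DN.
# This rule must come before any general "access to *" rule in slapd.conf.
access to attrs=sambaLMPassword,sambaNTPassword
        by dn.exact="cn=samba-admin,dc=example,dc=org" write
        by * none
```

The slapd `security` line is what closes the gap the comment mentions for "the rest of the setup": it applies to every client, not only to Samba.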

Re: OpenLDAP with Linux and Windows

It's nice to see more people using the LDAP backend in Samba; however, that only TNG and the 3.0 alpha branch support it is wholly incorrect. The "stable" branch of 2.2.x has supported it for quite a while (I don't remember when it first started appearing in the official tree, but I had patches working for it before 2.2.2). As it stands, the current stable version of Samba supports LDAP very well. There are some differences between what is described here and the 3.0 and 2.x versions, the most obvious (at least on my cursory glance) being how the LDAP password is specified.

Suffice it to say, those who don't want to use unstable development software but want the benefits of unified logins and passwords can (and I recommend they do) use the latest and greatest Samba 2.x for Windows account management.

--Shahms

OpenLDAP and LDAP integration documentation

I've made an extensive LDAP presentation and posted it at -

ftp://kalamazoolinux.org/pub/pdf/ldapv3.pdf

Great work, thx

Thanks a lot, great work. Let me see how fast I get into it ;-)

Re: OpenLDAP and LDAP integration documentation

This URL is prompting for a user id and password. Is there an open access to this?

Re: OpenLDAP and LDAP integration documentation

I suggest that everyone who is thinking of dealing with LDAP read this great document. Thank you.

Re: OpenLDAP and LDAP integration documentation

Really impressive, good work.

Re: OpenLDAP and LDAP integration documentation

Perfect!!! Great presentation!!!! Thanks.

Re: OpenLDAP and LDAP integration documentation

Thank you, great work!

Doubt regarding connections

Hi,

How can I increase the OpenLDAP connections? Right now it seems to be supporting 64 connections.

Ram.S
