Re: [fw-wiz] My LDAP question (fwd)

From: Todd Underwood (todd@osogrande.com)
Date: 12/17/02


From: Todd Underwood <todd@osogrande.com>
To: "'firewall-wizards@honor.icsalabs.com'" <firewall-wizards@honor.icsalabs.com>
Date: Tue Dec 17 10:24:02 2002

ron, all,

On Mon, 16 Dec 2002, R. DuFresne wrote:

> I am trying to find out if it's possible to use LDAP to authenticate
> multiple OS platforms without using W2k's Active Directory. I know that Mac
> OS X and other *NIX flavors can authenticate thru LDAP, what I need is for
> W2k to authenticate thru LDAP but without using the AD.
> Does anyone know if this is possible and if so what is the best way to go
> about it?

we do this, but not in this way. the best strategy that i'm currently
aware of is not to try to make w2k authenticate straight off of LDAP (we
couldn't get that to work and i'm not sure it's supposed to work) but
rather to run samba as a domain controller and have w2k authenticate off
of samba.

so it looks something like this:

--openldap configured with the samba schema somewhere on the network.

--samba 2.2 or greater running on an OS that supports nssldap and PAM:
see http://www.unav.es/cti/ldap-smb-howto.html for lots more detail.

--w2k and xp running in mixed authentication mode

so clients attach to the domain run by samba, samba proxies the
authentication to LDAP, but is able to get the LM hash right out of ldap
so there's no problem of unencrypted passwords on the lan (we're actually
doing this with messy magic and synchronization to /etc/samba/smbpasswd
now, because of an older version of samba that didn't support this, but
it is *much* better if you can get the LM hash straight out of LDAP).

i find samba to be the best glue to cobble together mixed windows and
linux networks and still get all of them authenticating out of LDAP.

hope that's a useful direction.

-- 
todd underwood, sr. vp & cto
oso grande technologies, inc.
todd@osogrande.com
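The setup Todd sketches (Samba acting as the domain controller for the w2k/xp clients and reading the account hashes straight out of OpenLDAP) as a pair of configuration fragments. This is an added example, not part of Todd's message and not a configuration shipped by the Samba or OpenLDAP projects. It assumes the Samba 3 `ldapsam` backend and its schema attribute names (`sambaLMPassword`, `sambaNTPassword`; the Samba 2.2 schema Todd was using named them `lmPassword` and `ntPassword`), and the domain name, host name and DNs are constructed placeholders. The slapd part shows why the "LM hash straight out of LDAP" approach needs an access-control rule: without one, the directory happily serves the password-equivalent hashes to any client that can bind.

```conf
# --- smb.conf (Samba 3 ldapsam backend; assumed, not from the original post) ---
[global]
    # constructed domain and host names
    workgroup = EXAMPLE
    security = user
    encrypt passwords = yes
    # Samba is the domain controller the w2k/xp clients join.
    domain logons = yes
    domain master = yes
    # Account data, including the LM/NT hashes, is read from LDAP rather
    # than from a synchronized /etc/samba/smbpasswd.
    passdb backend = ldapsam:ldap://ldap.example.com
    ldap suffix = dc=example,dc=com
    ldap user suffix = ou=People
    ldap machine suffix = ou=Computers
    ldap group suffix = ou=Groups
    ldap admin dn = cn=samba,dc=example,dc=com
    # The hashes travel between samba and slapd on every logon; STARTTLS
    # keeps them off the wire in the clear, which is the same concern the
    # post raises about unencrypted passwords on the lan.
    ldap ssl = start tls

# --- slapd.conf (OpenLDAP) ---
# Weak: a catch-all rule like the one below lets any client, including an
# anonymous bind, read sambaLMPassword and sambaNTPassword, which are as
# good as the password itself for an SMB logon.
#
#   access to * by * read
#
# Corrected: the hash attributes are readable/writable only by the DN samba
# binds as, writable by the user for their own entry (password changes),
# usable for bind authentication by anonymous, and invisible to everyone
# else. slapd applies the first "access to" clause that matches, so this
# rule must come before any broad "access to *" rule.
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
    by dn="cn=samba,dc=example,dc=com" write
    by self write
    by anonymous auth
    by * none

access to *
    by dn="cn=samba,dc=example,dc=com" write
    by * read
```

The password for `ldap admin dn` is not placed in smb.conf; it is stored in Samba's secrets.tdb with `smbpasswd -w` so the file can stay world-readable. After loading the Samba schema into slapd, a quick way to confirm the ACL took effect is an anonymous `ldapsearch` for a user entry: the entry should come back without the two `samba*Password` attributes, while a search bound as the samba DN should return them.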

