Re: [fw-wiz] My LDAP question (fwd)
From: Todd Underwood (todd@osogrande.com)
Date: 12/17/02
- Next message: Brian A Kee: "RE: [fw-wiz] PIX 520 - control traffic between DMZ and inside devices"
- Previous message: Miha Vitorovic: "Re: [fw-wiz] PIX 520 - control traffic between DMZ and inside devices"
- In reply to: R. DuFresne: "[fw-wiz] My LDAP question (fwd)"
- Next in thread: Devdas Bhagat: "Re: [fw-wiz] My LDAP question (fwd)"
- Reply: Devdas Bhagat: "Re: [fw-wiz] My LDAP question (fwd)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Todd Underwood <todd@osogrande.com> To: "'firewall-wizards@honor.icsalabs.com'" <firewall-wizards@honor.icsalabs.com> Date: Tue Dec 17 10:24:02 2002
ron, all,
On Mon, 16 Dec 2002, R. DuFresne wrote:
> I am trying to find out if its possible to use LDAP to authenticate
> multiple OS platforms without using W2k's Active Directory. I know that Mac
> OS X and other *NIX flavors can authenticate thru LDAP, what I need is for
> W2k to authenticate thru LDAP but without using the AD.
> Does anyone know if this is possible and if so what is the best way to go
> about it?
we do this, but not in this way. the best strategy that i'm currently
aware of is not to try to make w2k authenticate straight off of LDAP (we
couldn't get that to work and i'm not sure it's supposed to work) but
rather to run samba as a domain controller and have w2k authenticate off
of samba.
so it looks something like this:
--openldap configured with the samba schema somewhere on the network.
--samba 2.2 or greater running on an OS that supports nss_ldap and PAM:
see http://www.unav.es/cti/ldap-smb-howto.html for lots more detail.
--w2k and xp running in mixed authentication mode
so clients attach to the domain run by samba, samba proxies the
authentication to LDAP, but is able to get the LM hash right out of ldap
so there's no problem of unencrypted passwords on the lan (we're actually
doing this with messy magic and synchronization to /etc/samba/smbpasswd
now, because of an older version of samba that didn't support this, but
it is *much* better if you can get the LM hash straight out of LDAP).
i find samba to be the best glue to cobble together mixed windows and
linux networks and still get all of them authenticating out of LDAP.
hope that's a useful direction.
--
todd underwood, sr. vp & cto
oso grande technologies, inc.
todd@osogrande.com
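As an added example (not part of Todd's message, nor taken from the unav.es howto) here is the minimal configuration the layout above implies: the LDAP server loads Samba's schema and locks down the hash attributes, and Samba runs as the domain controller with ldapsam as its password backend. It assumes Samba 3.x option names (passdb backend = ldapsam:...) and the Samba 3 schema attribute names sambaLMPassword / sambaNTPassword (the Samba 2.2 schema calls the same attributes lmPassword / ntPassword and sets the LDAP server with separate ldap server / ldap port options); dc=example,dc=com, ldap.example.com, the cn=samba bind DN and the user entry are placeholders.

```conf
# ---- slapd.conf (OpenLDAP 2.x) on the LDAP server ----
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/samba.schema   # shipped in the Samba source tree

# The LM/NT hashes Samba reads are password-equivalent (an attacker who reads
# them can authenticate as the user without cracking anything), so treat them
# exactly like userPassword: TLS on the wire, and no read access for anyone
# except Samba's own bind DN and the entry's owner.
security        tls=128

access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by dn="cn=samba,dc=example,dc=com" write
        by self write
        by anonymous auth
        by * none

access to *
        by dn="cn=samba,dc=example,dc=com" write
        by * read

# ---- smb.conf on the Samba domain controller ----
[global]
        workgroup = EXAMPLE
        netbios name = PDC
        security = user
        encrypt passwords = yes
        domain logons = yes
        domain master = yes
        local master = yes
        preferred master = yes
        os level = 65

        # Read the hashes from LDAP instead of /etc/samba/smbpasswd.
        passdb backend = ldapsam:ldap://ldap.example.com
        ldap ssl = start tls
        ldap admin dn = cn=samba,dc=example,dc=com
        ldap suffix = dc=example,dc=com
        ldap user suffix = ou=People
        ldap group suffix = ou=Groups
        ldap machine suffix = ou=Computers
        # Keep userPassword (used by pam_ldap on the Unix side) in step with
        # the Samba hashes when a Windows client changes a password.
        ldap passwd sync = yes

# Domain logons need a netlogon share, even if it only holds an empty
# logon script.
[netlogon]
        path = /var/lib/samba/netlogon
        read only = yes
        browseable = no

# ---- LDIF of one user that is both a POSIX and a Samba account ----
# (the hash values are normally written by smbpasswd / smbldap-tools,
#  never by hand; shown here as placeholders)
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
uid: alice
cn: Alice Example
sn: Example
uidNumber: 1001
gidNumber: 513
homeDirectory: /home/alice
loginShell: /bin/bash
sambaSID: S-1-5-21-<domain SID>-3002
sambaAcctFlags: [U          ]
sambaLMPassword: <32 hex characters>
sambaNTPassword: <32 hex characters>
```

The ldap admin dn's password is not kept in smb.conf; it is stored in Samba's secrets.tdb with `smbpasswd -w <password>` once on the domain controller. Before joining any client, check the ACL from an unprivileged bind (for example `ldapsearch -x -D uid=bob,... -W -b dc=example,dc=com uid=alice sambaNTPassword`): if it returns the attribute, every domain user can read every other user's password-equivalent and the "no unencrypted passwords on the LAN" property of this design is lost.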