Mailinglist Archive: opensuse (1840 mails)

Re: [opensuse] Re: openSUSE windows Active Directory and OU=
  • From: Ralf Haferkamp <rhafer@xxxxxxx>
  • Date: Wed, 2 Dec 2009 15:39:34 +0100
  • Message-id: <200912021539.34361.rhafer@xxxxxxx>
On Wednesday 02 December 2009 15:09:27 Roger Oberholtzer wrote:
> On Wed, 2009-12-02 at 14:57 +0100, Ralf Haferkamp wrote:
> > On Wednesday 02 December 2009 14:51:33 Roger Oberholtzer wrote:
> > > On Wed, 2009-12-02 at 14:20 +0100, Ralf Haferkamp wrote:
> > > > > I see that the LDAP DN record will probably look like this:
> > > > >
> > > > > CN=roropq,OU=RST,OU=KAJ24,OU=MMA,OU=SYD,OU=SCC
> > > > >
> > > > > where CN= will obviously differ for all, but I think the rest will
> > > > > be the same. As you move to the left in the OU= list, the scope
> > > > > narrows. It is OU=RST,OU=KAJ24,OU=MMA,OU=SYD,OU=SCC that I want to
> > > > > restrict login to.
> > > >
> > > > I understood. AFAIK this is currently not possible with winbind. I
> > > > just learned however that you can restrict login based on
> > > > group membership. Please have a look at the require_membership_of
> > > > option for pam_winbind in the pam_winbind man page. That way, if you
> > > > put all the desired users into one group you could restrict login to
> > > > be allowed only to members of that group.
> > >
> > > Which begs the question:
> > >
> > > How, in this context, do I put all users in the same group?
> >
> > I am not sure if I understand your problem. But I would use the Windows
> > MMC to create a new group (e.g. linux-user) and make all the desired
> > users members of that group. Is there a problem with that?
>
> Yes. The AD is company-wide, with thousands of members. They do not let
> folk play with it.

Ok, I was (wrongly) assuming that you had administrative rights on the AD
and were allowed to make changes there. Assuming that there is no way to
restrict login with winbind to a specific OU (I don't think there is one,
until winbind has some support for Group Policies, but that would require some
administrative changes on the AD Server as well) I don't know a way to solve
your problem. You could probably ask on the Samba mailing list:

https://lists.samba.org/mailman/listinfo/samba

(You could of course switch to pam_ldap/nss_ldap but I would try to avoid that
when using AD)

> Linux has to use the AD as it is. I think this is the way it usually is in
> an organization of any size.
>
> In fact, they use the Novell Client for Windows for login. Perhaps there
> is something that can be used from that? So far, I have not come across
> anything. It seems the AD is the only authentication route available.

--
Ralf
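The distinction Ralf draws is between what pam_winbind's require_membership_of can test (membership of a group) and what Roger actually wants to test (the container the account lives in, i.e. the OU chain of its DN). The example below is added here and is not code from the thread, from Samba or from winbind; it shows what the container check would look like if one had the user's DN in hand, using the DN format quoted in the thread. The DN values and the idea of running such a check from a PAM helper (e.g. via pam_exec after a directory lookup) are assumptions for illustration, not something the thread describes.

```python
"""Check whether an AD account's DN sits in (or under) a required OU chain.

Added example for the thread above. A naive string suffix test on the DN
is fragile: attribute types and AD values compare case-insensitively, and
CNs frequently contain escaped commas ("Smith\\, John"). Splitting into
RDNs first avoids both problems.
"""
from typing import List, Tuple

# Constructed sample values taken from the DN layout quoted in the thread.
SAMPLE_DN = "CN=roropq,OU=RST,OU=KAJ24,OU=MMA,OU=SYD,OU=SCC"
REQUIRED_CONTAINER = "OU=RST,OU=KAJ24,OU=MMA,OU=SYD,OU=SCC"


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) RDN pairs, left (most specific) first.

    Backslash escapes (RFC 4514 style) are kept with the value so an escaped
    comma never starts a new RDN. Multi-valued RDNs joined with '+' are not
    handled; AD does not normally produce them for user objects.
    """
    rdns: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])  # keep the escape sequence intact
            i += 2
            continue
        if c == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    rdns.append("".join(buf))

    pairs: List[Tuple[str, str]] = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip(), value.strip()))
    return pairs


def _normalize(pairs: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """AD attribute types and DN values are case-insensitive; fold both."""
    return [(a.upper(), v.lower()) for a, v in pairs]


def container_of(dn: str) -> List[Tuple[str, str]]:
    """Everything after the leaf RDN: the OU chain the object is placed in."""
    return split_dn(dn)[1:]


def is_in_container(dn: str, container: str, allow_subtree: bool = True) -> bool:
    """True if dn's parent container is `container`.

    With allow_subtree=True an account in a sub-OU beneath `container` also
    passes (the required chain is a suffix of the parent chain); with
    allow_subtree=False the parent chain must match exactly. Moving left in
    the OU list narrows the scope, so the required chain is matched from the
    right-hand (broadest) end.
    """
    parent = _normalize(container_of(dn))
    wanted = _normalize(split_dn(container))
    if len(parent) < len(wanted):
        return False
    if allow_subtree:
        return parent[-len(wanted):] == wanted
    return parent == wanted


if __name__ == "__main__":
    for dn in (
        SAMPLE_DN,
        "cn=Smith\\, John,ou=rst,ou=kaj24,ou=mma,ou=syd,ou=scc",
        "CN=other,OU=HR,OU=SYD,OU=SCC",
    ):
        print(f"{dn!s:60} -> {is_in_container(dn, REQUIRED_CONTAINER)}")
```

The check only decides on the container; it does not replace the authentication winbind performs, and it still needs the account's DN from a directory lookup, which winbind itself does not expose for this purpose.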