I'm trying to find information on using LDAP to authenticate at a client site.

I have found docs:
... for using LDAP for login (w/ PAM and NSS)
... for authenticating SAMBA (w/ ldapsam stuff)
... for use with postfix and courier

However, these all use different schema and different trees of the LDAP hierarchy.

It seems to me that lots of people would have unified all these methods so that users have a single id and password for all and that changing the password for one will change them for all.

I realize that SAMBA's passwords are a bit different, so if we had to write an app that would change the "standard password" and the "samba password(s)" we could probably live with that.

If anyone knows of docs or howtos on the net that address this issue, please let me know.

Thanks!
-- 
-M
There are 10 kinds of people in this world:
Those who can count in binary and those who cannot.
Hi Michael,

Yes, LDAP implementation is very piecemeal and specific, but that is because many different systems have different information to store. I've done several LDAP implementations.

What Directory Service are you using? OpenLDAP, or something like Novell eDirectory or Active Directory?

This address is a good starting point for all things LDAP: http://www.kingsmountain.com/ldapRoadmap.shtml

For PostFix, you can do it using PAM: http://sapiens.wustl.edu/~sysmain/info/postfix/postfix_configure.html

In terms of SAMBA, if you are using Active Directory as your LDAP server, you can use winbind to authenticate using Kerberos. Otherwise, users and computers have to use a separate ldap class. Microsoft doesn't follow LDAP RFC standards in this regard, unfortunately (embrace and extend, baby). There are samba tools out there already that will do the password synching for you (look for smbldap-tools).

Most of my implementations use eDirectory, which uses the Universal Password feature (it has like 16 different login methods, from MD5 to X.509 certificates, but they all use a common password store. Very cool). That costs $$$ tho, not as much as you may think however.

______________________________
Justin Grote
Network Architect, CCNA
JWG Networks
Email: nospam-justin@grote.name (remove nospam-)
SMS: nospam-rastan@vtext.com (remove nospam-)
Phone: (208) 631-5440

------------------------------ Original Message Follows ------------------------------
MG> I'm trying to find information on using LDAP to authenticate at a client site.
MG> I have found docs:
MG> ... for using LDAP for login (w/ PAM and NSS)
MG> ... for authenticating SAMBA (w/ ldapsam stuff)
MG> ... for use with postfix and courier
MG> However, these all use different schema and different trees of the LDAP
MG> hierarchy.
MG> It seems to me that lots of people would have unified all these methods so
MG> that users have a single id and password for all and that changing the
MG> password for one will change them for all.
MG> I realize that SAMBAs passwords are a bit different, so if we had to write an
MG> app that would change the "standard password" and the "samba password(s)" we
MG> could probably live with that.
MG> If anyone knows of docs or howtos on the net that address this issue, please
MG> let me know.
MG> Thanks!
MG> --
MG> -M
MG> There are 10 kinds of people in this world:
MG> Those who can count in binary and those who cannot.
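Michael's question (one id and password that PAM/NSS, Samba and Postfix/Courier all consume, plus an app that rewrites the "standard password" and the "samba password(s)" together) and Justin's pointer to smbldap-tools come down to the same two pieces: a single directory entry that stacks the object classes every consumer reads, and a password change that rewrites every stored form of the secret in one LDAP modify. The Python below is an added example, not code from this thread or from smbldap-tools. It assumes an OpenLDAP tree under a constructed base DN of ou=People,dc=example,dc=com with the nis schema (posixAccount) and Samba's samba.schema (sambaSamAccount) loaded; the sambaSID argument is a hypothetical placeholder you would derive from your own domain SID. It emits LDIF for an admin-side tool to feed to ldapmodify, and it deliberately generates no sambaLMPassword, since the LM hash is the weak form and Samba clients work with the NT hash alone.

```python
import base64
import hashlib
import hmac
import os
import struct

# Constructed base DN for the examples; replace with your own suffix.
BASE_DN = "ou=People,dc=example,dc=com"
_M = 0xFFFFFFFF


def _md4(data: bytes) -> bytes:
    """RFC 1320 MD4, written out because hashlib's 'md4' is absent on many OpenSSL 3
    builds. Needed only because the NT hash is MD4 over the UTF-16LE password."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & _M
    f = lambda x, y, z: (x & y) | (~x & z)          # round 1 function
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)  # round 2 function
    h = lambda x, y, z: x ^ y ^ z                    # round 3 function
    # (function, additive constant, message-word order, shift amounts) per round
    rounds = (
        (f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    msg = bytearray(data) + b"\x80"                  # pad: 0x80, zeros, 64-bit LE bit length
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        w = struct.unpack("<16I", msg[off:off + 64])
        v = state[:]
        for fn, const, order, shifts in rounds:
            for i in range(16):
                r = (4 - i % 4) % 4              # register updated this step: a, d, c, b
                args = (v[(r + 1) % 4], v[(r + 2) % 4], v[(r + 3) % 4])
                v[r] = rotl((v[r] + fn(*args) + w[order[i]] + const) & _M, shifts[i % 4])
        state = [(s + t) & _M for s, t in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """sambaNTPassword value: uppercase hex of MD4 over the UTF-16LE password."""
    return _md4(password.encode("utf-16le")).hex().upper()


def ssha_hash(password: str, salt: bytes = None) -> str:
    """userPassword value in OpenLDAP's {SSHA} form: base64(SHA1(pw||salt)||salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, password: str) -> bool:
    """What slapd does on a simple bind: re-hash the candidate with the stored salt."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)


def unified_user_ldif(uid, cn, uid_number, gid_number, sid, password, salt=None) -> str:
    """One entry carrying every object class the consumers in the thread read:
    inetOrgPerson (mail for Postfix/Courier), posixAccount (PAM/NSS login) and
    sambaSamAccount (ldapsam). 'sid' is a hypothetical placeholder value."""
    return "\n".join([
        f"dn: uid={uid},{BASE_DN}",
        "objectClass: inetOrgPerson",
        "objectClass: posixAccount",
        "objectClass: sambaSamAccount",
        f"uid: {uid}",
        f"cn: {cn}",
        f"sn: {cn.split()[-1]}",
        f"uidNumber: {uid_number}",
        f"gidNumber: {gid_number}",
        f"homeDirectory: /home/{uid}",
        f"mail: {uid}@example.com",
        f"sambaSID: {sid}",
        f"userPassword: {ssha_hash(password, salt)}",
        f"sambaNTPassword: {nt_hash(password)}",
        "",
    ])


def password_change_ldif(dn: str, new_password: str, pwd_last_set: int, salt=None) -> str:
    """LDIF 'changetype: modify' that rewrites both password stores in a single
    operation, so the POSIX/mail side and the Samba side cannot drift apart."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: userPassword",
        f"userPassword: {ssha_hash(new_password, salt)}",
        "-",
        "replace: sambaNTPassword",
        f"sambaNTPassword: {nt_hash(new_password)}",
        "-",
        "replace: sambaPwdLastSet",
        f"sambaPwdLastSet: {pwd_last_set}",
        "-",
        "",
    ])
```

Because userPassword and sambaNTPassword are replaced inside one modify operation, either both change or neither does, which is the property that keeps the "single password" promise intact; the {SSHA} verifier is there so you can confirm the stored form round-trips before loading it into the directory. Keep both attributes behind slapd ACLs that grant read access only to the Samba bind DN and to the user's own simple bind, since the NT hash is password-equivalent on the SMB side.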
On Thu, Aug 12, 2004 at 11:17:08AM -0600, Justin Grote wrote:
> Yes, LDAP implementation is very piecemeal and specific, but that is because many different systems have different information to store. I've done several LDAP implementations.
>
> What Directory Service are you using? OpenLDAP, or something like Novell eDirectory or Active Directory?

We're using OpenLDAP.

> This address is a good starting point for all things LDAP: http://www.kingsmountain.com/ldapRoadmap.shtml
>
> For PostFix, you can do it using PAM: http://sapiens.wustl.edu/~sysmain/info/postfix/postfix_configure.html

This is on a BSD server, so PAM isn't an easy route to go. I've found an article from Linux Journal that outlines it, but it's PostFix 1.1.x. I have 2.x to work with, but hopefully they will be quite similar.

> In terms of SAMBA, if you are using Active Directory as your LDAP server, you can use winbind to authenticate using Kerberos. Otherwise, users and computers have to use a separate ldap class. Microsoft doesn't follow LDAP RFC standards in this regard, unfortunately (embrace and extend, baby). There are samba tools out there already that will do the password synching for you (look for smbldap-tools).

Hmm, that's interesting, I'll have to look into those tools. They might make things much easier.

Thanks for the response!
-- 
-M
There are 10 kinds of people in this world:
Those who can count in binary and those who cannot.
> This is on a BSD server, so PAM isn't an easy route to go.

Then why are you posting to a SuSE list? :) Just Kidding.

Without PAM your LDAP experience is going to be a lot more painful. PAM is a genius concept by those guys from Sun. Without PAM, every application you want to use LDAP with has to explicitly have LDAP support, and not only for lookups, but for authentication as well. Fortunately, Postfix does support SASL authentication through LDAP (fancy SMTP authentication), but an article about it escapes me. It's most likely in the postfix docs.

______________________________
Justin Grote
Network Architect, CCNA
JWG Networks
Email: nospam-justin@grote.name (remove nospam-)
SMS: nospam-rastan@vtext.com (remove nospam-)
Phone: (208) 631-5440

------------------------------ Original Message Follows ------------------------------
MG> On Thu, Aug 12, 2004 at 11:17:08AM -0600, Justin Grote wrote:
MG> > Yes, LDAP implementation is very piecemeal and specific, but that is because many different systems have different information to store. I've done several LDAP implementations.
MG> >
MG> > What Directory Service are you using? OpenLDAP, or something like Novell eDirectory or Active Directory?
MG> We're using OpenLDAP.
MG> > This address is a good starting point for all things LDAP: http://www.kingsmountain.com/ldapRoadmap.shtml
MG> >
MG> > For PostFix, you can do it using PAM: http://sapiens.wustl.edu/~sysmain/info/postfix/postfix_configure.html
MG> This is on a BSD server, so PAM isn't an easy route to go. I've found an
MG> article from Linux Journal that outlines it, but it's PostFix 1.1.x. I have
MG> 2.x to work with, but hopefully they will be quite similar.
MG> > In terms of SAMBA, if you are using Active Directory as your LDAP server, you can use winbind to authenticate using Kerberos. Otherwise, users and computers have to use a separate ldap class. Microsoft doesn't follow LDAP RFC standards in this regard, unfortunately (embrace and extend, baby). There are samba tools out there already that will do the password synching for you (look for smbldap-tools).
MG> Hmm, that's interesting, I'll have to look into those tools. They might make
MG> things much easier.
MG> Thanks for the response!
MG> --
MG> -M
MG> There are 10 kinds of people in this world:
MG> Those who can count in binary and those who cannot.
participants (2): Justin Grote, Michael George