Firewall Wizards mailing list archives

Re: My LDAP question (fwd)


From: Todd Underwood <todd () osogrande com>
Date: Tue, 17 Dec 2002 07:08:15 -0700 (MST)

ron, all,

On Mon, 16 Dec 2002, R. DuFresne wrote:

> I am trying to find out if it's possible to use LDAP to authenticate 
> multiple OS platforms without using W2k's Active Directory. I know that Mac 
> OS X and other *NIX flavors can authenticate through LDAP, what I need is for 
> W2k to authenticate through LDAP but without using the AD.
> Does anyone know if this is possible and if so what is the best way to go 
> about it?

we do this, but not in this way.  the best strategy that i'm currently 
aware of is not to try to make w2k authenticate straight off of LDAP (we 
couldn't get that to work and i'm not sure it's supposed to work) but 
rather to run samba as a domain controller and have w2k authenticate off 
of samba.

so it looks something like this:

--openldap configured with the samba schema somewhere on the network.

--samba 2.2 or greater running on an OS that supports nssldap and PAM:  
see http://www.unav.es/cti/ldap-smb-howto.html for lots more detail.

--w2k and xp running in mixed authentication mode

so clients attach to the domain run by samba, samba proxies the 
authentication to LDAP, but is able to get the LM hash right out of ldap 
so there's no problem of unencrypted passwords on the lan (we're actually 
doing this with messy magic and synchronization to /etc/samba/smbpasswd 
now, because of an older version of samba that didn't support this, but 
it is *much* better if you can get the LM hash straight out of LDAP).

i find samba to be the best glue to cobble together mixed windows and 
linux networks and still get all of them authenticating out of LDAP.

hope that's a useful direction.

-- 
todd underwood, sr. vp & cto
oso grande technologies, inc.
todd () osogrande com
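As an added illustration of the layout todd describes (not from his post or the howto he links; it assumes Samba 3's ldapsam backend and the sambaSamAccount schema rather than the 2.2-era sambaAccount names, and the host name and DNs are placeholders): the smb.conf fragment that makes samba read the stored hashes from OpenLDAP, paired with the slapd.conf ACL that keeps those password-equivalent hashes readable only by samba's admin dn.

```ini
# /etc/samba/smb.conf (placeholder host and DNs; Samba 3 ldapsam syntax)
[global]
    workgroup = EXAMPLE
    security = user
    encrypt passwords = yes
    domain logons = yes
    domain master = yes
    # samba fetches the stored LM/NT hashes from LDAP instead of smbpasswd
    passdb backend = ldapsam:ldap://ldap.example.internal
    ldap suffix = dc=example,dc=internal
    ldap user suffix = ou=Users
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap admin dn = cn=sambaadmin,dc=example,dc=internal
    # the admin dn's bind password is stored once with: smbpasswd -w <secret>
    ldap ssl = start tls

# /etc/openldap/slapd.conf: the LM/NT hashes are password-equivalent, so
# only samba's admin dn may read them; every other bind gets nothing back.
access to attrs=sambaLMPassword,sambaNTPassword
    by dn.exact="cn=sambaadmin,dc=example,dc=internal" write
    by * none

# the unix password (used by nss_ldap/PAM on the *nix side) stays
# self-writable and usable for binds, but is never disclosed.
access to attrs=userPassword
    by dn.exact="cn=sambaadmin,dc=example,dc=internal" write
    by self write
    by anonymous auth
    by * none

access to *
    by dn.exact="cn=sambaadmin,dc=example,dc=internal" write
    by * read
```

Without the first ACL, any client that can bind to the directory can read the LM hash, which is enough to authenticate as that user over NTLM.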

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

