Pretty please? Need LDAP/Windows integration help

Ansar Mohammed ansarm-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Wed Jun 4 18:19:37 UTC 2008


Your limitation here is that Exchange cannot use anything other than AD.

So there are several ways to skin the proverbial cat. They are placed in order of increased complexity (very subjective).

1. Web Password Set: Put up a simple web page that runs on the UNIX system that can allow the end user to change their password on UNIX as well as Windows (LDAP).
This is the simplest solution. Sample code to change a password on Windows via LDAP is here:
http://support.microsoft.com/kb/269190/en-us
You will need to maintain separate accounts on Windows and UNIX.

2. SFU Password Synch: SFU 3.5 has a built-in feature that allows you to synch Windows passwords with password files. It's not too difficult to set up (http://technet.microsoft.com/en-us/library/bb463208.aspx) but you will need to maintain separate accounts on Windows and UNIX.


3. NIS: Turn Active Directory into an NIS server using SFU 3.5 (it's free). This will allow you to configure the UNIX machines for NIS authentication directly onto Windows. You can now create user accounts on Windows and set the user's home directory, shell, group, etc. (no pun) in AD.
http://technet.microsoft.com/en-us/interopmigration/bb380242.aspx. You will have to be tolerant of NIS's security flaws to implement this. (I demoed this at the TLUG meeting at IBM.)

4. LDAP for Authz/Authn: Install nss_ldap (or pam_ldap) on Linux and configure it to authenticate to Active Directory. You will need the admin tools from SFU to set the RFC 2307 attributes via the Active Directory UI. This is considerably more secure than the previous option but a bit more complex, as you will need to have the nss_ldap and pam_ldap libraries installed on Linux. Note that here you are using LDAP as an authentication protocol, so many security guys don't like this.

5. Use Kerberos for authn, LDAP for authz: The most complex but very secure, and very cool solution, but a PITA to get to work. http://blog.scottlowe.org/2007/01/15/linux-ad-integration-version-4/


6. The Metadirectory Way: Use a product like ILM (http://www.microsoft.com/windowsserver2003/technologies/idm/ilm.mspx) or DirXML (http://www.novell.com/products/identitymanager/). It will work, but this is like using a bulldozer to make a sand castle in your situation.



HTH



> -----Original Message-----
> From: owner-tlug-lxSQFCZeNF4 at public.gmane.org [mailto:owner-tlug-lxSQFCZeNF4 at public.gmane.org] On Behalf Of Evan
> Leibovitch
> Sent: June 2, 2008 9:56 PM
> To: tlug-lxSQFCZeNF4 at public.gmane.org
> Subject: [TLUG]: Pretty please? Need LDAP/Windows integration help
> 
> Hi all.
> 
> I'm in a tizzy trying to figure out how to solve this problem.
> 
> A user has two mail servers now:
> 
> 1) the Linux one that they've loved for years (postfix / courierIMAP /
> spamassassin / maia / squirrel / postgrey) that has been running the
> whole place reliably for years;
> 
> 2) The WindowsServer2003 box that they've had to install to service
> the push-mail functions of their Blackberry-toting staff
> (Exchange / BEX) -- it's a long story, but they had no choice.
> 
> The Linux box will still receive all incoming mail, but stuff destined
> for the handful of blackberry users will be forwarded to the BEX box.
> That part is easy. The hard part (to me) is figuring out how to do a
> single sign-on to both servers.
> 
> Do we maintain the accounts on the Windows box and have the Linux system
> authenticate to that? Or is there a way for the Windows system to
> authenticate against OpenLDAP on the Linux box? We've been looking at
> all sorts of solutions, involving everything from Samba to Microsoft's
> Unix Tools for Windows.
> 
> On the web there are plenty of docs on how to integrate LDAP with
> Postfix and Courier, and one on how to authenticate Windows boxen to
> Samba, but nothing that puts it all together.
> 
> Any pointers or hints would really really be appreciated. This is
> driving me nuts. Just getting immersed into LDAP has been enough of a
> headache, let alone all this other stuff.
> 
> - Evan
> --
> The Toronto Linux Users Group.      Meetings: http://gtalug.org/
> TLUG requests: Linux topics, No HTML, wrap text below 80 columns
> How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists

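The nss_ldap/pam_ldap option above comes with the caveat that LDAP is being used as the authentication protocol: pam_ldap checks a password by simple-binding to the directory as that user, so the transport and the lookup credentials deserve a look before the box goes live. The following is an added example, not code from the thread, from nss_ldap or from SFU: it parses an nss_ldap/pam_ldap style /etc/ldap.conf and reports the usual pitfalls, with a constructed weak configuration beside a constructed hardened one. The directive names (uri, ssl, tls_checkpeer, tls_cacertfile, binddn, bindpw, rootbinddn, pam_password, nss_base_passwd) are the ones nss_ldap/pam_ldap read from ldap.conf; the host names, DNs and file paths are placeholders.

```python
"""Audit an nss_ldap/pam_ldap style ldap.conf for cleartext binds,
unverified TLS and world-readable bind credentials.

Added example; the two configs below are constructed samples and the
host names, DNs and certificate path are placeholders.
"""

WEAK_CONF = """\
# constructed sample: a typical first attempt at AD integration
base dc=example,dc=test
uri ldap://dc1.example.test/
binddn cn=ldapreader,cn=Users,dc=example,dc=test
bindpw secret-in-a-world-readable-file
ssl no
tls_checkpeer no
pam_password ad
nss_base_passwd cn=Users,dc=example,dc=test?sub
"""

HARDENED_CONF = """\
# constructed sample: same directory, transport and credentials fixed
base dc=example,dc=test
uri ldap://dc1.example.test/ ldap://dc2.example.test/
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/example-ad-ca.pem
rootbinddn cn=ldapreader,cn=Users,dc=example,dc=test
pam_password ad
nss_base_passwd cn=Users,dc=example,dc=test?sub
"""


def parse_ldap_conf(text):
    """Return {directive: value} for the last occurrence of each directive.

    ldap.conf is one 'directive value...' per line, '#' starts a comment,
    and directive names are case-insensitive.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key.lower()] = value.strip()
    return conf


def audit_ldap_conf(text):
    """Return a list of findings; an empty list means the config passed."""
    conf = parse_ldap_conf(text)
    findings = []
    uris = conf.get("uri", "").split()
    ssl = conf.get("ssl", "no").lower()
    all_ldaps = bool(uris) and all(u.lower().startswith("ldaps://") for u in uris)
    # Traffic is protected only with StartTLS ('ssl start_tls'), LDAPS
    # ('ssl on') or when every URI is ldaps://.
    encrypted = ssl in ("start_tls", "on") or all_ldaps

    # pam_ldap authenticates by simple-binding as the user, so without
    # encryption every login sends the password across the wire in clear.
    if not encrypted:
        findings.append("cleartext simple bind: ldap:// URI without 'ssl start_tls'")

    # TLS without peer verification still accepts an impersonating server.
    checkpeer = conf.get("tls_checkpeer", "").lower()
    if encrypted and checkpeer != "yes":
        findings.append("tls_checkpeer is not 'yes': server certificate is not verified")
    if checkpeer == "yes" and not ("tls_cacertfile" in conf or "tls_cacertdir" in conf):
        findings.append("tls_checkpeer yes but no tls_cacertfile/tls_cacertdir: no trust anchor")

    # /etc/ldap.conf must be world-readable for NSS lookups to work, so a
    # bindpw in it is readable by every local user; rootbinddn keeps the
    # secret in root-only /etc/ldap.secret instead.
    if "bindpw" in conf:
        findings.append("bindpw in ldap.conf: use rootbinddn with /etc/ldap.secret instead")

    # AD only accepts password changes over an encrypted connection.
    if conf.get("pam_password", "").lower() == "ad" and not encrypted:
        findings.append("pam_password ad needs an encrypted connection to the DC")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit_ldap_conf(conf) or ['ok']}")
```

Run against the weak sample it reports the cleartext bind, the bindpw in a world-readable file and the password-change directive that AD will refuse over cleartext; the hardened sample passes. Feeding it the real /etc/ldap.conf of a box configured per option 4 is the check worth doing before users start typing AD passwords into it.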