Welcome to the Linux Foundation Forum!

how to authenticate domain users to openldap

oldman
oldman Posts: 2
in Network Management

I think this question has been asked by many people but I still can't seem to find the answer for it. I would like to have my Windows Active Directory users, either logon to the domain using desktop or Termainal server, to authenticate to an Openldap server so that they can access resource on the linux machines. I tried Microsoft's Service for Unix but it only support NIS or password file synchronization.

Thanks

Comments

  • mfillpot
    mfillpot Posts: 2,177
    Are you using LDAP or active directory for user control and what OS are the users using to access the resources?
  • oldman
    oldman Posts: 2
    We have two directory services, Active Directory and Openldap. Active Directory is responsible for Windows resources and Openldap is responsible for Linux resource. My intention is to allow Windows users, which logon to the Windows domain through their Windows desktops or Terminal server, to be able to access the resources on the linux servers.

    Thanks
  • mfillpot
    mfillpot Posts: 2,177
    It sounds like the approach is off, you will want to synchronize your openldap database with the active directory database. I have not tried this yet, but I did find information about the LSC project (http://lsc-project.org/wiki/about/start) which sounds promising for your needs.
  • gomer
    gomer Posts: 158
    Or, you can always do away with the OpenLDAP server altogether. Why run 2 different LDAP directories, and try to synchronize them? PAM already support authenticating against LDAP and again Kerberos. AD is essentially both of those things. If you are not comfortable configuring PAM and Samba to work with AD, there is a company that provides software for that (there is an OSS edition) called Likewise. I've used that in the past with great success. It will allow AD users to log into Linux machines, and will even create their Home Dirs, etc. This will eliminate the need to keep 2 directories, and the concerns that arrise from trying to keep things synchronized.

    just my $0.02
  • mfillpot
    mfillpot Posts: 2,177
    Great input adam, I will have to try likewise to see how it works.
  • uminds
    uminds Posts: 1
    It's not my decision of having 2 directories, it is just that we have two group of users, liunx and windows and they need their directory server and they are managed by different groups of admin. The idea is that we are looking for SSO solution (at least from the Windows perspective). I looked at likewise as well but that is using AD as the directory source which doesn't work in our situation.
  • gomer
    gomer Posts: 158
    Having 2 Directories is in fact contradictory to SSO. You either have SSO and everyone's accounts live ina single location, or you have multiple user repositories, and take on the administrative nightmare.

    For example, where I work, we use AD for user authentication. The AD stuff is accessible via MANY protocols, I have Kerberose, LDAP, Cisco TACACS+, RADIUS, PEAP, EAP-TLS, etc, but they all back end on the same database of users in Active directory. That's SSO.

    The only other thing you can do, that I can think of, is that if the resources in question are accessible via the WEB, you can try to implement Security Assertion Markup Language (SAML), but that scares the heck out of me. You could also, with some hacking try to make that work with PAM. To best of my knowledge there is no current SAML plugin for PAM, but I had been toying with the idea of writing one (as much as SAML scares me).
  • Unknown
    Unknown

    Configuration

    First enable the LDAP user and group backend app on the Apps page in ownCloud. Then go to your Admin page to configure it.

    The LDAP configuration panel has four tabs. A correctly completed first tab (“Server”) is mandatory to access the other tabs. A green indicator lights when the configuration is correct. Hover your cursor over the fields to see some pop-up tooltips.

    Server Tab

    Start with the Server tab. You may configure multiple servers if you have them. At a minimum you must supply the LDAP server’s hostname. If your server requires authentication, enter your credentials on this tab. ownCloud will then attempt to auto-detect the server’s port and base DN. The base Dynamic DNS and port are mandatory, so if ownCloud cannot detect them you must enter them manually.

Categories

Upcoming Training