
Authenticating Against Ldap On Windows, Linux And Mac



Hi there!

I'm working for a faculty at my university. Students of that faculty used to have their own logins at that faculty's network, rather than using the general logins that all students get when they start their studies here. In order to decrease workload and to get rid of redundancy, my boss now wants to do just that.

He gave me the task of finding out how to read info from a Novell eDirectory Server that supports LDAP queries and use that info to log the user in locally and assign him his home directory that is located on a server in the university's data center.

The server in the data center is running Suse Linux Enterprise Server and Novell Open Enterprise Server, which includes eDirectory, iManager (HTML management console for eDirectory) and an LDAP server.

I have set up a test environment with the above mentioned software on an ESX Server.

Can someone give me some useful sources of information on this issue? Google didn't return very useful stuff. I'm apologizing that my post is written in a very general fashion rather than asking specific questions, but I have to get into that stuff a little bit first for specific questions to arise.

Maybe there are some experienced sys admins here, that could give me good advice.

Your help is greatly appreciated! Thank you in advance!

P.S. Sorry for my English, it's not my native language.


On non-Windows systems, authentication through LDAP is quite simple: install the LDAP libraries, then reconfigure the PAM configuration. http://ldots.org/ldap/

Amazingly, on Windows LDAP authentication is also easy. Install and configure pGina. Though it does replace a chunk of the Windows authentication with its own stuff, so depending on what method of authentication is currently used it may break that. Basically the way pGina works is: when valid LDAP credentials are provided, it creates a new local account for that user with the password that user provided, then uses normal Windows local authentication to log in.
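As an added illustration (not part of the reply above), this is what the pam_ldap/nss_ldap side of that setup looks like on a Linux client. Host name, CA file and the ou names are placeholders for the faculty's own directory, and the config file paths depend on the distribution:

```text
# /etc/ldap.conf (PADL pam_ldap / nss_ldap; file name varies by distribution)
# Values in angle brackets are placeholders, not real names.
uri ldaps://<ldap-host.example.edu>/
ldap_version 3
base o=<university>
# Where nss_ldap looks for posixAccount / posixGroup entries
nss_base_passwd ou=user,o=<university>?one
nss_base_group  ou=group,o=<university>?one
pam_login_attribute uid
# Verify the server certificate. With a plain ldap:// URI and no TLS, the
# user's password travels in clear text in the bind request.
ssl on
tls_cacertfile /etc/ssl/certs/<university-ca>.pem
tls_checkpeer yes

# /etc/nsswitch.conf -- local files first, then the directory
passwd: files ldap
group:  files ldap
shadow: files ldap

# /etc/pam.d/common-auth (or the distribution's equivalent stack)
auth    sufficient  pam_ldap.so
auth    required    pam_unix.so try_first_pass
account sufficient  pam_ldap.so
account required    pam_unix.so
# Creates the home directory on first login if it does not exist yet
session required    pam_mkhomedir.so skel=/etc/skel umask=0077
```

Keeping `files` before `ldap` in nsswitch.conf means local root and service accounts still resolve when the directory is unreachable, and `try_first_pass` lets pam_unix reuse the password pam_ldap already asked for instead of prompting twice.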


  • 3 weeks later...

Okay, I ran into some problems. It seems like the data center's LDAP Server is not set up in a way for authentication to be possible. For that reason, my boss and I want to have a talk with those guys in the data center.

What should I ask them and what should I tell them about the setup of the LDAP server? Currently, when I access o=[name of university], ou=user on the directory, only a little information about the users is visible, such as login name and email address, but no password hashes. I guess those are needed for authentication. Is it possible at all to view such sensitive information when reading the directory anonymously?

At least for the OSes which use pam_ldap, you shouldn't need read access to the userPassword attribute to authenticate, as the authentication is done through the LDAP bind operation, where validating the DN/password combination is done at the LDAP server and not the client.

Regardless, I'd suggest talking to the guys that manage the LDAP directory about what you want to do. You're probably also going to want user account information (the equivalent of what you'll find in /etc/{passwd,shadow,group}). We've used the posixAccount, posixGroup and shadowAccount object classes for this (and hopefully this is available, or at least something similar), which you're going to need read access to in some way (anonymous, or through some administrative/machine account).

As for things regarding linux (and most likely other unixes) and ldap to look up on google and manpages: pam, pam_ldap, nss and nss_ldap.
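Added example, not from this thread: the bind-based check described above, done the way pam_ldap does it, in Python. The client never reads userPassword; it finds the user's DN with a search (anonymous or via a service account) and then asks the server to validate the DN/password pair with a simple bind. Two things the client has to get right on its own are shown: escaping the login name before it goes into a search filter (RFC 4515), and refusing an empty password, because a simple bind with a DN and an empty password is an "unauthenticated" bind (RFC 4513 section 5.1.2) that some servers report as success. The network part uses the third-party ldap3 package; host, base DN and service account are placeholders, and nothing here was tested against eDirectory specifically.

```python
"""Bind-based LDAP authentication, pam_ldap style (added example, not thread code)."""

# RFC 4515 section 3: characters that must be escaped inside a filter value
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\0": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it cannot alter the filter structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_uid_filter(uid: str) -> str:
    """Filter that finds the posixAccount entry for one login name."""
    return "(&(objectClass=posixAccount)(uid=%s))" % escape_filter_value(uid)


def credentials_are_well_formed(uid: str, password: str) -> bool:
    """Reject input that would turn the bind into something other than a
    password check: an empty password makes the simple bind *unauthenticated*
    (RFC 4513 5.1.2), which several servers accept and report as success."""
    if not uid or not password:
        return False
    if "\0" in uid or "\0" in password:
        return False
    return True


def authenticate(host, base_dn, uid, password,
                 service_dn=None, service_password=None, use_ssl=True):
    """Return True only if the directory accepts a bind as the user's DN.

    host, base_dn, service_dn and service_password are deployment values;
    with service_dn=None the lookup search is done anonymously, which matches
    the anonymous read described in the thread.
    """
    if not credentials_are_well_formed(uid, password):
        return False

    # Third-party package (pip install ldap3); imported here so the pure
    # helpers above stay usable without it.
    from ldap3 import Connection, Server
    from ldap3.core.exceptions import LDAPBindError

    server = Server(host, use_ssl=use_ssl)

    # Step 1: resolve login name -> DN with the lookup identity (no password read)
    lookup = Connection(server, user=service_dn, password=service_password,
                        auto_bind=True)
    try:
        lookup.search(base_dn, build_uid_filter(uid), attributes=["uid"])
        if len(lookup.entries) != 1:   # unknown or ambiguous login name
            return False
        user_dn = lookup.entries[0].entry_dn
    finally:
        lookup.unbind()

    # Step 2: let the server validate the DN/password pair via simple bind
    try:
        user_conn = Connection(server, user=user_dn, password=password,
                               auto_bind=True)
    except LDAPBindError:
        return False
    user_conn.unbind()
    return True


if __name__ == "__main__":
    # Placeholder values; replace with the faculty's directory before running.
    ok = authenticate("ldap.example.edu", "ou=user,o=EXAMPLE-UNIVERSITY",
                      "jdoe", "the-users-password")
    print("login accepted" if ok else "login rejected")
```

Note that the lookup search is what needs read access to the posixAccount attributes (anonymous or via a service account); the bind in step 2 needs no read rights at all, which is why the missing password hashes in the anonymous view are not an obstacle.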
