[wellylug] LDAP info
Cliff Pratt
enkidu at cliffp.com
Tue Sep 18 17:52:10 NZST 2007
Ah, I wondered if they had all gone racing down the wrong track (at
least partially) when they mentioned Samba. Samba is not after all an
*authentication* tool, but it does provide some authentication (usually
to authenticate Winders users to Unix resources).
I'd say that unless you have a lot of time, your best approach would be
to use PAM to control access to Unix servers via LDAP servers, and
consolidate all Unix authentication on those. Then expand from there.
I'm sure you could use Windows AD's LDAP facilities to do this (with the
AD acting simply as an LDAP datastore for Unix), but I've never done it
so I don't know how hard it would be.
AD + Exchange does give a 'single signon' for mail, shares and so on,
but it sounds OTT for your setup which seems from your description to be
fairly small.
I'd go for controlling and centralising the Unix signons via PAM/LDAP,
and then see what you can do to pull the rest in. Your mail clients
should be able to use LDAP. I'm not sure why you are using signon for
squid - any reason for that? Unless you want to control what they do and
see on the Internet there's probably no reason for it.
It's probably a dream to have a single signon for *everything*. Not
everything supports LDAP authentication.
Cheers,
Cliff
nic wrote:
> There's a bunch of users with Windows desktops, a Windows 2003
> server, a Linux box with postfix and squid, people currently have
> separate passwords for logging on to Windows, in to mail, and on to
> squid. In addition some people have passwords for specialised network
> devices, and/or browser-based apps on some apache servers (typically
> written in PHP or Python, with source available), PPTP access and
> probably a million other things I've forgotten.
>
> LDAP is the thing that comes to mind when I think about ways of
> trying to manage this complexity and move towards a single sign on,
> (preferably using PKI rather than passwords, but that's another step).
> Trouble is, I don't really even know the questions to ask to get me
> on the way, hence the ill-defined nature of the original post.
>
> Does LDAP sound like the right type of tool to use in this case? Is
> it better to use the Windows AD LDAP, or a separate server? Am I
> being naive in thinking it would be possible to get down to a single
> authentication system and a single password/key for the majority of
> users? Has anyone out there done this sort of thing and are they
> willing to sell/give some advice?
>
> Nic
>
> Cliff Pratt wrote:
>> nic wrote:
>>> Hi people
>>>
>>> What's a good book (or other info) on how to implement LDAP for
>>> enterprise authentication? I'm particularly interested in how to
>>> tie it in with Windows
>>>
>> Windows Active Directory contains an LDAP server. Do you want to
>> use that for authentication? Or do you want to authenticate Windows
>> users using LDAP in a workgroup situation?
>>
>> Cheers,
>>
>> Cliff
>>
>>
>
>
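Added example, not part of the list post and not Cliff's or nic's own configuration: the PAM/LDAP consolidation recommended above, with the Windows 2003 AD used purely as the LDAP datastore, expressed in the PADL pam_ldap/nss_ldap client files of that era. The hostname, base DN, OU names, service-account name, certificate path and the Windows 2003 R2 (RFC 2307) attribute names are all assumptions; adjust them to the real directory. The file layout follows Debian's /etc/pam.d/common-* convention.

```conf
# /etc/ldap.conf  (PADL pam_ldap + nss_ldap client settings; every
# name below is an assumption for illustration)

# Talk to the domain controller over LDAPS only: a plain ldap:// bind
# would send each user's password across the LAN in clear text.
uri ldaps://dc1.example.internal/
base dc=example,dc=internal
ldap_version 3

# Read-only service account used solely for account lookups, never a
# domain admin. Because bindpw lives here, keep this file root:root 0600
# (or split the secret into /etc/ldap.secret as nss_ldap allows).
binddn cn=unix-lookup,ou=Service Accounts,dc=example,dc=internal
bindpw CHANGE-ME

# Verify the DC's certificate against the internal CA; without this any
# host on the path could impersonate the directory and harvest passwords.
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/example-ad-ca.pem

# Authentication is a bind as the user (pam_ldap's default), so AD does
# the password check. Locate the entry by the Windows logon name and
# ignore computer and group objects.
pam_login_attribute sAMAccountName
pam_filter objectclass=user
# Lets "passwd" change the AD password via unicodePwd (needs LDAPS).
pam_password ad

# Restrict lookups to the staff OU and map AD's schema onto what
# nss_ldap expects for posixAccount entries.
nss_base_passwd ou=Staff,dc=example,dc=internal?sub
nss_base_group  ou=Staff,dc=example,dc=internal?sub
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute gecos displayName
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member

# /etc/nsswitch.conf (relevant lines)
# Local files first, so root and rescue accounts resolve even when the
# directory is down.
passwd: files ldap
group:  files ldap
shadow: files ldap

# /etc/pam.d/common-auth
# Local shadow entry first, then LDAP with the same password so the user
# is prompted once; everything else is denied explicitly.
auth    sufficient  pam_unix.so
auth    sufficient  pam_ldap.so use_first_pass
auth    required    pam_deny.so

# /etc/pam.d/common-account
# The account phase lets AD's "account disabled" / expiry flags apply.
account sufficient  pam_unix.so
account sufficient  pam_ldap.so
account required    pam_deny.so

# /etc/pam.d/common-session
# Create a private home directory on first login for directory users.
session required    pam_unix.so
session optional    pam_ldap.so
session required    pam_mkhomedir.so skel=/etc/skel umask=0077
```

The ordering matters for availability as well as security: because files are consulted before ldap and pam_unix comes before pam_ldap, an unreachable domain controller degrades to local-only logins rather than locking everyone out, which is the first thing to test before pointing sshd and login at this stack.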