[sllug-members]: LDAP and Windows

Lamont R. Peterson lamont at gurulabs.com
Thu Sep 7 09:45:12 MDT 2006


On Thursday 07 September 2006 07:24am, goozbach at brooks.netradius.com wrote:
> On Tue, Sep 05, 2006 at 11:38:45AM -0600, Lamont R. Peterson wrote:
> > On Monday 04 September 2006 09:28pm, Adam Barrett wrote:
> > > I just started looking into maintaining my users globally on my
> > > network, and I was wondering, LDAP looks to be the best way to handle
> > > users and logins for the whole network, will it also support my
> > > Windows logins? Pros and cons?
> >
> > Install pGina [ http://www.pgina.org/ ] on your Windows boxes.  It's a
> > GPL (IIRC) open source replacement gina for Windows (works with
> > everything from Win95 - XP & Server 2003).  The "gina" is the equivalent
> > of a display manager's greeter for UNIX.  The gina does the
> > authentication.  pGina uses the exact same LDAP configuration that you
> > use for UNIX/Linux/BSD systems for authentication.  You don't have to
> > change anything in your LDAP setup.
> >
> > We used pGina around here for a long time and it worked great (we do have
> > to keep a couple of Windows boxes around for testing purposes and so
> > forth). For nearly 2 years now, though, we've been Kerberized, so we
> > don't use pGina much, anymore.
>
> I ditto pGina, however there is another alternative if you're feeling
> ambitious. LDAP integrated with Kerberos. It's quite a bit harder
> initially; however, with the Kerberos server, you don't have to modify the
> Windows clients.

That would be a better way to go in the long run, especially for the 
convenience of single-sign-on.

However, it does require two microscopic modifications to your Windows clients 
(at least, it did for us here at Guru Labs).  As I understand it, you have to 
update one DLL (IIRC) file and make one tiny alteration to a single Registry 
key.  But that's it.

Oh, and if you want your Windows boxes to use Kerberos authentication with 
Samba servers (instead of using SMB, which is very "not safe"), make sure all 
your Samba servers are running version 3.0.20 or later.  As it's been a while 
since that came out (more than a year), I'm sure most currently maintained 
distributions are at 3.0.20 or later.
-- 
Lamont R. Peterson <lamont at gurulabs.com>
Senior Instructor
Guru Labs, L.C. [ http://www.GuruLabs.com/ ]

NOTE:  All messages from this email address should be digitally signed with my
       0xDC0DD409 GPG key. It is available on the pgp.mit.edu keyserver as
       well as other keyservers that sync with MIT's.