Solved

Authenticate Window 2008r2 agianst Unix Domain LDAP

Posted on 2014-11-24
5
274 Views
Last Modified: 2015-01-26
My organization has a Unix Domain which runs an LDAP for authentication.  We also have a couple of tools that run on Windows platforms only.  Currently one of those tools is going through an update and the customer is looking to fully integrate this box into the network to include authentication.  Any suggestions would be welcome as to how to do this.

Tech details.

Windows Server 2008r2 Standard server.  Not running AD - the customer does not want AD at this time.  Most of the backbone network is run on Solaris machines serving data to Mac clients.  Users authenticate through the LDAP which includes all attributes of their positions and responsibilities.  I.E. the admins have an Admin flag on their accounts.  Limited use  of groups etc.
0
Comment
Question by:Campbelldw
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 4

Expert Comment

by:popesy
ID: 40463967
Hi

It's been a little while since I did LDAP stuff, but here goes;

I think Windows uses the LDAP protocol in AD anyway (just windows-ized); have you tried joining the domain as you would for joining a windows server to a windows domain (r-click computer > properties > etc..)?

Sounds like you may want to check out the SAMBA suite too (https://wiki.samba.org/), this helps Unix understand windowsy stuff.  I've done the opposite way around (UNIX to AD) and SAMBA works great for that.  Again, I am not sure if you need it, but there is a Unix service for windows that I used for Unix to AD.

Feed back and we'll try to nail it!

Cheers, JP.
0
 

Author Comment

by:Campbelldw
ID: 40465048
Alright, so joining the Unix/Linux domain is pretty straight forward.  What about authenticating accounts?  Can the user authenticate directly from the LDAP, same as in an Active Directory Domain, or does there have to be an individual account on the Windows machine which then reaches back to the LDAP?
0
 
LVL 4

Expert Comment

by:popesy
ID: 40466538
Hi

My understanding is that you would need that user defined in LDAP only.

In the past, doing this the opposite way around, it has always been the case that the account will be in the LDAP. Provided you can tell the Windows box to use the LDAP as the auth mechanism you should be good.   In a Unix you can define both local and remote authentication methods i.e. check local 1st, remote (LDAP/AD) 2nd) , however if you have accounts with the same name that is a problem!

I'm thinking there's probably some registry key setting to define what authentication mechanism gets used...hmm

Cheers, JP.
0
 
LVL 6

Accepted Solution

by:
Rob G earned 500 total points
ID: 40467558
I have tried this..
It doesn't work..
In 2k3 or prior it works without an issue..
In 2k8 you can modify the registry and use parts from the 2k3 OS to get it to work.
In 2k8R2 it simply does not work.. (Samba is not supported) (CIFS is)

You have really two, possibly three options, they all suck,  
1. You install a single sign on application that can talk to both AD and Pure LDAP.
Computer associates makes one, which is part of the Etrust software (works with Sun Directory)
2. You can setup a secondary Domain Controller (AD) and use that to replicate the data from the LDAP server to the AD side and use that to log into the windows servers.
3. You can see if you can get Kerberos to work, as long as the Unix side supports kerberos version 5.x or better, it should work.. (Microsoft indicates this still requires an AD server with trusts)
0
 

Author Closing Comment

by:Campbelldw
ID: 40571091
While not an ideal solution, it is about what was expected.  I have been trying to find another solution but have been unable to.  I appreciate your contributions.

Respectfully,

Dan
0

Featured Post

DevOps Toolchain Recommendations

Read this Gartner Research Note and discover how your IT organization can automate and optimize DevOps processes using a toolchain architecture.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I promised to write further about my project, and here I am.  First, I needed to setup the Primary Server.  You can read how in this article: Setup FreeBSD Server with full HDD encryption (http://www.experts-exchange.com/OS/Unix/BSD/FreeBSD/A_3660-S…
This is a little timesaver I have been using for setting up Microsoft Small Business Server (SBS) in the simplest possible way. It may not be appropriate for every customer. However, when you get a situation where the person who owns the server is i…
In a previous video, we went over how to export a DynamoDB table into Amazon S3.  In this video, we show how to load the export from S3 into a DynamoDB table.
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question