Solved

Authenticate Windows 2008r2 against Unix Domain LDAP

Posted on 2014-11-24
5
276 Views
Last Modified: 2015-01-26
My organization has a Unix domain which runs an LDAP for authentication. We also have a couple of tools that run on Windows platforms only. Currently one of those tools is going through an update and the customer is looking to fully integrate this box into the network, including authentication. Any suggestions would be welcome as to how to do this.

Tech details.

Windows Server 2008r2 Standard server. Not running AD - the customer does not want AD at this time. Most of the backbone network is run on Solaris machines serving data to Mac clients. Users authenticate through the LDAP, which includes all attributes of their positions and responsibilities, i.e. the admins have an Admin flag on their accounts. Limited use of groups etc.
0
Question by:Campbelldw
5 Comments
 
LVL 4

Expert Comment

by:popesy
ID: 40463967
Hi

It's been a little while since I did LDAP stuff, but here goes:

I think Windows uses the LDAP protocol in AD anyway (just Windows-ized); have you tried joining the domain as you would for joining a Windows server to a Windows domain (r-click Computer > Properties > etc.)?

Sounds like you may want to check out the SAMBA suite too (https://wiki.samba.org/); this helps Unix understand Windowsy stuff. I've done the opposite way around (UNIX to AD) and SAMBA works great for that. Again, I am not sure if you need it, but there is a Unix service for Windows that I used for Unix to AD.

Feed back and we'll try to nail it!

Cheers, JP.
0
 

Author Comment

by:Campbelldw
ID: 40465048
Alright, so joining the Unix/Linux domain is pretty straightforward. What about authenticating accounts? Can the user authenticate directly from the LDAP, same as in an Active Directory domain, or does there have to be an individual account on the Windows machine which then reaches back to the LDAP?
0
 
LVL 4

Expert Comment

by:popesy
ID: 40466538
Hi

My understanding is that you would need that user defined in LDAP only.

In the past, doing this the opposite way around, it has always been the case that the account will be in the LDAP. Provided you can tell the Windows box to use the LDAP as the auth mechanism, you should be good. On Unix you can define both local and remote authentication methods (i.e. check local 1st, remote (LDAP/AD) 2nd); however, if you have accounts with the same name, that is a problem!

I'm thinking there's probably some registry key setting to define what authentication mechanism gets used... hmm

Cheers, JP.
0
 
LVL 6

Accepted Solution

by: Rob G (earned 500 total points)
ID: 40467558
I have tried this.
It doesn't work.
In 2k3 or prior it works without an issue.
In 2k8 you can modify the registry and use parts from the 2k3 OS to get it to work.
In 2k8R2 it simply does not work. (Samba is not supported; CIFS is.)

You have really two, possibly three options; they all suck:
1. You install a single sign-on application that can talk to both AD and pure LDAP. Computer Associates makes one, which is part of the eTrust software (works with Sun Directory).
2. You can set up a secondary Domain Controller (AD) and use that to replicate the data from the LDAP server to the AD side, and use that to log into the Windows servers.
3. You can see if you can get Kerberos to work; as long as the Unix side supports Kerberos version 5.x or better, it should work. (Microsoft indicates this still requires an AD server with trusts.)
0
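Added example, not part of the thread or any answer above: what option 3 looks like on a standalone (non-AD) Windows Server 2008 R2 host, using the built-in ksetup.exe to point the machine at a Unix Kerberos 5 realm. It assumes the Unix side runs an MIT-compatible Kerberos 5 KDC; the realm EXAMPLE.COM, the KDC host names and the account name dan are placeholders.

```powershell
# Added example (not from this thread). Configures a standalone Windows
# Server 2008 R2 host to authenticate against a Unix Kerberos 5 realm with
# the built-in ksetup.exe (the "option 3" route). Run from an elevated
# PowerShell prompt. Realm, KDC and account names are placeholders.

$Realm = 'EXAMPLE.COM'                          # Kerberos realm names are case-sensitive; MIT realms are normally upper-case
$Kdcs  = @('kdc1.example.com', 'kdc2.example.com')

# 1. Declare the realm this host belongs to. This is NOT an AD domain join;
#    the host stays a workgroup machine and uses the realm for logon only.
ksetup /setdomain $Realm

# 2. Register the KDC(s) and the password-change server for the realm.
#    Without explicit entries Windows would rely on DNS SRV records alone.
foreach ($kdc in $Kdcs) { ksetup /addkdc $Realm $kdc }
ksetup /addkpasswd $Realm $Kdcs[0]

# 3. Set the host's own Kerberos key. It must equal the password chosen when
#    the host principal was created on the Unix KDC, e.g. in kadmin:
#      addprinc host/win2k8r2.example.com@EXAMPLE.COM
#    The machine's DNS suffix must be set so that host/<fqdn> matches.
#    ksetup only accepts the password as a plain argument, so it is read
#    into a SecureString first and converted just for this call.
$hostPw = Read-Host -AsSecureString 'Password of the host/<fqdn> principal on the KDC'
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($hostPw)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
ksetup /setcomputerpassword $plain
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# 4. Map realm principals to local Windows accounts. Windows still needs a
#    local account to build the logon token, so the KDC proves who the user
#    is, but authorization (group membership, rights) is local to the box.
ksetup /mapuser dan@EXAMPLE.COM dan             # one principal -> one named local account
# ksetup /mapuser * *                           # alternative: any principal -> same-named local account

# 5. Print the stored realm configuration for review. A reboot is required
#    before the realm appears as a logon target; after a successful logon,
#    klist on the host shows the TGT issued by the Unix KDC.
ksetup
```

The mapping in step 4 is what answers the earlier "does there have to be an individual account on the Windows machine" question for this route: yes, a local account per user (or a shared one via `* *`), with the password check delegated to the Unix KDC.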
 

Author Closing Comment

by:Campbelldw
ID: 40571091
While not an ideal solution, it is about what was expected. I have been trying to find another solution but have been unable to. I appreciate your contributions.

Respectfully,

Dan
0
