Solved

Authenticate Windows 2008r2 against Unix Domain LDAP

Posted on 2014-11-24
5
270 Views
Last Modified: 2015-01-26
My organization has a Unix Domain which runs an LDAP for authentication.  We also have a couple of tools that run on Windows platforms only.  Currently one of those tools is going through an update and the customer is looking to fully integrate this box into the network to include authentication.  Any suggestions would be welcome as to how to do this.

Tech details.

Windows Server 2008r2 Standard server.  Not running AD - the customer does not want AD at this time.  Most of the backbone network is run on Solaris machines serving data to Mac clients.  Users authenticate through the LDAP, which includes all attributes of their positions and responsibilities, i.e. the admins have an Admin flag on their accounts.  Limited use of groups etc.
Question by:Campbelldw
5 Comments
 
LVL 4

Expert Comment

by:popesy
ID: 40463967
Hi

It's been a little while since I did LDAP stuff, but here goes;

I think Windows uses the LDAP protocol in AD anyway (just windows-ized); have you tried joining the domain as you would for joining a windows server to a windows domain (r-click computer > properties > etc..)?

Sounds like you may want to check out the SAMBA suite too (https://wiki.samba.org/); this helps Unix understand Windowsy stuff.  I've done the opposite way around (UNIX to AD) and SAMBA works great for that.  Again, I am not sure if you need it, but there is a Unix service for Windows that I used for Unix to AD.

Feed back and we'll try to nail it!

Cheers, JP.
0
 

Author Comment

by:Campbelldw
ID: 40465048
Alright, so joining the Unix/Linux domain is pretty straight forward.  What about authenticating accounts?  Can the user authenticate directly from the LDAP, same as in an Active Directory Domain, or does there have to be an individual account on the Windows machine which then reaches back to the LDAP?
0
 
LVL 4

Expert Comment

by:popesy
ID: 40466538
Hi

My understanding is that you would need that user defined in LDAP only.

In the past, doing this the opposite way around, it has always been the case that the account will be in the LDAP. Provided you can tell the Windows box to use the LDAP as the auth mechanism, you should be good.  In Unix you can define both local and remote authentication methods (i.e. check local 1st, remote (LDAP/AD) 2nd); however, if you have accounts with the same name, that is a problem!

I'm thinking there's probably some registry key setting to define what authentication mechanism gets used...hmm

Cheers, JP.
0
 
LVL 6

Accepted Solution

by:
Rob G earned 500 total points
ID: 40467558
I have tried this..
It doesn't work..
In 2k3 or prior it works without an issue..
In 2k8 you can modify the registry and use parts from the 2k3 OS to get it to work.
In 2k8R2 it simply does not work.. (Samba is not supported) (CIFS is)

You have really two, possibly three options, and they all suck:
1. You install a single sign-on application that can talk to both AD and pure LDAP.
Computer Associates makes one, which is part of the eTrust software (works with Sun Directory).
2. You can set up a secondary Domain Controller (AD) and use that to replicate the data from the LDAP server to the AD side, and use that to log into the Windows servers.
3. You can see if you can get Kerberos to work; as long as the Unix side supports Kerberos version 5.x or better, it should work. (Microsoft indicates this still requires an AD server with trusts.)
0
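Whichever of the options above is chosen, the first thing to establish is whether the 2008 R2 box can reach the Unix directory over LDAPS and bind with a user's own credentials. The script below is an added example, not code from this thread or from any of the products named in it; it is a bind-and-lookup check, not a replacement for Windows logon. The server name, base DN, user DN and the attribute name `adminFlag` (the thread only says "an Admin flag") are assumptions to be replaced with the site's real values.

```powershell
# Added example: verify an LDAPS bind against a non-AD (Unix) directory from
# Windows 2008 R2 using System.DirectoryServices.Protocols (.NET 3.5 ships it).
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-UnixLdapBind {
    param(
        [string]$Server = 'ldap.example.org',            # assumed hostname
        [int]$Port = 636,                                 # LDAPS
        [string]$BaseDn = 'ou=People,dc=example,dc=org',  # assumed base DN
        [string]$Uid,                                     # Unix login name
        [string]$AdminAttribute = 'adminFlag'             # assumed attribute name
    )
    # User DN is assumed to be uid=<login>,<base>; adjust to the site's schema.
    $userDn = "uid=$Uid,$BaseDn"
    # Prompt for the password instead of embedding it in the script.
    $cred = Get-Credential $userDn
    $net  = $cred.GetNetworkCredential()

    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true   # never send a simple bind in clear
    $conn.SessionOptions.ProtocolVersion   = 3
    # Simple bind with the user's DN; the server certificate is validated against
    # the Windows trust store, so the Unix CA must be installed there first.
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic

    try {
        $conn.Bind((New-Object System.Net.NetworkCredential($net.UserName, $net.Password)))
        Write-Host "Bind OK as $userDn"

        # Read back the user's own entry, including the site's admin flag attribute.
        $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
            $BaseDn, "(uid=$Uid)",
            [System.DirectoryServices.Protocols.SearchScope]::Subtree,
            @('uid', $AdminAttribute))
        $resp = $conn.SendRequest($req)
        if ($resp.Entries.Count -ne 1) { throw "Expected 1 entry for uid=$Uid, got $($resp.Entries.Count)" }
        $entry = $resp.Entries[0]
        $flag  = if ($entry.Attributes.Contains($AdminAttribute)) { $entry.Attributes[$AdminAttribute][0] } else { '<absent>' }
        Write-Host "$($entry.DistinguishedName): $AdminAttribute = $flag"
    } catch [System.DirectoryServices.Protocols.LdapException] {
        # Wrong password shows up as invalidCredentials (49); a bad CA as a TLS failure.
        Write-Host "LDAP error $($_.Exception.ErrorCode): $($_.Exception.ServerErrorMessage)"
    } finally {
        $conn.Dispose()
    }
}
```

Run `Test-UnixLdapBind -Server <host> -Uid <login>` from an elevated PowerShell prompt; a successful bind only proves the directory accepts the credential, so any of the three options above is still needed to turn that into a Windows logon.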
 

Author Closing Comment

by:Campbelldw
ID: 40571091
While not an ideal solution, it is about what was expected.  I have been trying to find another solution but have been unable to.  I appreciate your contributions.

Respectfully,

Dan
0
