Solved

Authenticate Windows 2008r2 against Unix Domain LDAP

Posted on 2014-11-24
Last Modified: 2015-01-26
My organization has a Unix Domain which runs an LDAP for authentication.  We also have a couple of tools that run on Windows platforms only.  Currently one of those tools is going through an update and the customer is looking to fully integrate this box into the network to include authentication.  Any suggestions would be welcome as to how to do this.

Tech details.

Windows Server 2008r2 Standard server.  Not running AD - the customer does not want AD at this time.  Most of the backbone network is run on Solaris machines serving data to Mac clients.  Users authenticate through the LDAP which includes all attributes of their positions and responsibilities, i.e. the admins have an Admin flag on their accounts.  Limited use of groups etc.
Question by: Campbelldw
5 Comments
 
Expert Comment

by: popesy
ID: 40463967
Hi

It's been a little while since I did LDAP stuff, but here goes;

I think Windows uses the LDAP protocol in AD anyway (just windows-ized); have you tried joining the domain as you would for joining a windows server to a windows domain (r-click computer > properties > etc..)?

Sounds like you may want to check out the SAMBA suite too (https://wiki.samba.org/), this helps Unix understand windowsy stuff.  I've done the opposite way around (UNIX to AD) and SAMBA works great for that.  Again, I am not sure if you need it, but there is a Unix service for windows that I used for Unix to AD.

Feed back and we'll try to nail it!

Cheers, JP.
 

Author Comment

by: Campbelldw
ID: 40465048
Alright, so joining the Unix/Linux domain is pretty straight forward.  What about authenticating accounts?  Can the user authenticate directly from the LDAP, same as in an Active Directory Domain, or does there have to be an individual account on the Windows machine which then reaches back to the LDAP?
 
Expert Comment

by: popesy
ID: 40466538
Hi

My understanding is that you would need that user defined in LDAP only.

In the past, doing this the opposite way around, it has always been the case that the account will be in the LDAP. Provided you can tell the Windows box to use the LDAP as the auth mechanism you should be good.  In Unix you can define both local and remote authentication methods (i.e. check local 1st, remote (LDAP/AD) 2nd); however, if you have accounts with the same name that is a problem!

I'm thinking there's probably some registry key setting to define what authentication mechanism gets used...hmm

Cheers, JP.
 
Accepted Solution

by: Rob G (earned 500 total points)
ID: 40467558
I have tried this..
It doesn't work..
In 2k3 or prior it works without an issue..
In 2k8 you can modify the registry and use parts from the 2k3 OS to get it to work.
In 2k8R2 it simply does not work.. (Samba is not supported) (CIFS is)

You have really two, possibly three options, they all suck,  
1. You install a single sign on application that can talk to both AD and Pure LDAP.
Computer associates makes one, which is part of the Etrust software (works with Sun Directory)
2. You can setup a secondary Domain Controller (AD) and use that to replicate the data from the LDAP server to the AD side and use that to log into the windows servers.
3. You can see if you can get Kerberos to work, as long as the Unix side supports kerberos version 5.x or better, it should work.. (Microsoft indicates this still requires an AD server with trusts)
 

Author Closing Comment

by: Campbelldw
ID: 40571091
While not an ideal solution, it is about what was expected.  I have been trying to find another solution but have been unable to.  I appreciate your contributions.

Respectfully,

Dan