Avatar of Campbelldw
Campbelldw
Flag for United States of America asked on

Authenticate Window 2008r2 agianst Unix Domain LDAP

My organization has a Unix Domain which runs an LDAP for authentication.  We also have a couple of tools that run on Windows platforms only.  Currently one of those tools is going through an update and the customer is looking to fully integrate this box into the network to include authentication.  Any suggestions would be welcome as to how to do this.

Tech details.

Windows Server 2008r2 Standard server.  Not running AD - the customer does not want AD at this time.  Most of the backbone network is run on Solaris machines serving data to Mac clients.  Users authenticate through the LDAP which includes all attributes of their positions and responsibilities.  I.E. the admins have an Admin flag on their accounts.  Limited use  of groups etc.
Unix OSMicrosoft Legacy OS

Avatar of undefined
Last Comment
Campbelldw

8/22/2022 - Mon
John Pope

Hi

It's been a little while since I did LDAP stuff, but here goes;

I think Windows uses the LDAP protocol in AD anyway (just windows-ized); have you tried joining the domain as you would for joining a windows server to a windows domain (r-click computer > properties > etc..)?

Sounds like you may want to check out the SAMBA suite too (https://wiki.samba.org/), this helps Unix understand windowsy stuff.  I've done the opposite way around (UNIX to AD) and SAMBA works great for that.  Again, I am not sure if you need it, but there is a Unix service for windows that I used for Unix to AD.

Feed back and we'll try to nail it!

Cheers, JP.
Campbelldw

ASKER
Alright, so joining the Unix/Linux domain is pretty straight forward.  What about authenticating accounts?  Can the user authenticate directly from the LDAP, same as in an Active Directory Domain, or does there have to be an individual account on the Windows machine which then reaches back to the LDAP?
John Pope

Hi

My understanding is that you would need that user defined in LDAP only.

In the past, doing this the opposite way around, it has always been the case that the account will be in the LDAP. Provided you can tell the Windows box to use the LDAP as the auth mechanism you should be good.   In a Unix you can define both local and remote authentication methods i.e. check local 1st, remote (LDAP/AD) 2nd) , however if you have accounts with the same name that is a problem!

I'm thinking there's probably some registry key setting to define what authentication mechanism gets used...hmm

Cheers, JP.
Experts Exchange is like having an extremely knowledgeable team sitting and waiting for your call. Couldn't do my job half as well as I do without it!
James Murphy
ASKER CERTIFIED SOLUTION
Rob G

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
Campbelldw

ASKER
While not an ideal solution, it is about what was expected.  I have been trying to find another solution but have been unable to.  I appreciate your contributions.

Respectfully,

Dan