Campbelldw
Authenticate Windows 2008r2 against Unix Domain LDAP
My organization has a Unix Domain which runs an LDAP for authentication. We also have a couple of tools that run on Windows platforms only. Currently one of those tools is going through an update and the customer is looking to fully integrate this box into the network to include authentication. Any suggestions would be welcome as to how to do this.
Tech details.
Windows Server 2008r2 Standard server. Not running AD - the customer does not want AD at this time. Most of the backbone network is run on Solaris machines serving data to Mac clients. Users authenticate through the LDAP, which includes all attributes of their positions and responsibilities, i.e. the admins have an Admin flag on their accounts. Limited use of groups etc.
ASKER
Alright, so joining the Unix/Linux domain is pretty straight forward. What about authenticating accounts? Can the user authenticate directly from the LDAP, same as in an Active Directory Domain, or does there have to be an individual account on the Windows machine which then reaches back to the LDAP?
Hi
My understanding is that you would need that user defined in LDAP only.
In the past, doing this the opposite way around, it has always been the case that the account will be in the LDAP. Provided you can tell the Windows box to use the LDAP as the auth mechanism, you should be good. In Unix you can define both local and remote authentication methods (i.e. check local 1st, remote (LDAP/AD) 2nd); however, if you have accounts with the same name that is a problem!
I'm thinking there's probably some registry key setting to define what authentication mechanism gets used...hmm
Cheers, JP.
ASKER CERTIFIED SOLUTION
ASKER
While not an ideal solution, it is about what was expected. I have been trying to find another solution but have been unable to. I appreciate your contributions.
Respectfully,
Dan
It's been a little while since I did LDAP stuff, but here goes:
I think Windows uses the LDAP protocol in AD anyway (just Windows-ized); have you tried joining the domain as you would for joining a Windows server to a Windows domain (r-click Computer > Properties > etc.)?
Sounds like you may want to check out the SAMBA suite too (https://wiki.samba.org/); this helps Unix understand Windowsy stuff. I've done the opposite way around (UNIX to AD) and SAMBA works great for that. Again, I am not sure if you need it, but there is a Unix service for Windows that I used for Unix to AD.
Feedback and we'll try to nail it!
Cheers, JP.