Ask the Expert

Authenticating Linux with LDAP

Possibly one of the biggest questions in the world of computing today is "How can I make Linux and Windows play together?"

Requires Free Membership to View

I've been twiddling with this for some time now and have been able to successfully use items like Samba to get by temporarily. Winbind was also a nice new feature, but it didn't seem to do exactly what I needed.

In the end, what I want to do is authenticate my Linux systems, which are growing hand-over-fist, with an LDAP server. I know very little about LDAP and would like to know if an OpenLDAP server can replicate authorization information from a Windows NT PDC. In this way, I would not have to duplicate accounts on the Linux servers that are on the NT domain. Is this possible?

I am not quite sure what you mean by "play together," as I can come up with lots of interpretations:

  • Do you mean just authentication?
  • Do you mean full local logon with remote authentication only? Or do you mean with or without pre-existing home directories?
  • Do you mean Samba access will resolve users and groups to NT?
  • Do you mean NT/2K/XP/2003 authenticating to Linux? Or do you mean with or without home shares from Linux?

About Winbind

Winbind is a tool that allows authentication requests to be passed through to a remote CIFS server via a Pluggable Authentication Modules (PAM) interface. The main purpose of Winbind however is to provide user and group resolution to a UID/GID respectively, which can be used to reference objects that are stored within the file system. This username to UID mapping and group name to GID mapping is done in Linux via the Name Service Switcher infrastructure that is controlled via the /etc/nsswitch.conf file. Additionally, Winbind has a WINS resolver ability that is also capable of being hooked through /etc/nsswitch.conf, this facility does NetBIOS hostname to IP address resolution.

So in summary, Winbind is a bit like a Swiss Army Knife for resolver and authentication handling. The back-end can be another Samba server, an NT4 Domain Controller, or an ADS server on Win2K.

For Linux to use Winbind for authentication means you may need to use other PAM modules (like pam_mkhomedir.so) in addition to Winbind facilities.

It would help if I knew what you need that Winbind does not do for you.

Again, I may be misunderstanding your question.

About LDAP

LDAP can not be a distributed downstream partner of an Active Directory infrastructure. Windows NT 4-style domains do not interact at all with LDAP. If you want to use NT 4 domain accounts with Linux, then Winbind is just about your only choice. On the other hand, if you want to use Active Directory, you can authenticate Linux clients from it directly using PAM modules or using native Kerberos (either from MIT Kerberos or from Heimdal).

Another approach would be to use the Volution Technologies Inc. Volution Authentication Server (see http://www.sco.com) which provides full Active Directory integration for Linux and Unix systems, with full extension of the ADS schema to cover all Linux/Unix needs. Note: This is a commercial solution.

The other way around, you can store all your account information in an LDAP back-end, both for Samba and for Linux. At the Linux end you would use the PAM LDAP modules. Of course, all MS Windows clients could authenticate to that LDAP back-end via Samba.

So, you ask, is this possible? I am saying, "Yes!" But I wish I understood just exactly what you want to achieve so that my answer would be more to the point.
 

This was first published in March 2003

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: