<0> Quick question... How do I set a user to multiple groups properly within ldap?
<0> I'm also doing this within phpLDAPadmin (my only access)
<1> anyone store ssl certs in ldap here?
<1> X.509 certs, I mean
<2> hello everybody, i was reading a paper from sun microsystems, and then they say that a slapd must not be a client at the same time, so, if that is true, why does an ldap.conf file live on my operating system
<3> Heh all
<3> Hello
<3> How would I go about retrieving a public key programmatically using LDAP?
<4> hi, i got a question which kinda falls between two chairs... anyone have experience using LDAP as a source for account info on MacOS X ?
<5> I've an openldap server which is now serving posix accounts for tru64,linux,solaris and hpux. Is it possible to use this server for Microsoft also or will the config of /etc/ldap.conf limmot this? (because of specific nss_map options that are needed for MS, and the unix part may not be working anymore after changing these)
<5> s/limmot/limmit/
<3> Are you going to be using Kerberos?
<5> Only if needed.
<5> I'm not using a kerberos server at this moment.
<3> I didn't think MS could use LDAP for auth..
<6> sure you can
<3> Using Samba?
<3> And configuring it as a PDC?
<6> that too, but there's a module named pGina you can use to authenticate to ldap directly without samba.. you will miss out on domain-functionality etc, but you will have central logon
<5> Well, I'm sure you can, but I wonder if it can be mixed with an existing unix setup or that the 'pam' part will bite such a config. I am not configuring anything right now. just gathering info :-)
<5> pGina?
<7> tiswat, samba should interoperate ok
<5> I'll look after that. But I think that I need domains.
<7> with your existing setup
<7> so ?
<3> I would think that Domain authentication will give you the greatest flexibility
<5> Well, samba is for filesharing (or am I missing something? ) And I want login (domain) authentication also (s/ I /some clients/ :P)
<7> tiswat, windows authentication is tied so much into SMB that samba has to implement it
<7> so ... samba can provide you all the authentication bits you need for Windows stuff
<5> So I am looking for an ADS replacement
<3> tiswat: correct
<7> (unless you need ADS-specific features such as Group Policy Objects)
<3> PADL has one
<7> in which case you need samba4 or XAD (from PADL)
<3> But Samba should do just fine (I would think)
<5> Mmm, some reading to do. I am not into windows, (And hoped that I should not :P)
<5> I can use all kinds of schemas to make my server understand MS, but I fear after reading the sparse pam_ldap documentation that I have to modify /etc/ldap.conf that much that it won't work for posix auth anymore.
<5> A samba setup is not a problem but my client/colleague wants/needs more
<7> bull
<7> whatever you're reading is invalid
<5> lol
<7> the only difference between a unix-only pam_ldap/nss_ldap setup, and one that works with samba is that computer accounts must also appear as unix users
<7> so 'getent passwd computername$' must work
<7> that may mean:
<7> 1)you create computer accounts in the same container as user accounts
<7> 2)you change your nss_base_passwd setup
<7> 3)you add an additional nss_base_passwd entry (nss_ldap supports having multiple nss_base_* entries)
<5> Ok, so f.e. "nss_map_objectclass posixAccount user" won't exclude the standard use of objectclass posixAccount ?
<5> (same for passwd hashed etc.)
<5> I can imagine that MS does not like 'crypt'
<5> Which is now my default since that is the only common hash on all other platforms..
<7> hmmm, why do you need to do objectclass mapping ?
<7> password hashing is irrelevant
<7> (since samba stores passwords in its own attributes, sambaLMPassword and sambaNTPassword)
<5> According to what I've read: If I want domain auth: MS uses its own objectclass names (such as 'user' if they mean posixAccount).
<5> And a lot of other alikes according to the hashed out examples in /etc/pam.conf
<5> shadowlastchange is another one I'm using for unix, but MS wants pwdLastSet.......
<5> So that is the reason I fear that one server can be configured for unix OR ms, and not both. Filesharing is not enough.
<5> If it can't be done, I'll have to tell the guys to build their own ADS.
<5> But since they are nice guys, (even though a bit windows minded) I told them to give it a try.
<7> tiswat, where does "MS" fit in here ????
<7> in the samba scenario, the only thing "MS" speaks to is samba
<7> samba talks to LDAP
<7> samba interoperates fine with standard-track RFCs and nss_ldap (it *has* to)
<7> tiswat, do you want a windows DC, or a samba DC ?
<7> windows DC == AD, samba DC == LDAP
<7> while some attributes are different (specifically relating to password expiry), I think the smbk5pwd module for OpenLDAP may solve at least some issues
<7> tiswat, you seem to be confusing using nss_ldap/pam_ldap to authenticate unix machines to AD, with running a DC on samba
<8> hi
<4> how do i know what is a structural object class?
<8> i try to implement a simple ldap protocol handler. but i have problems to understand the ber encoding
<4> like, i have users which are based on posixAccount, but their structural object class appears to be account.... and account specifies 'userid' instead of 'uid'
<8> i get an identifier "universal", of type "sequence"
<8> but i'm unsure how to interpret the following bytes
<5> I need an AD server. To serve windows clients for authentication. Not a samba implementation so that my unix boxes can talk to windows boxes.
<5> And I want this AD functionality on my already existing unix-tuned openldap server
<5> A one size fits all setup.
<5> So, in my humble opinion, schemafiles, and the MS-windows users can fit on the same machine, but authentication using /etc/openldap can't serve both.
<9> hi
<5> If I have to use objectclass translations (which I am not using now) will the ol' unix authentication still work?
<4> ok, i switched over to person as the structural object class...
<5> I think the following is NOT true: a windows node asks for object class 'user' ; ldap.conf will answer: no, what you really want objectclass posixAccount; here is your info! (and translates it back to the requesting server)
<5> But if this is not the case; why are there translations needed?
<5> Or the users of the AD part may not mix up with the posix users. Sorry but I am still puzzled.
<5> But if someone ensures me that it can be done and /etc/ldap.conf won't be a roadblock I can walk the path of searching and debugging......
<9> tiswat: what do you mean by 'users of the AD part' ? samba 3.x can't act as an AD PDC
<4> pinchartl: someone on this channel claimed otherwise
<7> tiswat, I have a samba domain controller
<7> I have joined my windows box to the samba domain
<7> I log in with my password that is stored in LDAP in the sambaNTPassword attribute
<7> for this to work, all users that samba can authenticate (including machine accounts) must be accessible as "Unix" accounts
<7> so, machine accounts can be objectclass inetOrgPerson (or something else as structural) and objectclass sambaSamAccount
<7> no objectclass or attribute mapping is required
<7> it all works cleanly
<5> _ranger_, if i understand you, the first login (after powering up the MS node ) to the windows OS is authenticated by a non-ads server ( and not only file shares?)
<7> SAMBA CAN BE A DOMAIN CONTROLLER!!!!!
<7> so, yes
<7> I have no AD servers
<7> my windows 2003 server (which I am using as my Windows desktop) authenticates everything against my linux laptop running samba
<7> which stores all the information in LDAP
<7> in the same entries I use to login to my laptop (I have no local accounts)
<5> Ok, ok, don't shout to me, I was only verifying ;-)
<7> I've implemented this a number of times for small companies
<7> tiswat, it's only taken about an hour for you to understand that samba can be a domain controller ....
<5> So I don't need any native ADS schemes only the samba schemes.
<7> yes
<9> tiswat: samba 3.x can be an nt-style domain controller, but not an AD domain controller. all windows versions so far support nt-style domain membership
<5> Not to bug you with irritating questions, but why are there so many references on the net by people trying to convert ADS schemes when samba takes care of it? But I am happy with your verdict that samba works..
<7> tiswat, it is for the other way around AFAIK
<7> e.g., people wanting to store unix information in AD
<7> or people wanting to authenticate unix servers against AD (without schema changes)
<5> Poor people.
<9> tiswat: there are worse problems. try to get outlook to work with anything else than ms-exchange and you'll feel what pain really is
<5> But thanks again for your time and patience, _ranger_ .
<5> pinchartl, exchange would not be a problem because they only want to connect servers and not clients.
<5> I presume therefore that they don't need the toys from office.
<5> (that is at least what I hope)
<6> uhm.. anyone ran exchange in a samba-environment? exchange needs some misc local settings anyways.. don't know how hard its connection is to AD
<5> I'll keep your comments in mind pinchartl.
<9> Gagatan: I'm trying to get rid of exchange (5.5)
<6> exchange doesn't scale very well unless you use 50MB quotas and 500-1000 users per server :P
<7> Gagatan, we have 128MB quotas and ~ 100 users per exchange server
<7> our part of the company of course runs > 1 million mailboxes on about 16 servers (non-exchange of course!)
<6> yep.. most of our users are on cyrus anyways
<10> hi all. does anyone have any ideas how i can fix my db environment? when i try to start slapd, i get this in the logs: openldap "Program version 4.3 doesn't match environment"
<7> what version is slapd linked to, and what software have you got installed that is linked to 4.3 ?
<10> it's linked to 4.3.27. i checked the version and it had been updated to .29, so i put .27 back in, but that's what i get now
<9> Gagatan: I only got 20 users :-)
<9> I replaced exchange with postfix/cyrus, but the groupware functions (contacts & calendar) are a bit harder to provide
<10> ah, db_recover -v -h /path fixed it :)
<10> should have searched harder, sorry for the noise.
<7> of course it fixes it, but what caused it ...
<7> since, if your slapd has always been linked to 4.3.x, something else has been opening the database
<10> i think suse auto updated the db libs.
<11> hi, morning, is there something to reconstruct the bdb_db ?
<11> always the lights go down, the slapd database, kicks ***.
<7> backblue, what version of slapd ?
<11> 2.2.29
<11> in this case.
<7> well, either:
<7> 1)upgrade to 2.3
<7> or
<7> 2)run db_recover on each database before slapd starts
<7> in both cases, ensure you have a checkpoint set for each database in slapd.conf
<11> each? i think i only have one.
<7> in the 2.2 case, you then also need to run db_checkpoint as the user slapd runs as periodically
<11> checkpoint? i don't know what that is, point me to it please.
<7> backblue, I'm being generic (and I have 5)
<7> see slapd.conf(5)
<7> (e.g. 'man slapd.conf')
<11> ok