Re: [nssldap] some questions regarding Active Directory <--> NSS Ldap




I can understand your trepidation with learning/setting up Kerberos, but
I have to agree with Jeff. It's really easy to set up Kerberos, and if
you install the right packages, it just works.

I was scared of Kerberos, because I'd heard so many bad things about it,
then I read the O'Reilly Kerberos book, and was shocked at how simple it
is to set up. Much easier than even LDAP.

Even if it's not right or too late for this project, I highly recommend
that you become familiar with it for possible future use.

Prentice

Jeffrey Watts wrote:
> Yeah, I'm not sure how to help you at this point, since I haven't worked
> with pam_ldap much.  I will say that using pam_krb5 is much simpler than
> that, and that you ought to seriously take a look at it.
> 
> The /etc/krb5.conf file is very easy to set up, and once it's set up
> Kerberos auth tends to just "work".  To be honest only 5% of my effort
> was in getting Kerberos working, another 20% was in getting nss_ldap set
> up to map attributes correctly, and the other 75% was securing the
> connection and other issues (like trying to make that POS nscd work).
> 
> Jeffrey.
> 
> 2010/2/23 Илья Шипицин <chipitsine@gmail.com>
> 
>     yes, I can specify the base as DC=mydomain, but from a technical point
>     of view a user can be at CN=subdivision1,CN=sites,DC=mydomain and I
>     cannot predict it definitely. So, I have to bind first using the
>     proxy-user and determine (i.e. search) for
>     (&(objectClass=user)(sAMAccountname=xxx)), but that's not enough,
>     because when the proxy user finds the DN it cannot read the
>     password-related field from AD (in order to perform the pam "auth"
>     operation). So, there must be a second operation, i.e. bind with
>     cn=xxx,CN=subdivision1,CN=sites,DC=mydomain and the pam-supplied
>     password. The question is: can pam_ldap perform such an operation or
>     not.
> 
>     On 23 February 2010 at 22:27, Jeffrey Watts
>     <jeffrey.w.watts@gmail.com> wrote:
> 
>         Ah, I understand.  I don't see a way around your problem then. 
>         If admins can simply add OUs willy-nilly, then you will always
>         have problems (unless you specify the root of the domain as your
>         search base).  We have that problem to a limited extent
>         (executives are in their own container for some silly reason),
>         but the list of exceptions is very small here.
> 
>         Jeffrey.
> 
>         2010/2/23 Илья Шипицин <chipitsine@gmail.com>
> 
> 
>             in a multi-site AD there are many OUs with users. And when the
>             proxy-user reads AD, it cannot read the userPassword attribute
>             (which is possible in the case of OpenLDAP).
>             There is no readable password field in the case of Active
>             Directory, so the proxy user can only "find" where a certain
>             user actually "lives", but after that there must be a second
>             operation: bind with the supplied credentials (yes! we already
>             found the full DN!). Also, despite the numerous nss_base_*
>             variables... administrators just add OUs as they want to, I
>             cannot predict that. So, I cannot specify all the OUs.
> 
> 
> 
> 
> 
> -- 
> 
> "He that would make his own liberty secure must guard even his enemy
> from oppression; for if he violates this duty he establishes a precedent
> that will reach to himself." -- Thomas Paine
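The search-then-bind sequence Ilya describes above (proxy account locates the user's DN anywhere under the domain root, then a second bind with that DN and the PAM-supplied password), written out as an added example; this is not code from the thread or from pam_ldap. The `conn` object, the `FakeAD` directory and all account names and passwords are constructed stand-ins so it runs offline; a real deployment would pass a python-ldap or ldap3 connection exposing the same two calls.

```python
import re

def escape_filter_value(value):
    """Escape a value for an LDAP search filter (RFC 4515) so that a
    username such as 'xxx)(cn=*' cannot widen the search."""
    return re.sub(r'[\\*()\x00]', lambda m: '\\%02x' % ord(m.group(0)), value)

def search_then_bind(conn, base, proxy_dn, proxy_pw, username, password):
    """Two-step AD authentication. `conn` is an assumed minimal LDAP client:
    simple_bind(dn, pw) -> bool and search(base, ldap_filter) -> list of DNs.
    Returns the authenticated user's DN, or None on any failure."""
    # AD answers an empty password with a successful *anonymous* bind, which
    # would let any known username through; refuse it before touching LDAP.
    if not password:
        return None
    if not conn.simple_bind(proxy_dn, proxy_pw):
        return None
    ldap_filter = '(&(objectClass=user)(sAMAccountName=%s))' % escape_filter_value(username)
    found = conn.search(base, ldap_filter)
    # Exactly one hit is required: zero is an unknown user, more than one is
    # an ambiguous name and we must not guess which account to bind as.
    if len(found) != 1:
        return None
    user_dn = found[0]
    # Step two: the password is never readable from AD, so the only way to
    # verify it is to bind as the DN the proxy just discovered.
    return user_dn if conn.simple_bind(user_dn, password) else None

class FakeAD:
    """Constructed stand-in for an AD directory; users sit in OUs the
    client cannot predict, and the password attribute is never exposed."""
    def __init__(self, accounts):
        self.accounts = accounts          # dn -> (sAMAccountName, password)
    def simple_bind(self, dn, pw):
        if pw == '':
            return True                   # mimics AD's anonymous bind on empty password
        return dn in self.accounts and self.accounts[dn][1] == pw
    def search(self, base, ldap_filter):
        m = re.fullmatch(r'\(&\(objectClass=user\)\(sAMAccountName=([^)]*)\)\)', ldap_filter)
        name = m.group(1) if m else None
        return [dn for dn, (sam, _) in self.accounts.items()
                if sam == name and dn.lower().endswith(base.lower())]

DIRECTORY = FakeAD({
    'CN=proxy,CN=Users,DC=mydomain': ('proxy', 'proxy-secret'),
    'CN=xxx,CN=subdivision1,CN=sites,DC=mydomain': ('xxx', 'hunter2'),
    'CN=yyy,OU=executives,DC=mydomain': ('yyy', 'pa55word'),
})

def authenticate(username, password):
    return search_then_bind(DIRECTORY, 'DC=mydomain', 'CN=proxy,CN=Users,DC=mydomain',
                            'proxy-secret', username, password)
```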