On 7 Aug 2008, at 23:04, Andrey Falko wrote:
> ...
> As far as I know, don't take my word for it, in order to use Active
> Directory on a GNU/Linux host, you need to set up LDAP and have it talk
> to AD. Unfortunately I don't know how to do this, perhaps this will
> help: http://www.linux.com/articles/40983 .

Hi there,

I understood Active Directory to be Microsoft's implementation of
LDAP + extensions. Or maybe it's Microsoft's entirely own way of
doing a directory service, with LDAP support bolted on afterwards.
Anyway, yes, Linux hosts should indeed be able to talk LDAP to an AD
server.

On a domain that I manage we authenticate over Samba instead. I can't
entirely recall why I chose this method instead of AD, but I'm pretty
sure there were good reasons for it at the time. Once Samba is
configured to do winbind - it obviously needs to know the name of
the domain server &c - one installs the PAM winbind module and
references it in /etc/pam.d/ for any Linux services one wishes to
authenticate off the Windows server. Samba then, presumably, acts as
a client to the domain server and says "user X, hash(password Y)
wants to log on, is this ok?"; PAM passes the response back to the
service the user is trying to use.

I think winbind alleviates some need to deal with Active Directory. I
really know nothing about AD - all I have to do is log on to the
Windows server (SBS 2003) and add a user to the domain in the Server
Management For Idiots program Microsoft so kindly provides. The user
is able to authenticate on the Linux box immediately after restarting
Samba (and the restart is probably only required because I've fouled
up the caching configuration, or something). I also use pam_mkhomedir
so that when the user logs on to IMAP for the first time ~ is
automagically created; I had to reject Courier-IMAP in favour of
Dovecot in order to be able to do this, as IIRC Courier doesn't use
the PAM type "session", and that's required to make pam_mkhomedir
work (Dovecot doesn't actually need to use this type, but adds an
option to open a PAM session specifically to enable mkhomedir to be
used. This is a requirement of pam_mkhomedir, NOT pam_winbind).

What I have enjoyed about winbind is that it has (so far!) made
adding additional services easy. I needed to run an ftp server (allow
only 127.0.0.1) on the Linux machine, so that Squirrelmail's vacation
plugin could upload the users' vacation messages to their homedirs.
To get the ftp service (net-ftp/vsftpd) to authenticate off the same
credentials was as easy as copying the PAM settings for the already-
working IMAP server to /etc/pam.d/ftp (although I see that each is
"sufficient" instead of "required" in this case). I was quite
surprised it worked so easily, quickly and smoothly. Anyway, any user
can sit at their Windows workstation, CTRL-ALT-DEL and change their
password and the IMAP server will now respect their new credentials,
which is the important thing (for me).

Stroller.
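
The pieces Stroller's post describes (a domain-member smb.conf fragment, the PAM stack that chains pam_winbind with pam_mkhomedir, and the wbinfo checks), collected into one small POSIX shell script. This is an added example, not code from the post, the Samba project or Dovecot. The domain name EXAMPLE, realm EXAMPLE.LOCAL, the idmap range, the home-directory template and the service names "dovecot" and "ftp" are assumptions, and the smb.conf syntax assumes Samba 3.6 or later. The script only writes under /etc/pam.d when invoked with `install`; `show` just prints both fragments and `check <user>` runs the live winbindd checks on a joined member.

```shell
#!/bin/sh
# Added example (not from the original post): winbind + PAM pieces from
# the thread as an install/check script.  Hypothetical values: domain
# EXAMPLE, realm EXAMPLE.LOCAL, uid range 10000-99999, /home/%U homes.
set -eu

PAMDIR="${PAMDIR:-/etc/pam.d}"

# smb.conf [global] fragment: join the box to the domain as a member and
# let winbindd map domain accounts to local uids.  "template homedir"
# is the path pam_mkhomedir will create on first login.
smb_global_fragment() {
    cat <<'EOF'
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL
    security = ads
    winbind use default domain = yes
    winbind enum users = yes
    idmap config * : backend = tdb
    idmap config * : range = 10000-99999
    template homedir = /home/%U
    template shell = /sbin/nologin
EOF
}

# PAM stack for a service that should accept domain credentials only.
# "sufficient": a winbind success ends the stack at once; a winbind
# failure is ignored and control falls through, so the trailing
# "required pam_deny.so" makes the outcome explicit rather than relying
# on what an all-"sufficient" stack returns when every module fails.
# The session line is what creates ~ on first login; it belongs to
# pam_mkhomedir, not pam_winbind, and only runs if the service (Dovecot
# with its PAM-session option, vsftpd) actually opens a PAM session.
winbind_pam_stack() {
    cat <<'EOF'
auth     sufficient pam_winbind.so
auth     required   pam_deny.so
account  sufficient pam_winbind.so
account  required   pam_deny.so
session  required   pam_mkhomedir.so skel=/etc/skel umask=0077
EOF
}

# Write the same stack for a named service (dovecot, ftp, ...), which is
# the "copy the IMAP settings to /etc/pam.d/ftp" step from the post.
install_pam_service() {
    winbind_pam_stack > "$PAMDIR/$1"
    chmod 0644 "$PAMDIR/$1"
}

# Number of stack lines using a given control flag; useful when
# reviewing a copied service file for stray "sufficient" lines.
count_control() {
    winbind_pam_stack | awk -v c="$1" '$2 == c { n++ } END { print n+0 }'
}

# Live checks; only meaningful on a joined member with winbindd running.
check_winbind() {
    wbinfo -t               # machine account trust secret still valid?
    wbinfo -u | head -n 3   # user enumeration through winbindd
    getent passwd "$1"      # nss_winbind resolves the domain account
    wbinfo -a "$1"          # prompts for the password and tests auth
}

case "${1:-}" in
    install)
        install_pam_service dovecot
        install_pam_service ftp
        ;;
    check)
        check_winbind "${2:?domain user}"
        ;;
    show)
        smb_global_fragment
        winbind_pam_stack
        ;;
esac
```

Join the member first (`net ads join -U Administrator`), then `sh winbind-pam.sh check someuser` before touching any service: if `wbinfo -t` fails, no PAM stack will help. On a host that also has local Unix accounts, put `pam_unix.so` between the winbind line and `pam_deny.so` in the auth and account groups; the example deliberately leaves it out because the services in the post serve domain users only. The `umask=0077` on pam_mkhomedir matters on a mail host, since the home directory will hold the user's mailbox and vacation message.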