
Re: LDAP: possible problems with user authentication



Please don't top post

Germana Oliveira wrote:
So, you're telling me that ADS/LDAP does the same thing you can do with just LDAP (without the interface)... I mean, a directory service. Groups, rights and security are managed by the OS itself?

What Active Directory does is give you the facility to manage all those things together? But with Debian, for example, and without AD, you can do it separately? Am I close?

Well, I have to read a LOT.

Ldap is a certain database protocol designed for managing directory information. AD is implemented in ldap by specifying a certain set of properties that are queried against when the OS is determining user data.

Combining samba with ldap, there are plenty of howtos for having ldap user authentication and domain configuration for windows clients on a Linux server. Printer access restricting can be dealt with from cups, files can be protected using the normal acl in Linux. You can also make certain devices r/w for certain groups only, thereby blocking other groups (as is already standard in Linux: you want to use usb-sticks? You must be a member of plugdev etc.)

However, ldap is much more. E.g. you can have a different set of properties that allows your mail client to store its address book.

Also, AD is a bit more than ldap. First, it doesn't use ldap authorization but kerberos, which is also available for Linux (kerberos-heimdal) and can be made to work together with ldap. There are also some slight differences which make a Linux-samba server not a fully compliant windows server, which supposedly should be dealt with in samba v4 (see samba howtos for the details).

By the way, there are many nice tools for managing ldap databases. For user management, I'd recommend the web-based ldap-account-manager.

And finally: don't believe in the bullsh*t that changing passwords is difficult. When properly set-up it is as hard as doing a 'passwd' from any of the Unix clients/servers or using the password-change gui from any of the windows clients. The only trickery is the 'when properly set-up': use one of the many howtos! Keywords that I can come up with now are "samba windows domain server howto".

Sjoerd
