
Re: [K12OSN] Samba setup w/ ldap vs NIS/NT domain

On Sun, 14 Apr 2002, Mike Danahy wrote:

>I do know that the iplanet directory server has an addon for NT
>Synchronization services that will allow the SAM database and/or the NT
>user database to sync up with an iplanet ldap server. There are two
>software packages, one gets installed on the iplanet ldap server and the
>other is installed on the NT server.  From what I have read, communication
>takes place between servers in clear text; ahh--more work to make it
>secure.   I took this info from "Solaris and LDAP Naming Services" by Tom
>Bialaski and Michael Haines.

The LDAP support in Samba 2.2.3a is not clear text (well, depends on how you
define clear text ;-). What we did was add the LanMan & NT passwords to the
LDAP schema, and Samba queries for them there rather than /etc/smbpasswd.
Thus it is the hash that is passed back and forth between the Windows box and
Samba, which is the same level of security (or insecurity if you prefer)
that you get authenticating against an NT 4.0 server.

I believe they are working on the Kerberos support for win2k/xp in Samba 3.0.

It sounds like iplanet is enabling clear-text passwords on the Windows box.
I had a few beers with John Terpstra (of Samba fame) a year or so ago and
he rattled off a long list of things that break on a Windows box when you
enable clear text passwords (including the obvious "clear text passwords").
I can't remember the exact details, I figured that remembering "don't do that,
it's fundamentally broken" was enough ;-)

>I guess one of the things I am getting out of this book and a couple of
>others is that LDAP or directory services adhere to standards in many ways,
>but their access control instructions can be vendor specific and
>thus different.  This is a big "Oh Shucks!" because it only makes sense
>for budget strapped schools to have operational transparency all across the
>board with differences saved for the front-end.  There are glue products
>out there that make them behave as one, but I suspect they require a
>chunk of time and monies.

Samba + Netatalk + LDAP does a pretty good job of gluing together
everything in our shop. Too bad all operating systems didn't use PAM ;-)

As I mentioned in an earlier email, the initial setup of OpenLDAP can be
a bit daunting, but once you get it running it's great. I can't imagine
life without centralized authentication and authorization.

>That being said, there is no doubt the industry will head the directory
>server route.  I suspect that everything from library automation
>systems to school management systems will be directory service
>enabled.  More vendors seem to be going this route!  Wouldn't it be
>nice if your school just purchased a library automation system and
>you only had to ldap point to your users instead of typing in another set
>of accounts.
>Our service unit will be doing everything ldap or directory server
>authentication/authorization next year.  Being faced with a situation
>similar to yours, but without a timeline yet, we will probably take
>advantage of the commercial iplanet directory server software and use
>links in openldap to the things we need.  Having one stop shopping
>authorization/authentication and large scale management of computer
>resources is only possible with directory services.
>On another note, I have heard that Novell's NDS and OpenLDAP work real
>well together.

I've always been impressed with NDS. Too bad it's too expensive for us :-(
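An added note, not part of the original post: because the LanMan and NT hashes stored in the directory are password-equivalent (whoever reads them can authenticate as that user without knowing the password), the Samba password attributes should be readable only by the DN Samba binds with. The slapd.conf fragment below is an illustrative example, not the poster's configuration; the attribute names lmPassword and ntPassword are those of the Samba 2.2 schema, and the bind DN and suffix are placeholders.

```conf
# Illustrative OpenLDAP slapd.conf ACL for Samba 2.2 password hashes.
# Placeholder DNs: replace cn=samba,dc=example,dc=org with the DN set
# as "ldap admin dn" in smb.conf, and dc=example,dc=org with your suffix.

# The hash attributes: only the Samba bind DN may read or write them.
# Note that "by * none" also denies users their own hashes; Samba
# performs password changes itself while bound as the admin DN, so
# users never need direct access to these attributes.
access to attrs=lmPassword,ntPassword
        by dn="cn=samba,dc=example,dc=org" write
        by * none

# The Unix password stays usable for simple binds (auth), but is not
# readable by anyone other than the Samba DN and the user's own entry.
access to attrs=userPassword
        by dn="cn=samba,dc=example,dc=org" write
        by self write
        by anonymous auth
        by * none

# Everything else in the account entries may be read normally.
access to *
        by dn="cn=samba,dc=example,dc=org" write
        by * read
```

The ACL only protects the hashes at rest in the directory; the LDAP connection between Samba and slapd still needs TLS (or a loopback-only listener) so the hashes are not sent over the wire in the clear when Samba fetches them.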
