ldap_integration
Differences
ldap_integration [2009/08/18 09:57] – alan | ldap_integration [2009/10/21 06:59] – 172.26.0.166 | ||
---|---|---|---|
Line 1: | Line 1: | ||
===== LDAP Integration ===== | ===== LDAP Integration ===== | ||
- | ILRI uses an Active Directory server for user authentication, | + | ILRI uses an Active Directory server for user authentication, |
- | <note warning> | + | ===== Notes ===== |
- | The Active Directory server must not only be a domain controller, but must be running | + | ==== Likewise-Open ==== |
- | * 172.26.0.218 <- running a global catalog | + | |
+ | * open ports in Firewall (Active Directory, NTP, Kerberos) | ||
+ | * make sure time is in sync with the server! NTP must be configured correctly before installing AD integration | ||
+ | * Likewise-Open has their own CIFS server but can also work with existing Samba installs I think | ||
+ | |||
+ | ==== Using ldapsearch on Linux ==== | ||
+ | Try to search from a Linux machine which can talk to the AD server (HPC is behind firewall): | ||
+ | < | ||
+ | |||
+ | < | ||
+ | Enter LDAP Password: | ||
+ | ldap_bind: Invalid credentials (49) | ||
+ | additional info: 80090308: LdapErr: DSID-0C090334, | ||
+ | According to the web this error means the user does not exist. | ||
+ | < | ||
+ | DEC: 1317 – ERROR_NO_SUCH_USER (The specified account does not exist.) | ||
+ | NOTE: Returns when username is invalid.</ | ||
+ | ==== binddn ==== | ||
+ | A note of possible interest regarding binding on Linux (from the [[http://lists.samba.org/archive/samba/2007-April/ | ||
+ | < | ||
+ | You cannot bind as a user on port 389. I don't think they support TLS on port 389, but I have no tried in a | ||
+ | long time.</ | ||
+ | ==== Domain controller vs. Global catalog ==== | ||
+ | As ILRI has many AD domains and our users could be coming from anywhere, we need to query a server running the global catalog service | ||
+ | < | ||
+ | on the standard LDAP port 389. However, domain controllers (including Global Catalog Servers) respond to LDAP | ||
+ | | ||
+ | | ||
+ | requests on port 3268, Microsoft' | ||
+ | with AD information from the entire AD forest. In multi-domain AD environments, | ||
+ | ILRI Kenya has three Active Directory servers, and from what I can tell two of them run a global catalog: | ||
+ | * 172.26.0.218 <- running a global catalog (port 3268) | ||
* 172.26.0.219 | * 172.26.0.219 | ||
- | * 172.26.0.220 <- running a global catalog | + | * 172.26.0.220 <- running a global catalog (port 3268) |
+ | |||
+ | ===== pam_cgiar_ldap.c ===== | ||
+ | Someone hacked up a PAM module several years ago which could be dropped into a Linux server and allow AD authentication with minimal configuration. | ||
+ | <note warning> | ||
- | This was working once, using a // | + | This was working once, using a // |
* Compile the code: '' | * Compile the code: '' | ||
- | * Link the code: '' | + | * Link the code: '' |
**pam_cgiar_ldap.c**: | **pam_cgiar_ldap.c**: |
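Review bot: the new "Using ldapsearch on Linux" and "binddn" sections show a simple bind that prompts for "Enter LDAP Password:" against port 389 or 3268, but nowhere state whether that connection is wrapped in TLS; a simple bind sends the password in clear text on the wire, so the page should record which port and TLS setting the ldapsearch command and pam_cgiar_ldap.c actually use instead of leaving it to the quoted samba-list remark that TLS on port 389 is untested. The quoted bind error is also cut off after "DSID-0C090334," so the rest of the AD error text on which the "this error means the user does not exist" reading rests is missing; paste the full error line before drawing that conclusion. Finally, 172.26.0.219 is listed without the "(port 3268)" annotation the other two servers carry, and the Likewise-Open CIFS bullet ends in "I think", so both should be verified or marked as unconfirmed.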