ldap_integration

Differences

Previous revision: ldap_integration [2009/08/20 09:19] 172.26.0.166
Next revision: ldap_integration [2009/08/20 09:23] 172.26.0.166
Line 3: Line 3:
 ILRI uses an Active Directory server for user authentication, which is primarily used for Exchange e-mail services.  Active Directory is Microsoft's proprietary version of LDAP with a little extra special sauce.  Currently users have an Active Directory username and password for their Windows-centric single sign on and e-mail, and then they have a separate account for use with the HPC.  There exists functionality in Linux to look at Active Directory for user authentication. ILRI uses an Active Directory server for user authentication, which is primarily used for Exchange e-mail services.  Active Directory is Microsoft's proprietary version of LDAP with a little extra special sauce.  Currently users have an Active Directory username and password for their Windows-centric single sign on and e-mail, and then they have a separate account for use with the HPC.  There exists functionality in Linux to look at Active Directory for user authentication.
  
-==== Notes ====+===== Notes =====
 Try to search from a Linux machine which can talk to the AD server (HPC is behind firewall): Try to search from a Linux machine which can talk to the AD server (HPC is behind firewall):
 <code>[aorth@shamba: ~]$ ldapsearch -x -H ldap://172.26.0.218:3268 -b "dc=ilri,dc=cgiard,dc=org" -D "cn=bioinfohpc,cn=users,dc=ilri,dc=cgiard,dc=org" -W "" <code>[aorth@shamba: ~]$ ldapsearch -x -H ldap://172.26.0.218:3268 -b "dc=ilri,dc=cgiard,dc=org" -D "cn=bioinfohpc,cn=users,dc=ilri,dc=cgiard,dc=org" -W ""
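Review bot: the ldapsearch example in this hunk does a simple bind (-x) as cn=bioinfohpc over plain ldap:// to port 3268, so the password typed at the -W prompt crosses the network unencrypted; prefer ldaps://172.26.0.218:3269 (global catalog over TLS) or add -ZZ to require STARTTLS before the bind. The trailing "" is also not an argument to -W (which prompts and takes none) but is parsed as the search filter, so drop it or replace it with an explicit filter.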
Line 13: Line 13:
 DEC: 1317 – ERROR_NO_SUCH_USER (The specified account does not exist.) DEC: 1317 – ERROR_NO_SUCH_USER (The specified account does not exist.)
 NOTE: Returns when username is invalid.</file> NOTE: Returns when username is invalid.</file>
-Note from [[http://lists.samba.org/archive/samba/2007-April/131385.html|samba mailing list]]:+A note of possible interest regarding binding on Linux (from the [[http://lists.samba.org/archive/samba/2007-April/131385.html|samba mailing list]]):
 <file>AD domain controllers listen on the standard LDAPS port (636) and will  <file>AD domain controllers listen on the standard LDAPS port (636) and will 
 only accept binds on that port.  You cannot bind as a user on port 389.  I  only accept binds on that port.  You cannot bind as a user on port 389.  I 
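Review bot: the error-code table in this hunk (DEC 1317 ERROR_NO_SUCH_USER, "Returns when username is invalid") shows that the AD bind response distinguishes a nonexistent account from a wrong password; whatever consumes these codes on the HPC side should log that detail but return the same generic failure to the user, otherwise the login prompt confirms which usernames exist. Separately, the quoted samba-list note says binds are only accepted on 636, yet the ldapsearch in the Notes section above binds as cn=bioinfohpc on 3268 over ldap://; if that search works, the quote does not describe ILRI's controllers, so the new lead-in should say which behaviour was actually observed.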
Line 19: Line 19:
 time.</file> time.</file>
  
-==== pam_cgiar_ldap.c ==== +===== pam_cgiar_ldap.c ===== 
 +Someone hacked up a PAM module several years ago which could be dropped into a Linux server and allow AD authentication with minimal configuration.  See the documentation here: {{:cgiar-hpc-cop.doc}}
 <note warning>This no longer works! It relied on anonymous access to the AD server, but ILRI's Active Directory servers are configured to [[http://support.microsoft.com/kb/326690|disallow anonymous binds]].  These notes have been left here for reference only!</note> <note warning>This no longer works! It relied on anonymous access to the AD server, but ILRI's Active Directory servers are configured to [[http://support.microsoft.com/kb/326690|disallow anonymous binds]].  These notes have been left here for reference only!</note>
  
 This was working once, using a //slightly// customized PAM module, but broken when IT services disabled anonymous binding.  In order to use the module several steps are needed.  Download the module source and edit the code to point to the correct server, then compile it as shown below: This was working once, using a //slightly// customized PAM module, but broken when IT services disabled anonymous binding.  In order to use the module several steps are needed.  Download the module source and edit the code to point to the correct server, then compile it as shown below:
   * Compile the code:  ''gcc -fPIC  -c pam_cgiar_ldap.c''   * Compile the code:  ''gcc -fPIC  -c pam_cgiar_ldap.c''
-  * Link the code:  ''ld -x --shared -o pam_cgiar_ldap.so –lldap pam_cgiar_ldap.o''+  * Link the code:  ''ld -x --shared –lldap -o pam_cgiar_ldap.so pam_cgiar_ldap.o''
  
 **pam_cgiar_ldap.c**: **pam_cgiar_ldap.c**:
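Review bot: both the old and the new link command in this hunk write the library flag with an en dash (–lldap) rather than a plain hyphen (-lldap), so ld treats it as an input file name and the link fails; moving it ahead of -o does not address that. Suggested line: ''ld -x --shared -o pam_cgiar_ldap.so pam_cgiar_ldap.o -lldap'' (or simply ''gcc -shared -o pam_cgiar_ldap.so pam_cgiar_ldap.o -lldap''). The new paragraph also points readers at the attached .doc for the module's documentation while the warning note just below says the module no longer works; state that in the new paragraph as well so the document is not taken as current guidance.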
ldap_integration.txt · Last modified: 2012/02/06 08:43 by aorth