ldap_integration
Differences
This shows you the differences between two versions of the page.
Both sides previous revisionPrevious revisionNext revision | Previous revisionNext revisionBoth sides next revision | ||
ldap_integration [2009/08/20 09:27] – 172.26.0.166 | ldap_integration [2010/08/31 19:25] – aorth | ||
---|---|---|---|
Line 2: | Line 2: | ||
ILRI uses an Active Directory server for user authentication, | ILRI uses an Active Directory server for user authentication, | ||
+ | |||
+ | ===== Implementation ===== | ||
+ | |||
+ | Active Directory integration will work if we use Likewise-Open. | ||
+ | * HPC must have the correct time (AD authenticates via Kerberos, which is heavily sensitive to time) | ||
+ | * HPC must be able to access AD on several TCP ports (kerberos, LDAP, etc) | ||
===== Notes ===== | ===== Notes ===== | ||
+ | ===== Apache Authentication ===== | ||
+ | It's possible to use Basic authentication via Active Directory in web applications. | ||
- | ==== Using '' | + | Make sure Apache has mod_perl installed and working first ('' |
+ | < | ||
+ | > install Apache2:: | ||
+ | |||
+ | Then add a stanza such as this to your Apache config: | ||
+ | < | ||
+ | | ||
+ | | ||
+ | |||
+ | | ||
+ | | ||
+ | | ||
+ | |||
+ | # | ||
+ | | ||
+ | |||
+ | That stanza can go in a VirtualHost, | ||
+ | |||
+ | ==== Likewise-Open ==== | ||
+ | Open source standalone implementation of Samba, OpenLDAP, Kerberos, etc for Active Directory integration: | ||
+ | |||
+ | * open ports in Firewall (Active Directory, NTP, Kerberos) | ||
+ | * make sure time is in sync with the server! | ||
+ | * Likewise-Open has their own CIFS server but can also work with existing Samba installs I think | ||
+ | |||
+ | ==== Using ldapsearch on Linux ==== | ||
Try to search from a Linux machine which can talk to the AD server (HPC is behind firewall): | Try to search from a Linux machine which can talk to the AD server (HPC is behind firewall): | ||
+ | < | ||
+ | |||
< | < | ||
Enter LDAP Password: | Enter LDAP Password: | ||
Line 17: | Line 52: | ||
==== binddn ==== | ==== binddn ==== | ||
A note of possible interest regarding binding on Linux (from the [[http:// | A note of possible interest regarding binding on Linux (from the [[http:// | ||
- | < | + | < |
- | only accept binds on that port. You cannot bind as a user on port 389. I | + | You cannot bind as a user on port 389. I don't think they support TLS on port 389, but I have no tried in a |
- | don't think they support TLS on port 389, but I have no tried in a long | + | long time.</ |
- | time.</ | + | |
==== Domain controller vs. Global catalog ==== | ==== Domain controller vs. Global catalog ==== | ||
- | < | + | As ILRI has many AD domains and our users could be coming from anywhere, we need to query a server running the global catalog service instead of a normal domain controller. |
+ | < | ||
+ | on the standard LDAP port 389. However, domain controllers (including Global Catalog Servers) respond to LDAP | ||
+ | queries on port 389 with AD information from within its own AD domain only. Again, this works fine in a single | ||
+ | domain configuration but not in a multi-domain setup. Global Catalog Servers additionally listen for LDAP | ||
+ | requests on port 3268, Microsoft' | ||
+ | with AD information from the entire AD forest. In multi-domain AD environments, | ||
+ | ILRI Kenya has three Active Directory servers, and from what I can tell two of them run a global catalog: | ||
+ | * 172.26.0.218 <- running a global catalog (port 3268) | ||
+ | * 172.26.0.219 | ||
+ | * 172.26.0.220 <- running a global catalog (port 3268) | ||
===== pam_cgiar_ldap.c ===== | ===== pam_cgiar_ldap.c ===== |
ldap_integration.txt · Last modified: 2012/02/06 08:43 by aorth